TikTok has patched a reflected XSS vulnerability and a separate bug leading to account takeover, both affecting the company's web domain.
Reported through the HackerOne bug bounty platform by researcher Muhammed "Milly" Taskiran, the first issue involves a URL parameter on the tiktok.com domain that was not properly sanitized before being reflected into the page.
While fuzzing the platform, the bug bounty researcher found that this flaw could be exploited for reflected cross-site scripting (XSS), allowing attacker-controlled script to execute in a victim's browser session on the tiktok.com origin once the victim opens a crafted link.
In addition, Taskiran found an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an attack in which a threat actor tricks an authenticated user's browser into submitting a state-changing request to a web application on that user's behalf; the browser attaches the session cookie automatically, so the application accepts the request as if the user had made it.
"The endpoint allowed me to specify a new password for accounts that had utilized third-party programs to sign up," the bug bounty hunter stated.
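To make the two defect classes concrete, here is an added illustration (not TikTok's code, and not the researcher's proof of concept): a reflected-XSS sink on a URL parameter and an unprotected password-change endpoint, each beside a hardened version. The route names, the `app.example` origin, the session object and the request shapes are all hypothetical.

```javascript
// Added example, not code from TikTok or from the HackerOne report.
// All names (renderSearch*, setPassword*, app.example) are hypothetical.

// --- Reflected XSS ---------------------------------------------------------
// Vulnerable: the `q` URL parameter is interpolated into HTML unescaped, so
// a link such as /search?q=<img src=x onerror=alert(1)> runs script in the
// victim's session on this origin.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: HTML-encode the characters that can break out of text context.
// (Attribute, URL and JavaScript contexts each need their own encoder.)
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderSearchSafe(url) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// --- CSRF on a state-changing endpoint -----------------------------------
// Vulnerable: any request that arrives with a valid session is honoured, so a
// page on attacker.example only has to make the victim's browser send it.
function setPasswordVulnerable(req, session) {
  if (!session.loggedIn) return { status: 401 };
  session.password = req.body.newPassword;
  return { status: 200 };
}

// Hardened: require a same-origin Origin header and a per-session anti-CSRF
// token. A cross-site page cannot forge Origin and cannot read the token.
// Requests with no Origin header are rejected here; adjust if your clients
// legitimately omit it. Use a constant-time compare for the token in
// production (e.g. crypto.timingSafeEqual in Node).
const SITE_ORIGIN = "https://app.example"; // hypothetical
function setPasswordSafe(req, session) {
  if (!session.loggedIn) return { status: 401 };
  if (req.headers.origin !== SITE_ORIGIN) return { status: 403 };
  if (!req.body.csrfToken || req.body.csrfToken !== session.csrfToken) {
    return { status: 403 };
  }
  session.password = req.body.newPassword;
  return { status: 200 };
}

// --- Constructed demo inputs ---------------------------------------------
const craftedLink =
  "https://app.example/search?q=" +
  encodeURIComponent('<img src=x onerror=alert(1)>');
const forgedRequest = {
  headers: { origin: "https://attacker.example" },
  body: { newPassword: "attacker-chosen" },
};
function freshSession() {
  return { loggedIn: true, csrfToken: "per-session-token", password: "old" };
}

console.log(renderSearchVulnerable(craftedLink)); // script tag survives
console.log(renderSearchSafe(craftedLink));       // rendered as text
console.log(setPasswordVulnerable(forgedRequest, freshSession()).status); // 200
console.log(setPasswordSafe(forgedRequest, freshSession()).status);       // 403
```

One caveat worth noting when the two bugs coexist, as they did here: script injected through a same-origin XSS can read the anti-CSRF token out of the page and send a request with a matching Origin, so the token check in `setPasswordSafe` does not protect against that chain. The XSS has to be fixed as well; CSRF defences assume the attacker cannot run script on the site's origin.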
Taskiran was awarded a $3,860 bounty for the findings.
As of September 3, TikTok had triaged the security issues and assigned them a severity score of 8.2, which falls in the "High" band of the CVSS-based scale HackerOne uses.