Saturday, October 16, 2021

TikTok patches reflected XSS bug, one-click account takeover exploit

Must Read

Amnesia:33 vulnerabilities Impact Countless Industrial and Smart Devices

Security researchers have identified 33 security defects in four accessible TCP/IP piles used across a broad selection of intelligent...

Armed Forces confirm hacking of their data network

The Malaysian Armed Forces (ATM) verified that there was a cyber assault on its information network yesterday.Armed Forces chief...

Ransom payments are declining as many victims decide not to pay

A high percentage of ransom victims choose to opt-out of pay the ransom amounts but don't assume that the...

TikTok has patched a reflected XSS security defect along with a bug leading into account takeover affecting the company’s domain.

As reported via the Bug bounty platform system HackerOne by writer Muhammed”Milly” Taskiran, the initial exposure relates to a URL parameter about the tiktok.com domain that was not correctly sanitized.

While fuzzing the stage, the insect bounty researcher discovered that this problem could be tapped to reach reflected cross-site scripting (XSS), possibly causing the execution of malicious code in a user’s browser session.

Additionally, Taskiran discovered an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an assault where hazard actors can dupe consumers into submitting activities on their behalf into an internet application as a user.

Taskiran managed to produce a simple JavaScript payload that united both vulnerabilities. The script managed to activate the CSRF problem, then when injected to the exposed URL parameter, could result in some searchable accounts takeover.

“The endpoint allowed me to specify a new password accounts that had utilized third-party programs to signup,” the insect bounty hunter stated.

Taskiran was granted a reward of $3,860.

From September 3, TikTok had triaged the safety difficulties and assigned a seriousness score of 8.2.

a2434345d63481a40f0d145881b41013?s=96&d=mm&r=g
Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Unified endpoint management automation software to boost endpoint security

Endpoints are constantly connected to the internet, so they offer a gateway for cyberattacks. Endpoint security is simply the process...

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft also revealed the workings of...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

More Articles Like This