TikTok patches reflected XSS bug, one-click account takeover exploit

TikTok has patched a reflected XSS vulnerability, along with a bug leading to account takeover, affecting the company’s domain.

As reported via the bug bounty platform HackerOne by researcher Muhammed “Milly” Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain that was not properly sanitized.

While fuzzing the platform, the bug bounty researcher discovered that this issue could be exploited to achieve reflected cross-site scripting (XSS), potentially leading to the execution of malicious code in a user’s browser session.

Additionally, Taskiran discovered an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an attack in which threat actors trick users into submitting actions to a web application on their behalf, as that user.

Taskiran was able to create a simple JavaScript payload that combined both vulnerabilities. The script triggered the CSRF issue and, when injected into the vulnerable URL parameter, could result in a one-click account takeover.

“The endpoint allowed me to specify a new password for accounts that had utilized third-party programs to sign up,” the bug bounty hunter said.
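The two defects described above, a reflected URL parameter and a password-change endpoint with no request-forgery protection, are illustrated here in added example code that is not from TikTok or the researcher's report. The `Request` class, session store, `ALLOWED_ORIGIN` and handler names are assumptions made for the example; it shows the vulnerable form of each handler beside a hardened one (contextual output encoding for the reflection, a per-session synchronizer token plus Origin check for the state-changing endpoint).

```python
import html
import hmac
import secrets
from dataclasses import dataclass, field

ALLOWED_ORIGIN = "https://app.example.com"  # assumed first-party origin (hypothetical)

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    params: dict                      # URL query parameters
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}  (in-memory store, example only)

def new_session(user):
    """Create a session and bind a fresh CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def search_vulnerable(req):
    # Reflects the URL parameter verbatim into HTML: reflected XSS.
    return f"<p>Results for {req.params.get('q', '')}</p>"

def search_hardened(req):
    # Contextual output encoding: the value can no longer break out of the text node.
    return f"<p>Results for {html.escape(req.params.get('q', ''), quote=True)}</p>"

def set_password_vulnerable(req, users):
    # Only the session cookie is checked, so any page the browser visits can forge this request.
    sess = SESSIONS.get(req.cookies.get("sid"))
    if not sess:
        return 401
    users[sess["user"]] = req.form.get("new_password")
    return 200

def set_password_hardened(req, users):
    sess = SESSIONS.get(req.cookies.get("sid"))
    if not sess:
        return 401
    # Synchronizer token: must match the token bound to this session (constant-time compare).
    token = str(req.form.get("csrf_token", ""))
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403
    # Defence in depth: reject cross-origin submissions even if a token ever leaked.
    if req.headers.get("Origin", "") != ALLOWED_ORIGIN:
        return 403
    users[sess["user"]] = req.form.get("new_password")
    return 200
```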

Taskiran was granted a reward of $3,860.

As of September 3, TikTok had triaged the security issues and assigned a severity score of 8.2.
