TikTok: exploit chain enables account transfer “with one click”
Source: Heise.de, added 25th Nov 2020

TikTok, or rather its operator ByteDance, has paid a security researcher an 18 US dollar reward after he reported two vulnerabilities in the video portal to it under a responsible disclosure procedure, i.e. within a responsible, predefined framework. Under certain conditions, a combination of the two vulnerabilities would have enabled the takeover of TikTok accounts “with one click”.
As the documentation of the process on the bug bounty platform HackerOne, through which the responsible disclosure ran, shows, the researcher Muhammed Taskiran (“milly”) submitted his report to the TikTok team at the end of August. The assessed severity of the vulnerability combination was raised from medium (6.1) to high (8.2) at the beginning of September. On 18 September the security problem was resolved on the server side. No action was required from users.
Transferring exploit code as a URL parameter

The information that “milly” published on HackerOne about the security gaps and the attack combination is limited to brief summaries. According to it, one of the two vulnerabilities allowed reflected cross-site scripting: the server echoed a URL parameter back into the page without adequately checking and sanitizing it.
The second vulnerability concerned an endpoint in the TikTok infrastructure that was vulnerable to Cross-Site Request Forgery (CSRF). CSRF attacks allow an attacker to trigger transactions in the context of a user who is already logged in.
“milly” combined the two gaps into an exploit chain using JavaScript code which, thanks to the first vulnerability, was passed as a URL parameter that the TikTok server reflected and the victim's browser then executed. The code triggered the CSRF vulnerability, with the result that the researcher was able to set new passwords for existing accounts. The whole thing only worked if an (unspecified) third-party app had been used in the past to log in to the account in question.
TikTok – these alternatives are available (ovw)
media: Heise.de keywords: App Server TikTok