TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain. Reported via the bug bounty platform HackerOne by researcher Muhammed ‘Milly’ Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain which was not properly sanitized.
“While fuzzing, I discovered a URL parameter reflecting its value without being properly sanitized. Thus, I was able to achieve reflected [Cross-Site Scripting] XSS. In addition, I found an endpoint which was vulnerable to [Cross-Site Request Forgery] CSRF,” the bug bounty hunter said.
The endpoint allowed Taskiran to set a new password on accounts which had used third-party apps in sign-up.
The issue was finally resolved on September 18 and Taskiran was awarded $3860 for his efforts.
TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18.
Jayant Shukla, CTO and co-founder of K2 Cyber Security, explained that XSS and CSRF are a regular feature of the OWASP Top 10 web application security risks.
“Reflected XSS is part of the XSS category of risks and CSRF is part of the injection category. The fact that these types of vulnerabilities continue to exist in web sites and applications like TikTok shows that not enough organizations test and protect their websites and applications against the OWASP Top 10,” he added.
It’s not the first time this year TikTok has been forced to patch a critical vulnerability. In January, Check Point revealed multiple bugs which could have been exploited to hijack user accounts and steal personal data.
These included another XSS flaw, this time in an ads subdomain of the main TikTok site, and an SMS link spoofing bug in a feature on the main TikTok site.
Recently, TikTok has also been in news for being a lifesaver for a woman living in Hagerstown. A stalker broke into her apartment, thankfully she was able to film him as he stepped inside because she was recording a TikTok video. The stalker has been arrested.
Tiktok has also been in news for reportedly testing longer three-minute videos for some users, this year.