
TikTok Patches Bugs Enabling One-Click Account Takeover

File_closed07

TikTok has patched two common types of vulnerability which a researcher combined to create a “one-click” account takeover attack.

Submitted by Muhammed Taskiran via HackerOne back on August 26, the bugs were originally labelled medium severity before being upgraded to high (CVSS 8.2) a few days later.

“While fuzzing, I discovered a URL parameter reflecting its value without being properly sanitized. Thus, I was able to achieve reflected [Cross-Site Scripting] XSS. In addition, I found an endpoint which was vulnerable to [Cross-Site Request Forgery] CSRF,” he wrote.

The endpoint allowed Taskiran to set a new password on accounts which had used third-party apps in sign-up.

“I combined both vulnerabilities by crafting a simple JavaScript payload — triggering the CSRF — which I injected into the vulnerable URL parameter from earlier, to achieve a ‘one click account takeover,’” he continued.
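The two defects described above are each cut off by a well-known control: output encoding removes the reflected XSS, and a per-session anti-CSRF token makes the password-change endpoint unusable from a cross-site request. The following Python example is added here to illustrate both; it is not code from the article, from TikTok, or from the researcher. The URL, the `q` parameter, the session store and the `change_password` form fields are all hypothetical, constructed for the demonstration.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample session store: session id -> per-session CSRF token.
# A real application would keep this in its server-side session storage.
SESSIONS = {"sess-demo": secrets.token_hex(16)}


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_unsafe(url: str) -> str:
    """The vulnerable pattern: a URL parameter reflected into HTML verbatim.

    Any markup in 'q' becomes part of the page, which is reflected XSS.
    """
    return f"<h1>Results for {_query_param(url, 'q')}</h1>"


def render_search_safe(url: str) -> str:
    """Same page with the parameter HTML-entity encoded before output.

    html.escape with quote=True also neutralises ' and ", so the value is
    inert whether it lands in element text or inside an attribute.
    """
    return f"<h1>Results for {html.escape(_query_param(url, 'q'), quote=True)}</h1>"


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in its own password-change form (hypothetical helper)."""
    return SESSIONS[session_id]


def change_password(session_id: str, form: dict) -> tuple[int, str]:
    """State-changing endpoint hardened against CSRF.

    A cross-site request can carry the victim's session cookie, but it cannot
    read the per-session token out of the legitimate form, so it fails here.
    """
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token validation does not leak timing.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return 400, "password too short"
    # Password update would happen here in a real application.
    return 200, "password changed"


if __name__ == "__main__":
    demo_url = "https://example.test/search?q=<b>x</b>"  # constructed input
    print(render_search_unsafe(demo_url))
    print(render_search_safe(demo_url))
    print(change_password("sess-demo", {"new_password": "correct-horse-battery"}))
    print(change_password("sess-demo", {"new_password": "correct-horse-battery",
                                        "csrf_token": csrf_token_for("sess-demo")}))
```

The token check is what breaks the chain on its own: even with the XSS still present, script running in the victim's origin would have to fetch the legitimate form first to learn the token, and a strict Content-Security-Policy or `SameSite` cookie attribute raises the bar further. Output encoding at the reflection point removes the XSS itself, which is the fix that should land first.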

The issue was finally resolved on September 18 and Taskiran was awarded $3860 for his efforts.

Jayant Shukla, CTO and co-founder of K2 Cyber Security, explained that XSS and CSRF are a regular feature of the OWASP Top 10 web application security risks.

“Reflected XSS is part of the XSS category of risks and CSRF is part of the injection category. The fact that these types of vulnerabilities continue to exist in web sites and applications like TikTok shows that not enough organizations test and protect their websites and applications against the OWASP Top 10,” he added.

“NIST recently updated its SP800-53 Security and Privacy Framework to add focus on these issues by including the requirement for RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). These types of security solutions specifically target the risks outlined by the OWASP Top 10.”

It’s not the first time this year TikTok has been forced to patch a critical vulnerability. In January, Check Point revealed multiple bugs which could have been exploited to hijack user accounts and steal personal data.

These included another XSS flaw, this time in an ads subdomain of the main TikTok site, and an SMS link spoofing bug in a feature on the main TikTok site.