TikTok Bugs Allowed Account Takeover with a Single Click


The video service TikTok has fixed two vulnerabilities that, chained together, let an attacker take over another user's account with a single click. One flaw was on the website, the other in the client application. The fixes were released on September 18, and details of the bugs were published at the end of last week.

Both issues were discovered by a Berlin-based researcher using the pseudonym milly. He submitted a report about his findings through the HackerOne bug bounty program and was awarded $3,860 for his efforts.

Details of the Vulnerabilities

According to milly's HackerOne write-up, the website flaw was a reflected cross-site scripting (XSS) bug: a URL parameter was not properly sanitized before being reflected into the page, so JavaScript placed in a crafted link ran in the victim's browser within the TikTok site's own origin. The bug was rated high severity (CVSS 8.2 out of 10) but has not yet been assigned a CVE identifier.

The second flaw, in the TikTok client, was a cross-site request forgery (CSRF) issue: a request that set a new password was accepted without verifying that the legitimate user had initiated it. For accounts that signed in through a third-party provider (single sign-on, or SSO), this let an attacker set a password on the account and then act as its owner.

How the Attack Worked

To demonstrate the chain, the researcher wrote a short JavaScript exploit for the CSRF flaw and placed it in a TikTok URL as the value of the vulnerable parameter, so that the reflected XSS delivered the CSRF payload. A victim who opened the link had a new password set on their account, and milly was able to take full control of it.
