TikTok has patched two common classes of web vulnerability, a reflected cross-site scripting (XSS) flaw and a cross-site request forgery (CSRF) flaw, which a researcher chained into a “one-click” account takeover attack.
Submitted by Muhammed Taskiran via HackerOne back on August 26, the bugs were originally labelled medium severity before being upgraded to high (CVSS 8.2) a few days later.
“While fuzzing, I discovered a URL parameter reflecting its value without being properly sanitized. Thus, I was able to achieve reflected [Cross-Site Scripting] XSS. In addition, I found an endpoint which was vulnerable to [Cross-Site Request Forgery] CSRF,” he wrote.
The CSRF-vulnerable endpoint allowed Taskiran to set a new password on accounts that had signed up through a third-party app.
“I combined both vulnerabilities by crafting a simple JavaScript payload — triggering the CSRF — which I injected into the vulnerable URL parameter from earlier, to achieve a ‘one click account takeover,’” he continued.
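The chain Taskiran describes is easy to model. The following is an added example, not TikTok’s code and not the researcher’s actual payload: a toy Node.js reconstruction of the two defect classes (a reflected parameter and a cookie-only password endpoint), each beside a hardened form, plus a crude stand-in for the victim’s browser so the reader can see which fix actually breaks the chain. The site origin, endpoint path, parameter name and cookie values are all constructed assumptions.

```javascript
// Added example, not TikTok's code and not the researcher's payload: a toy model of the
// two defects described above, each beside a hardened form, plus a crude stand-in for
// the victim's browser to show why the chain works and which fix actually breaks it.
// Origin, endpoint path, parameter name and cookie values are constructed assumptions.

const SITE_ORIGIN = 'https://example.test';          // assumed site origin
const PASSWORD_ENDPOINT = '/account/set-password';    // assumed endpoint name

// Defect 1: a search parameter reflected into HTML text without encoding.
function renderVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Fix 1: contextual output encoding before the value enters the HTML text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function renderSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Defect 2: a password-setting endpoint that accepts any POST carrying the session cookie.
function setPasswordVulnerable(req, session) {
  if (req.cookie !== session.cookie) return { status: 401 };
  session.password = req.body.new_password;
  return { status: 200 };
}

// Fix 2: tie the request to the site with an Origin check and a per-session token
// that is delivered in the page, not in the cookie.
function setPasswordHardened(req, session) {
  if (req.cookie !== session.cookie) return { status: 401 };
  if (req.origin !== SITE_ORIGIN) return { status: 403 };                  // cross-site caller
  if (req.body.csrf_token !== session.csrfToken) return { status: 403 };   // no valid token
  session.password = req.body.new_password;
  return { status: 200 };
}

// The attacker's "one click": a link whose reflected parameter carries a script that
// fires the password change from inside the victim's own session.
function buildAttackUrl(newPassword) {
  const payload = `<img src=x onerror="fetch('${PASSWORD_ENDPOINT}',` +
    `{method:'POST',body:JSON.stringify({new_password:'${newPassword}'})})">`;
  return `${SITE_ORIGIN}/search?q=${encodeURIComponent(payload)}`;
}

// Crude browser stand-in: render the page; if the injected onerror handler survived
// encoding, "run" it from the site's own origin with the cookie attached and the CSRF
// token read out of the DOM, which same-origin script can always do.
function simulateVictimClick(url, render, handler, session) {
  const q = new URL(url).searchParams.get('q');   // searchParams already percent-decodes
  const html = render(q);
  const scriptRan = /<img src=x onerror=/.test(html);
  if (!scriptRan) return { scriptRan, status: null, password: session.password };
  const newPassword = /new_password:'([^']*)'/.exec(html)[1];
  const req = { cookie: session.cookie, origin: SITE_ORIGIN,
                body: { new_password: newPassword, csrf_token: session.csrfToken } };
  const res = handler(req, session);
  return { scriptRan, status: res.status, password: session.password };
}

// Plain cross-site CSRF for comparison: an auto-submitted form on attacker.test. The
// browser attaches the cookie but sets Origin to the attacker's site and has no token.
function simulateCrossSitePost(handler, session, newPassword) {
  const req = { cookie: session.cookie, origin: 'https://attacker.test',
                body: { new_password: newPassword } };
  const res = handler(req, session);
  return { status: res.status, password: session.password };
}

function freshSession() {
  return { cookie: 'sid=abc123', csrfToken: 'tok-9f8e', password: 'original' };
}

// Every combination of the two defects against the two fixes.
function runMatrix(newPassword = 'pwned') {
  const url = buildAttackUrl(newPassword);
  return {
    xssAndCsrf:     simulateVictimClick(url, renderVulnerable, setPasswordVulnerable, freshSession()),
    xssOnly:        simulateVictimClick(url, renderVulnerable, setPasswordHardened,   freshSession()),
    csrfOnly:       simulateVictimClick(url, renderSafe,       setPasswordVulnerable, freshSession()),
    crossSiteWeak:  simulateCrossSitePost(setPasswordVulnerable, freshSession(), newPassword),
    crossSiteFixed: simulateCrossSitePost(setPasswordHardened,   freshSession(), newPassword),
  };
}

console.log(JSON.stringify(runMatrix(), null, 2));
```

The matrix makes the practical point the two quotes only imply: an Origin check and a CSRF token stop the plain cross-site version of the attack, but they do nothing against the chained version, because script running on the site’s own origin sends the right Origin header and can read the token out of the page. Once reflected XSS is present, every CSRF defence on that origin is bypassed, so the output-encoding fix is the one that breaks the chain; the endpoint hardening (together with `SameSite` cookies) is defence in depth against attackers who do not have XSS.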
The issue was finally resolved on September 18 and Taskiran was awarded $3860 for his efforts.
Jayant Shukla, CTO and co-founder of K2 Cyber Security, explained that XSS and CSRF are a regular feature of the OWASP Top 10 web application security risks.
“Reflected XSS is part of the XSS category of risks and CSRF is part of the injection category. The fact that these types of vulnerabilities continue to exist in web sites and applications like TikTok shows that not enough organizations test and protect their websites and applications against the OWASP Top 10,” he added.
“NIST recently updated its SP800-53 Security and Privacy Framework to add focus on these issues by including the requirement for RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). These types of security solutions specifically target the risks outlined by the OWASP Top 10.”
It’s not the first time this year TikTok has been forced to patch serious account-hijacking vulnerabilities. In January, Check Point revealed multiple bugs which could have been exploited to hijack user accounts and steal personal data.
These included another XSS flaw, this time in an ads subdomain of the main TikTok site, and an SMS link spoofing bug in a feature on the main TikTok site.