TikTok has fixed two vulnerabilities that, chained together, could have let attackers take over accounts with a single click, in the case of users who had signed up through third-party applications.
TikTok, the social media platform of Beijing-based ByteDance, is used to share short looping videos (3 to 60 seconds).
The TikTok Android app has over 1 billion installs according to official Google Play Store statistics, and in April 2020 it passed 2 billion installs across all platforms according to Sensor Tower Store Intelligence estimates.
German bug hunter Muhammed Taskiran discovered a cross-site scripting (XSS) vulnerability in a TikTok URL parameter whose value was reflected into the page without proper sanitization (validating and encoding input so that it meets the rules of the component it is handed to, in this case an HTML document).
Taskiran found the reflected XSS, which could also be used for data exfiltration, while fuzzing (automated testing that feeds generated inputs to a target and watches for unexpected behaviour) the company's www.tiktok.com and m.tiktok.com domains.
He also found a TikTok API endpoint vulnerable to cross-site request forgery (CSRF) that allowed the account password to be changed for users who had registered through third-party applications.
"The endpoint allowed me to set a new password for user accounts that had used third-party applications to sign up," Taskiran said.
Taskiran reported the vulnerabilities to TikTok on August 26, 2020; the company resolved the issues and rewarded him with a $3,860 bounty on September 18.
TikTok also addressed security vulnerabilities in its infrastructure that would have allowed attackers to break into accounts, manipulate users' videos and steal their information.
The issues were disclosed to ByteDance by Check Point researchers in late November 2019, and the company fixed the bugs within a month.
Attackers could have abused TikTok's SMS system to exploit the vulnerabilities, upload unauthorized videos, delete users' videos or switch them from private to public, and expose sensitive personal information.
"TikTok is committed to protecting user data," said TikTok security engineer Luke Deshotels at the time. "Like many organizations, we encourage security researchers to disclose to us privately the zero-day vulnerabilities they discover."