Thursday, January 21, 18:15
TikTok fixes bugs that allowed account breaches

TikTok has fixed two vulnerabilities that, chained together, could have allowed attackers to take over, with a single click, the accounts of users who signed up through third-party applications.

The social media platform of Beijing-based ByteDance is used to share short looping videos (3 to 60 seconds).

The TikTok Android app currently has over 1 billion installs according to official Google Play Store statistics, and in April 2020 it exceeded 2 billion installs according to Sensor Tower Store Intelligence estimates.


German bug hunter Muhammed Taskiran discovered a cross-site scripting (XSS) vulnerability in a TikTok URL parameter whose value is reflected back into the page without proper sanitization (data sanitization is the process of ensuring that data conforms to the requirements of the subsystem to which it is passed).

Taskiran found the reflected XSS, which could also lead to data exfiltration, while fuzzing the company's domains (fuzz testing is an automated software testing technique).

He also found a TikTok API endpoint vulnerable to cross-site request forgery (CSRF) attacks, which allowed the passwords of accounts registered through third-party applications to be changed.

"The endpoint allowed me to set a new password for user accounts that had used third-party applications to sign up," Taskiran said.

"I combined both vulnerabilities by creating a simple JavaScript payload - triggering the CSRF - which I had inserted into the vulnerable URL parameter from earlier, creating a one-click account takeover."

Taskiran reported the vulnerabilities to TikTok on August 26, 2020; the company fixed the issues and rewarded the bug hunter with $3,860 on September 18.

TikTok had also addressed security vulnerabilities in its infrastructure that would have allowed potential intruders to break into accounts, manipulate users' videos and steal their information.

The security issues were disclosed to ByteDance by Check Point researchers in late November 2019, and the company fixed the bugs within a month.

Intruders could have used TikTok's SMS system to exploit the vulnerabilities, upload unauthorized videos, delete users' videos or switch them from private to public, and steal sensitive personal information.

"TikTok is committed to protecting users' data," said TikTok security engineer Luke Deshotels at the time. "Like many organizations, we encourage security researchers to privately disclose to us the zero-day vulnerabilities they discover."

Teo Ehc