TikTok Awards Nearly $4,000 for Account Takeover Vulnerabilities
TikTok has awarded a researcher $4,000 for uncovering and reporting vulnerabilities that could have been exploited to perform account takeover. The bugs were found by Muhammed Taskiran, a German cybersecurity researcher. Taskiran reported the flaws in August, and they have since been patched by the social media platform. Taskiran states that he noticed the vulnerabilities when a URL parameter on tiktok.com was “reflecting its value without being properly sanitized.”
He then discovered a cross-site scripting (XSS) vulnerability that could be exploited alongside a cross-site request forgery (CSRF) flaw, which together allowed him to set a new password for accounts that had signed up through third-party apps. The account takeover does require the targeted user to click a malicious link, however. The bug was classified as high severity, resulting in a large payout for Taskiran.
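The two bug classes named above are worth seeing side by side from the defender's perspective. The following is an added illustration, not TikTok's code or anything from the researcher's report: a hypothetical web application reflects a URL query parameter into the page, and exposes a password-change endpoint. Each handler is shown in its weak form and its hardened form. The function names, the `Session` class, and the origin `https://app.example` are assumptions made for this example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# --- Reflected parameter ----------------------------------------------------
# Hypothetical handler: a search term arrives in a URL query parameter and is
# written back into the response body.

def render_search_vulnerable(q: str) -> str:
    """Reflects the parameter verbatim: any HTML in `q` becomes part of the page."""
    return f"<p>Results for: {q}</p>"


def render_search_hardened(q: str) -> str:
    """Escapes the value for an HTML text context before reflecting it."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


# --- Password change --------------------------------------------------------

@dataclass
class Session:
    """Hypothetical server-side session. The anti-CSRF token is bound to the
    session and is never derivable from the cookie alone."""
    user_id: str
    password: str = "old-password"          # constructed sample value
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def change_password_vulnerable(session: Session, form: dict) -> int:
    """Accepts any authenticated POST: a forged cross-site form submission
    carrying the victim's cookies is indistinguishable from a real one."""
    session.password = form["new_password"]
    return 200


def change_password_hardened(session: Session, form: dict, origin: str,
                             allowed_origin: str = "https://app.example") -> int:
    """Requires (1) a same-origin request and (2) a token that matches the
    session's anti-CSRF token, compared in constant time."""
    if origin != allowed_origin:
        return 403
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    session.password = form["new_password"]
    return 200


def detect_reflection(q: str, response_body: str) -> bool:
    """Simple regression check for the XSS class: does the raw parameter
    value appear unescaped in the response? True means the page is unsafe."""
    probe = "<i>probe</i>"          # constructed, harmless marker
    return probe in response_body if q == probe else q in response_body


if __name__ == "__main__":
    probe = "<i>probe</i>"
    print("vulnerable reflects raw HTML:", detect_reflection(probe, render_search_vulnerable(probe)))
    print("hardened reflects raw HTML:  ", detect_reflection(probe, render_search_hardened(probe)))

    s = Session(user_id="user-1")
    print("cross-origin change:", change_password_hardened(s, {"new_password": "x"}, "https://attacker.example"))
    print("same-origin, good token:",
          change_password_hardened(s, {"new_password": "x", "csrf_token": s.csrf_token}, "https://app.example"))
```

The caveat that matters for the chain described in the article: a per-session CSRF token only defends against requests forged from another origin. Script running on the vulnerable origin itself, which is what a reflected XSS provides, can read the token from the page and submit a valid request, so the escaping fix is what actually closes the account-takeover path; the CSRF check is still necessary, but it is not sufficient on its own.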