TikTok fixes bugs that allow account takeover with one click
TikTok has patched two vulnerabilities that, when chained together, could have let attackers take over the accounts of users who signed up through third-party applications with a single click.
The social media platform's Android app currently has more than 1 billion downloads according to official Google Play Store stats, and it crossed the 2 billion installs mark across all mobile platforms in April 2020 based on Sensor Tower Store Intelligence estimates.
German bug bounty hunter Muhammed Taskiran found a reflected cross-site scripting (XSS) security bug, also known as a non-persistent XSS, in a TikTok URL parameter that reflected its value without proper sanitization.
Taskiran discovered the reflected XSS, which could also have led to data exfiltration, while fuzz testing the company's www.tiktok.com and m.tiktok.com domains.
He also found a TikTok API endpoint vulnerable to cross-site request forgery (CSRF) attacks that made it possible to change the account passwords of users who had signed up using third-party apps.
He reported that the endpoint allowed him to set a new password on accounts that had used third-party apps to sign up.
Taskiran reported the account takeover attack chain to TikTok on August 26, 2020; the company resolved the issues and awarded him a $3,860 bounty on September 18.
The post TikTok fixes bugs that allow account takeover with one click first appeared on Cybersafe News.