TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain.
While fuzzing the platform, the bug bounty researcher found that this issue could be exploited to achieve reflected cross-site scripting (XSS), potentially leading to the execution of malicious code in a user’s browser session.
In addition, Taskiran found an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an attack in which threat actors can dupe users into submitting actions on their behalf to a web application as a trusted user.
“The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up,” the bug bounty hunter said.
TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18.
Taskiran was awarded a bug bounty reward of $3,860.
ZDNet has reached out to TikTok and will update when we hear back.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0