Security News > 2020 > November > TikTok Awards Nearly $4,000 for Account Takeover Vulnerabilities
A researcher has earned nearly $4,000 from TikTok after discovering a couple of vulnerabilities that could have been chained to hijack accounts.
Muhammed Taskiran, a 20-year-old researcher based in Germany, informed TikTok in late August that a URL parameter on tiktok.com was "Reflecting its value without being properly sanitized."
An attacker could have exploited the vulnerabilities to change an account's password simply by getting the targeted user to click on a malicious link.
"I combined both vulnerabilities by crafting a simple JavaScript payload - triggering the CSRF - which I injected into the vulnerable URL parameter from earlier, to archive a 'one click account takeover'," Taskiran explained in a report submitted to TikTok via the HackerOne platform.
Taskiran also reported two other vulnerabilities to TikTok in recent months, including one that earned him just over $500. TikTok is offering between $1,700 and $6,900 for high-severity vulnerabilities and between $6,900 and $14,800 for critical vulnerabilities.