TikTok fixes bugs allowing account takeover with one click (Security News, November 2020)
TikTok has addressed two vulnerabilities that, when chained together, could have allowed attackers to take over the accounts of users who signed up via third-party apps with a single click.
German bug bounty hunter Muhammed Taskiran discovered a reflected cross-site scripting security bug, also known as a non-persistent XSS, in a TikTok URL parameter that reflected its value into the page without proper sanitization.
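The bug class described above, as an added illustration that is not TikTok's code or the researcher's report: a handler that echoes a URL parameter into HTML unencoded beside a hardened version, plus a small check that flags unencoded reflection. The host `example.test`, the parameter name `q` and the handler names are assumptions.

```javascript
// Added example (not from the original article). A reflected XSS sink is a
// URL parameter whose value is written straight into the response markup.

// Hypothetical vulnerable handler: echoes the query value without encoding.
function renderVulnerable(url) {
  const value = new URL(url).searchParams.get("q") ?? "";
  return `<p>Results for: ${value}</p>`;
}

// Encode the characters that can break out of an HTML text or attribute
// context; this is the minimal output encoding for an HTML body sink.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: same behaviour, but the reflected value is encoded.
function renderHardened(url) {
  const value = new URL(url).searchParams.get("q") ?? "";
  return `<p>Results for: ${escapeHtml(value)}</p>`;
}

// Defender-side check usable in a unit test or a response scanner: does a
// parameter value containing markup characters reappear verbatim in the HTML?
function reflectsUnencoded(url, html) {
  const value = new URL(url).searchParams.get("q") ?? "";
  return /[<>"']/.test(value) && html.includes(value);
}

// Constructed input: a harmless tag, enough to show whether encoding happens.
const sampleUrl = "https://example.test/search?q=" + encodeURIComponent("<b>x</b>");
console.log(reflectsUnencoded(sampleUrl, renderVulnerable(sampleUrl))); // true
console.log(reflectsUnencoded(sampleUrl, renderHardened(sampleUrl)));   // false
```

The check only covers the HTML body context; a value reflected inside a script block or a URL attribute needs the encoding appropriate to that context instead.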
Taskiran reported the account takeover attack chain to TikTok on August 26, 2020; the company resolved the issues and awarded the bug hunter a $3,860 bounty on September 18.
TikTok also addressed a batch of security vulnerabilities in its infrastructure that would have allowed attackers to hijack accounts in order to manipulate users' videos and steal their information.
"TikTok is committed to protecting user data," TikTok security engineer Luke Deshotels said at the time.