A researcher has earned over $11,000 from TikTok after disclosing a series of vulnerabilities that could have been chained for a high-impact 1-click exploit.
In a blog post published on Medium last week, Sayed Abdelhafiz, an 18-year-old researcher from Egypt, disclosed the details of several vulnerabilities he identified late last year and in early 2021 in the TikTok app for Android.
Abdelhafiz discovered a couple of cross-site scripting (XSS) vulnerabilities, an issue related to starting arbitrary components, and a so-called Zip Slip archive extraction vulnerability. Chaining these vulnerabilities could have allowed an attacker to remotely execute arbitrary code on the targeted user’s Android device simply by convincing them to click on a malicious link.
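Of the bug classes named above, Zip Slip is the one with a mechanical, language-independent fix: every archive entry's resolved destination must be checked against the extraction directory before anything is written. The following is an added illustration (not the researcher's PoC, nor TikTok's code), written in Python rather than the Android app's own Java/Kotlin; the archives, paths and function names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if extracting member_name cannot land outside dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    # realpath collapses '../' segments; an absolute member name replaces
    # dest_real entirely inside os.path.join, so it is caught as well.
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an archive, refusing it whole if any entry escapes dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        bad = [n for n in names if not is_safe_member(dest_dir, n)]
        if bad:  # reject before writing anything, not after the damage is done
            raise ValueError(f"zip slip attempt: {bad}")
        zf.extractall(dest_dir)
    return names

def build_archive(entries: dict) -> bytes:
    """Build a constructed in-memory sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a benign archive and one carrying a traversal entry.
BENIGN_ZIP = build_archive({"assets/config.json": b"{}"})
SLIP_ZIP = build_archive({"assets/ok.txt": b"ok", "../../lib/evil.so": b"x"})

def run_demo() -> tuple:
    """Return (names extracted from BENIGN_ZIP, whether SLIP_ZIP was rejected)."""
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extract(BENIGN_ZIP, dest)
        try:
            safe_extract(SLIP_ZIP, dest)
            rejected = False
        except ValueError:
            rejected = True
        # The rejected archive must not have left even its benign entry behind.
        rejected = rejected and not os.path.exists(os.path.join(dest, "assets/ok.txt"))
    return extracted, rejected
```

The whole-archive rejection matters: checking entries one at a time while writing would still let a crafted archive place its benign entries before the traversal entry is reached.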
Abdelhafiz told SecurityWeek that it was enough for the victim to click on a link posted on a website or sent to their TikTok inbox.
As for what an attacker could have done with this exploit, the researcher said “anything TikTok can do on your device, the exploit can do.”
“If the victim has given the storage permission to the TikTok application, the exploit can access the storage’s files,” Abdelhafiz explained. “If bad people exploit this vulnerability, they may chain it with an Android vulnerability to take over the whole device, even if the TikTok app doesn’t have permission to do anything.”
Abdelhafiz told SecurityWeek that TikTok acted quickly and rolled out a temporary fix within a week, but the social media giant only allowed him to disclose details of his findings last week.
The researcher’s blog post contains proof-of-concept (PoC) code, as well as information on how TikTok addressed the vulnerabilities.
TikTok launched its public bug bounty program in collaboration with HackerOne in October 2020. On its HackerOne page, the company says it has paid out nearly $130,000 to date, with top bounties ranging between $2,000 and $12,000.