
TikTok Pays Out $11,000 Bounty for High-Impact Exploit


A researcher has earned over $11,000 from TikTok after disclosing a series of vulnerabilities that could have been chained for a high-impact 1-click exploit.

In a blog post published on Medium last week, Sayed Abdelhafiz, an 18-year-old researcher from Egypt, disclosed the details of several vulnerabilities he identified late last year and in early 2021 in the TikTok app for Android.

Abdelhafiz discovered a couple of cross-site scripting (XSS) vulnerabilities, an issue that allowed arbitrary app components to be started, and a so-called Zip Slip archive extraction vulnerability (a directory traversal in which a crafted archive entry name containing "../" causes a file to be written outside the intended extraction directory). Chaining these vulnerabilities could have allowed an attacker to remotely execute arbitrary code on the targeted user’s Android device simply by convincing them to click on a malicious link.
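The Zip Slip bug class mentioned above is easy to reproduce in a few lines. The following is an added example written for this article, not code from Abdelhafiz's post or from the TikTok app: it builds a small archive (constructed sample data) with one benign entry and one entry whose name climbs out of the extraction directory, then runs it through an extractor that trusts entry names, as typical Java ZipInputStream loops on Android do, and through a hardened one that resolves each target path and refuses anything that lands outside the destination. The scratch directory layout and function names are this example's own assumptions.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: a benign entry plus a Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/config.json", '{"ok": true}')
        # Entry name is stored verbatim; nothing in the ZIP format forbids "..".
        zf.writestr("../../escaped.txt", "written outside the destination")
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the entry name onto dest and write, no check.
    (zipfile.extract() would sanitise the name; reading and writing by hand
    mirrors what a hand-rolled Android extractor does.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve name under dest and reject it if the result escapes dest.
    Handles "../" components and absolute entry names alike, because the
    comparison is done on fully resolved paths."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"Zip Slip entry rejected: {name!r}")
    return target


def extract_safe(zip_bytes: bytes, dest: str) -> tuple:
    """Hardened extractor: same loop, but every target goes through safe_target."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both extractors in a scratch tree (root/a/b is the destination, so
    the traversal entry lands in root rather than anywhere real) and report
    what each wrote, relative to root."""
    with tempfile.TemporaryDirectory() as root:
        root_real = os.path.realpath(root)
        dest = os.path.join(root_real, "a", "b")
        os.makedirs(dest)
        rel = lambda p: os.path.relpath(p, root_real)

        naive = [rel(p) for p in extract_naive(build_malicious_zip(), dest)]
        safe_written, safe_rejected = extract_safe(build_malicious_zip(), dest)
        return {
            "naive": naive,
            "safe_written": [rel(p) for p in safe_written],
            "safe_rejected": safe_rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive extractor writes escaped.txt two levels above the destination; the hardened one writes only theme/config.json and reports the traversal entry as rejected. The check in safe_target is the one to port to whatever language the app is written in: resolve the candidate path, then compare it against the resolved destination rather than looking for the literal string "..".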

Abdelhafiz told SecurityWeek that it was enough for the victim to click on a link posted on a website or sent to their TikTok inbox.

As for what an attacker could have done with this exploit, the researcher said “anything TikTok can do on your device, the exploit can do.”

“If the victim has given the storage permission to the TikTok application, the exploit can access the storage's files,” Abdelhafiz explained. “If bad people exploit this vulnerability, they may chain it with an Android vulnerability to take over the whole device, even if the TikTok app doesn't have permission to do anything.”

Abdelhafiz told SecurityWeek that TikTok acted quickly and rolled out a temporary fix within a week, but the social media giant only allowed him to disclose details of his findings last week.

The researcher’s blog post contains proof-of-concept (PoC) code, as well as information on how TikTok addressed the vulnerabilities.

TikTok launched its public bug bounty program in collaboration with HackerOne in October 2020. On its HackerOne page, the company says it has paid out nearly $130,000 to date, with top bounties ranging between $2,000 and $12,000.

Related: China-Made TikTok App Riddled With Security Holes: Researchers

Related: TikTok Awards Nearly $4,000 for Account Takeover Vulnerabilities

Related: Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.