Multiple vulnerabilities leading to account takeover in a TikTok SMB subdomain.

I'm here to tell you how I achieved account takeover on a TikTok SMB site. I submitted this bug through HackerOne and received $1000 for it.

This domain is third-party and out of scope, but they paid a bounty because it's a critical bug.

First: how did I find this domain? I took the URL from ads that were sent to my email.

Second: the URL is tiktoksmbacademyeu.com

The profile name and company name fields are vulnerable to XSS, and the form is not protected against CSRF (there is no CSRF token). OK, that part is done, no problem, the CSRF works and I can exploit users with it. But here I found another bug: an IDOR. By changing the id from 1000 to any other id, you can change that account's email and name.

This is the HTTP request captured in Burp; after I saved the profile settings I found this:

    hacked
    -----------------------------284212657035056129353908728991
    Content-Disposition: form-data; name="u_id"

    1504
    -----------------------------284212657035056129353908728991
    Content-Disposition: form-data; name="upload_an_image"

I created another account and saw that this u_id changed from 1504 to 1505.

In Burp, I modified the request and changed the id from 1504 to 1505.
I saw two accounts with one email :D The IDOR works.
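To show why the u_id field in that multipart body is the root cause, here is an added example (my own illustration, not code from the site or from the write-up) of the same profile-update handler written two ways: the vulnerable form that trusts the client-supplied u_id, and a hardened form that takes the identity from the server-side session, verifies a CSRF token, rejects and logs a mismatching u_id, and HTML-escapes the profile name on output so the XSS in the name field cannot fire. The store, session and form dictionaries are assumptions standing in for the real framework; the u_id values 1504 and 1505 are taken from the write-up, and the email addresses are constructed.

```python
import html
import hmac
import secrets
from typing import Dict, List


def make_store() -> Dict[int, dict]:
    """Constructed sample accounts (not the site's real data); ids mirror the write-up."""
    return {
        1504: {"email": "attacker@example.test", "name": "attacker"},
        1505: {"email": "victim@example.test", "name": "victim"},
    }


def vulnerable_update(store: Dict[int, dict], form: Dict[str, str]) -> int:
    """Vulnerable pattern: the handler trusts the u_id field from the multipart body,
    so any logged-in user can rewrite any account just by editing u_id in the request."""
    uid = int(form["u_id"])
    store[uid]["email"] = form["email"]
    store[uid]["name"] = form["name"]
    return uid


class ForbiddenRequest(Exception):
    """Raised when the request fails the CSRF or ownership check."""


def new_session(user_id: int) -> Dict[str, object]:
    """Assumed server-side session: the authenticated id plus a per-session CSRF token."""
    return {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32)}


def secure_update(store: Dict[int, dict], session: Dict[str, object],
                  form: Dict[str, str], audit_log: List[str]) -> int:
    """Hardened handler: identity comes from the session, the CSRF token is checked in
    constant time, and a u_id that does not match the caller is refused and logged."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, str(session["csrf_token"])):
        audit_log.append(f"csrf_failure user={session['user_id']}")
        raise ForbiddenRequest("missing or invalid CSRF token")
    uid = int(session["user_id"])
    # The client may still send u_id (legacy form field); it must never select the target row.
    if "u_id" in form and int(form["u_id"]) != uid:
        audit_log.append(f"idor_attempt user={uid} requested_u_id={form['u_id']}")
        raise ForbiddenRequest("u_id does not match the authenticated user")
    store[uid]["email"] = form["email"]
    store[uid]["name"] = form["name"]  # stored raw; encoding happens at render time
    return uid


def render_profile_html(store: Dict[int, dict], uid: int) -> str:
    """Output encoding: escape the stored name so markup saved in the profile
    name field is shown as text rather than executed as script."""
    return f"<h1>{html.escape(store[uid]['name'])}</h1>"


if __name__ == "__main__":
    store = make_store()
    sess = new_session(1504)
    log: List[str] = []
    try:
        secure_update(store, sess, {"u_id": "1505", "email": "x@example.test",
                                    "name": "x", "csrf_token": str(sess["csrf_token"])}, log)
    except ForbiddenRequest as exc:
        print("blocked:", exc, "| audit:", log[-1])
```

The audit lines written by secure_update are the detection hook: a spike of idor_attempt entries from one session is exactly the signal a defender would alert on for this class of bug.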

Video PoC

https://youtu.be/AThu-aa7VE0

https://twitter.com/PinkDraconian/status/1490760255973863424

Buy me a coffee: https://www.buymeacoffee.com/lu3ky13
