CVE-2022-28799: Report security vulnerabilities | TikTok Help Center

The TikTok application before 23.8.4 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.
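The description above names the pattern in general terms: a deep link carries a URL, the app loads that URL into a WebView that has a JavaScript interface attached, and so any page the attacker names can call the bridge. The Android snippet below is an added illustration of that pattern, not TikTok's code and not Microsoft's proof of concept; the activity, bridge, host allow-list and session-token placeholder are all assumptions chosen for the example. It shows the unvalidated load next to a host allow-list check.

```java
// Added example (hypothetical app code): deep link -> WebView with a JS bridge.
package example.deeplink;

import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkWebViewActivity extends AppCompatActivity {

    // Hosts the WebView may load. Assumed values for this example.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example.com", "m.example.com"));

    // Bridge object exposed to page JavaScript. Everything reachable through it
    // is available to whichever origin the WebView ends up rendering.
    static final class NativeBridge {
        private final String sessionToken;
        NativeBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(loadSessionToken()), "NativeBridge");

        // Deep link of the assumed form myapp://webview?url=<target>.
        // The target comes from the Intent, so the attacker controls it.
        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");

        // VULNERABLE: loading the parameter as-is lets any site the attacker names
        // run JavaScript that calls NativeBridge.getSessionToken().
        // webView.loadUrl(target);

        // HARDENED: accept only https URLs whose host is on the allow-list, and
        // keep later navigations inside the allow-list as well.
        if (!isAllowedUrl(target)) {
            finish();
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation.
                return !isAllowedUrl(request.getUrl().toString());
            }
        });
        webView.loadUrl(target);
    }

    // Exact host match after parsing. A startsWith/contains check on the raw
    // string would pass "https://www.example.com.evil.tld/" or
    // "https://evil.tld/?x=www.example.com".
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    private String loadSessionToken() {
        // Placeholder for wherever the app keeps its session credential (assumption).
        return "session-token-placeholder";
    }
}
```

The bridge is deliberately kept in the example so the consequence is visible: the severity of an unvalidated deep link depends on what the WebView exposes, and a JavaScript interface turns "attacker picks the page" into "attacker calls native methods". Validating the scheme and host before the first load, and again in `shouldOverrideUrlLoading` for redirects and in-page navigation, closes the path the description above relies on.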


Report Security Vulnerabilities

TikTok’s mission is to inspire creativity and bring joy. The security and health of our platform are closely tied to this mission. If things aren’t working properly on TikTok, our dedicated security team is ready to respond and resolve those issues. In addition to our team of experienced security professionals and industry-leading security technologies, we rely on, and value, external input that flags technical security bugs on our platform. With that in mind, we have defined a set of policies to guide our external partners on properly reporting vulnerabilities. We welcome your input and appreciate your efforts to safeguard TikTok.

Vulnerability Reporting Policy

   •  For questions, concerns, or issues with your profile, please click here.  
   •  For questions, concerns, or issues with TikTok's privacy policy or fraud, please click here.  
   •  If someone is misusing your brand, contact us.

If you believe you have discovered a security bug or vulnerability on the TikTok app or website, please submit your report here. You will be redirected to the website of HackerOne, our trusted security bug bounty partner. HackerOne provides more information on submission guidelines and will allow you to submit a report.

TikTok follows a Coordinated Disclosure Policy. Please refer to the Disclosure and Confidentiality Policy defined in TikTok HackerOne Policy for more details.

Guidelines

Please visit the Program Rules and Guidelines section in TikTok HackerOne Policy for details.

Frequently Asked Questions (FAQ)

What type of issues are considered security vulnerabilities and should be reported?

Issues regarding technical security bugs affecting TikTok should be reported here. Issues include, but are not limited to the following:
• XSS, CSRF, SSRF, SQL Injection, ROP, JOP, etc.
• Leaked or hard-coded sensitive credentials
• Exploitable and dangerous APIs
• Control flow hijacking attacks
• User data leaks
• Issues listed in the OWASP Top Ten for Web Apps
• Issues listed in the OWASP Top Ten for Mobile Apps
• Authentication or authorization vulnerabilities
• Access to internal TikTok resources like backend source code, database, etc.
• Open redirect - if an additional security impact can be demonstrated
• Anti-Automation security bypasses or lack of rate limiting on authenticated endpoints
• Using the TikTok application for privilege escalation to attack the mobile operating system
• Arbitrary code execution on TikTok servers/clients

Is there a reward, bounty or CVE for confirmed vulnerabilities?

Please visit Rewards & Not Eligible for Reward sections in TikTok HackerOne Policy for more details about bounty.

How much time is needed before I can publish my findings?

We request that security researchers follow the Disclosure and Confidentiality Policy defined in TikTok HackerOne Policy.

Which web domains are within scope for TikTok?

Please visit In Scope section in TikTok HackerOne Policy for details.

How can I be notified that a security issue I’ve reported is being investigated?

The security issues reported will be evaluated based on criticality and business priority and go through our investigation triage pipeline accordingly. We will keep you informed of the progress of the case to the best of our ability.


Related news

TikTok Users Were Vulnerable to a Single-Click Attack

Microsoft disclosed the flaw in the Android app’s deep link verification process, which has since been fixed.

TikTok vulnerability could have allowed hijackers to take over accounts

We take a look at a TikTok exploit discovered by Microsoft and passed on to the social media giant to have fixed. (Malwarebytes Labs)

Microsoft Discover Severe ‘One-Click’ Exploit for TikTok Android App

Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link. "Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft

TikTok for Android Bug Allows Single-Click Account Hijack

A security vulnerability (CVE-2022-28799) in one of TikTok for Android's deeplinks could affect billions of users, Microsoft warns.
