How I hacked worldwide Tiktok users

Hello everyone,

In this write-up I am sharing a TikTok vulnerability that I reported via TikTok's bug bounty program.

While testing the TikTok app for vulnerabilities, I came across a feature called Family Pairing. It lets parents control their children's accounts: turn the search bar on or off, switch the account between private and public, and manage many other things such as direct messages, comments, liked videos, and so on.

I thought this was a good area to test, because these functions are complex on the backend side, so I started there.

I created two accounts, one for the parent and one for the child, and linked them. I had Burp Suite running to capture the requests.

From the parent account I tried to change the child account from public to private. As soon as I tapped the button to turn on "private account", I caught the request in Burp Suite.

Let's see what's happening in this request. I saw several parameters, each of which does something different:

restriction_type, restriction_value and child_user_id

restriction_type selects which setting is being changed:
1 for direct messages
2 for liked videos
3 for comments
4 for public/private account

restriction_value selects the state for that setting (on / off / no one), as a number such as 0, 1, 2 or 3.

child_user_id is the user id of your child's account.

So I wondered what would happen if I changed child_user_id to another user's id. I changed it, and BoOM, it worked 😱

Now I could change sensitive settings of any account just by knowing the account's user id 😳
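The bug described above is a classic IDOR: the server trusts the client-supplied `child_user_id` instead of checking, against its own pairing records, that the caller is actually the linked parent. The following is an added example, not TikTok's code, that models the "set restriction" endpoint in miniature with the parameter names from this write-up. The handler names, the in-memory `Store`, the request shape and the sample user ids are all assumptions for illustration; the point is the one line of authorization that the vulnerable handler is missing.

```python
# Added example (not TikTok's code): a minimal model of a family-pairing
# "set restriction" endpoint, showing the IDOR described in the write-up
# and the server-side authorization check that closes it.
# Every name, table and request shape here is an assumption for illustration.
from dataclasses import dataclass, field

# restriction_type values as described in the write-up.
RESTRICTION_TYPES = {
    1: "direct_messages",
    2: "liked_videos",
    3: "comments",
    4: "private_account",
}
# restriction_value is a small integer (on / off / no one); the exact meaning
# of each number depends on the type, so we only check it is in range here.
VALID_VALUES = {0, 1, 2, 3}


class BadRequest(Exception):
    """Malformed or out-of-range input (HTTP 400)."""


class Forbidden(Exception):
    """Caller is not authorized for the target account (HTTP 403)."""


@dataclass
class Store:
    # parent_user_id -> set of child_user_ids linked through Family Pairing
    pairings: dict = field(default_factory=dict)
    # child_user_id -> {restriction_type: restriction_value}
    settings: dict = field(default_factory=dict)


def make_sample_store() -> Store:
    """Constructed sample data: two parent/child pairs plus an unrelated user."""
    store = Store()
    store.pairings = {"parent_1": {"child_1"}, "parent_2": {"child_2"}}
    store.settings = {"child_1": {}, "child_2": {}, "victim_9": {}}
    return store


def _parse(body: dict):
    """Input validation shared by both handlers: types and ranges only.
    Validation says nothing about *who* may change *whose* settings."""
    try:
        rtype = int(body["restriction_type"])
        rvalue = int(body["restriction_value"])
        child = str(body["child_user_id"])
    except (KeyError, TypeError, ValueError):
        raise BadRequest("malformed request")
    if rtype not in RESTRICTION_TYPES or rvalue not in VALID_VALUES:
        raise BadRequest("unknown restriction_type or restriction_value")
    return rtype, rvalue, child


def set_restriction_vulnerable(store: Store, session_user_id: str, body: dict) -> dict:
    """The bug: the target account comes straight from the request, so any
    authenticated parent can change any user's settings by id."""
    rtype, rvalue, child = _parse(body)
    if child not in store.settings:
        raise BadRequest("no such user")
    store.settings[child][rtype] = rvalue
    return {"child_user_id": child, RESTRICTION_TYPES[rtype]: rvalue}


def set_restriction_fixed(store: Store, session_user_id: str, body: dict) -> dict:
    """The fix: the target must be a child linked to the *session's* parent
    account, looked up in the server's own pairing table. Nothing the client
    sent is used to decide authorization."""
    rtype, rvalue, child = _parse(body)
    linked_children = store.pairings.get(session_user_id, set())
    if child not in linked_children:
        # Same error whether the id is unlinked or does not exist, so the
        # endpoint cannot be used to confirm which user ids are valid.
        raise Forbidden("not authorized for this child account")
    store.settings[child][rtype] = rvalue
    return {"child_user_id": child, RESTRICTION_TYPES[rtype]: rvalue}


def handle(handler, store: Store, session_user_id: str, body: dict) -> dict:
    """Tiny dispatcher that maps the exceptions to HTTP-style status codes,
    so the two handlers can be compared on the same request."""
    try:
        return {"status": 200, "body": handler(store, session_user_id, body)}
    except BadRequest as exc:
        return {"status": 400, "error": str(exc)}
    except Forbidden as exc:
        return {"status": 403, "error": str(exc)}


if __name__ == "__main__":
    # The tampered request from the write-up: parent_1 targets an unrelated id.
    tampered = {"restriction_type": 4, "restriction_value": 1, "child_user_id": "victim_9"}
    print(handle(set_restriction_vulnerable, make_sample_store(), "parent_1", tampered))
    print(handle(set_restriction_fixed, make_sample_store(), "parent_1", tampered))
```

Run it and the vulnerable handler answers 200 and flips `victim_9` to private, while the fixed handler answers 403 and leaves the settings untouched; the legitimate request for `child_1` succeeds on both. The check belongs on the server next to the write, not in the client and not in a "is this id well-formed" validator, because validation and authorization are different questions.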

Proof of concept

Impact
An attacker could potentially have collected the user ids of TikTok users and switched all of those accounts from public to private, which would stop their lives and videos from appearing on the For You page, disable all comments, and so on.

So I quickly reported it to TikTok, and they resolved the issue quickly.

Timeline:

Reported — Aug 2nd

Awarded $$$$ — Aug 6th

Resolved — Aug 13th

Thank you for reading.

Twitter: @s3c_krd


An independent security researcher from the Kurdistan region / web developer
