Bug bounty TikTok

Introduction

Last month, a remarkable case emerged involving an individual who earned $5,000 through TikTok's bug bounty program. This program rewards people who identify and responsibly report vulnerabilities in the platform, and so improves its overall security.

The individual in question discovered a vulnerability in the Android version of the TikTok application. It was classified as an Insecure Direct Object Reference (IDOR). This type of vulnerability occurs when an application looks up an object directly from an identifier supplied by the client (an ID in a URL or request parameter) without verifying that the requesting user is actually authorized to access that object.

To illustrate, consider a hypothetical website that provides access to invoices. If a user changes the identifier in the URL and the server does not check ownership, they can view someone else's invoice, which is a significant security oversight. The TikTok application exhibited a similar flaw.

In this instance, the individual created multiple TikTok accounts and published memories (content). He noticed that the visibility settings, which allow content to be shared publicly, with friends, or kept private, depended on a parameter that was poorly controlled. By adjusting this parameter, he was able to access the private memories of other content creators, violating their privacy.
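To make the invoice example and the memories scenario above concrete, here is an added example (not code from the original post, and not TikTok's code) that places an IDOR-style lookup beside its hardened form. The data model, the user and memory IDs, the friendship table, and the request parameter named `claimed_visibility` are all constructed assumptions for the illustration; the post itself does not name the real parameter. The example also goes one step beyond the text with a small defender-side check that flags accounts producing many forbidden reads.

```python
"""Added example (not from the original post): an IDOR-style lookup next to
its hardened form, modelled on the invoice and "private memories" scenarios
in the text.  All data below is constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    PRIVATE = "private"


@dataclass(frozen=True)
class Memory:
    memory_id: int
    owner_id: int
    visibility: Visibility
    body: str


class Forbidden(Exception):
    """Raised for both 'not found' and 'not allowed', so the response does not
    reveal whether a guessed id exists."""


# Constructed sample data: three users, four memories, one friendship (1 <-> 2).
MEMORIES = {
    10: Memory(10, 1, Visibility.PUBLIC, "user 1, public"),
    11: Memory(11, 1, Visibility.FRIENDS, "user 1, friends only"),
    12: Memory(12, 2, Visibility.PRIVATE, "user 2, private"),
    13: Memory(13, 3, Visibility.PRIVATE, "user 3, private"),
}
FRIENDS = {1: {2}, 2: {1}, 3: set()}


def get_memory_vulnerable(requester_id: int, memory_id: int, claimed_visibility: str) -> Memory:
    """IDOR: the object is fetched purely by the client-supplied id, and the
    visibility used for the decision is also taken from the request (a
    hypothetical parameter, assumed for the example).  Anyone who knows or
    guesses an id and sends claimed_visibility="public" gets the record."""
    memory = MEMORIES[memory_id]
    if claimed_visibility == "public" or requester_id == memory.owner_id:
        return memory
    raise Forbidden()


def can_view(requester_id: int, memory: Memory) -> bool:
    """Authorization decided from server-side state only."""
    if requester_id == memory.owner_id:
        return True
    if memory.visibility is Visibility.PUBLIC:
        return True
    if memory.visibility is Visibility.FRIENDS:
        return requester_id in FRIENDS.get(memory.owner_id, set())
    return False  # PRIVATE: owner only


def get_memory_hardened(requester_id: int, memory_id: int) -> Memory:
    """Hardened form: the requester identity comes from the authenticated
    session, the visibility comes from the stored record, and a missing id
    and a forbidden id produce the same error."""
    memory = MEMORIES.get(memory_id)
    if memory is None or not can_view(requester_id, memory):
        raise Forbidden()
    return memory


def serve(requester_id: int, memory_id: int, access_log: list) -> str:
    """Wrapper around the hardened lookup that records an audit entry as a
    (requester_id, memory_id, outcome) tuple."""
    try:
        memory = get_memory_hardened(requester_id, memory_id)
    except Forbidden:
        access_log.append((requester_id, memory_id, "forbidden"))
        return "forbidden"
    access_log.append((requester_id, memory_id, "ok"))
    return memory.body


def enumeration_suspects(access_log: list, threshold: int = 2) -> list:
    """Defender-side signal: requesters whose forbidden reads reach the
    threshold.  Repeated denials across many ids are the footprint an
    ownership check leaves when someone walks through identifiers."""
    denied = Counter(req for req, _, outcome in access_log if outcome == "forbidden")
    return sorted(req for req, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    # User 3 is nobody's friend. The vulnerable handler still hands over
    # user 2's private memory once the request merely claims it is public.
    print(get_memory_vulnerable(3, 12, "public").body)
    log = []
    for mid in (10, 11, 12, 13):
        print(mid, serve(3, mid, log))
    print("suspects:", enumeration_suspects(log))
```

The key design point is that the hardened path never lets the client state anything about the object's visibility or ownership; the only client input is the object id, and every decision is made from the stored record plus the authenticated identity. Returning one indistinguishable error for "not found" and "not allowed" keeps the endpoint from confirming which ids exist, and logging the denials gives the defender a signal to alert on.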

After documenting the vulnerability, he reported it through TikTok's bug bounty program. Given the severity of the flaw and its implications for user privacy, the company rewarded him with a notable sum: $5,000. This incident highlights not only the importance of cybersecurity but also the financial rewards that can come from responsibly reporting vulnerabilities.

Keywords

  • Bug bounty
  • TikTok
  • $5,000
  • Vulnerability
  • Insecure Direct Object Reference (IDOR)
  • Security oversight
  • Multiple accounts
  • Private memories
  • User privacy

FAQ

What is a bug bounty program?
A bug bounty program is an initiative that offers financial rewards to individuals who identify and report vulnerabilities in software applications.

How did the individual make money through TikTok's program?
He discovered a vulnerability in the TikTok app that allowed him to access private content of other users, which he then reported to TikTok for a reward.

What type of vulnerability did he find?
He found an Insecure Direct Object Reference (IDOR) vulnerability, which allowed unauthorized access to sensitive data.

What is an Insecure Direct Object Reference (IDOR)?
IDOR is a type of security vulnerability where an application exposes a reference to an object, enabling unauthorized users to access that object by manipulating the reference.

How much did TikTok reward him for the discovery?
He received $5,000 for reporting the vulnerability through TikTok's bug bounty program.