IDOR bug affecting TikTok allowing for unauthorized account changes (Bug Bounty Report)
Introduction
In this article, we discuss a critical vulnerability that was discovered in TikTok's platform, known as an Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA). This vulnerability allowed for unauthorized account changes by manipulating HTTP requests.
Description of Vulnerability
The vulnerability, an IDOR, lay in the HTTP requests sent during account linking. By capturing these requests and swapping out the user IDs they contained, an attacker could force-link a victim's account to their own.
Manipulation of HTTP Request
This was accomplished by manipulating the HTTP request captured during the account-linking interaction with TikTok. Swapping out the user IDs in the request was enough to act on another user's account without authorization, because the server used the ID supplied in the request rather than the identity of the authenticated session.
Obtaining Open ID
Acquiring someone's Open ID is more complicated than obtaining a user ID, but still possible: it could be retrieved through the developer API, which exposed public information.
Attack Scenario
Once an attacker obtained the Open ID of a victim, they could simply swap out the user IDs, forcing the victim's account to link to the attacker's account. This could result in unauthorized changes performed on the victim's account.
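The following is an added example, not code from the original report or from TikTok. It models the account-linking handler the article describes in its two forms: a vulnerable version that selects the account to modify from a caller-supplied user ID in the request body (the IDOR/BOLA pattern), and a hardened version that derives the target from the authenticated session and requires the other party to consent via a single-use pairing token. All account IDs, Open IDs, display names and the token store are constructed placeholders.

```python
"""Vulnerable vs. hardened account-linking handler (added example, not
the original report's code). Identifiers and data are constructed."""

import secrets


def make_accounts():
    """Constructed sample state: placeholder ids, not real accounts."""
    return {
        "user-1001": {"display_name": "victim", "open_id": "open-aaa", "linked_to": None},
        "user-2002": {"display_name": "attacker", "open_id": "open-bbb", "linked_to": None},
    }


class Forbidden(Exception):
    """Raised when the caller is not authorized to modify the object."""


def link_vulnerable(accounts, session_user_id, body):
    """IDOR/BOLA: the object to modify is taken from the request body and is
    never compared with the authenticated session. Any logged-in caller can
    therefore pair an arbitrary account with any partner. The pairing step
    also copies the partner's display name onto the target, mirroring the
    forced display-name change described in the article."""
    target = accounts[body["user_id"]]          # attacker-controlled object reference
    partner = accounts[body["partner_user_id"]]
    target["linked_to"] = body["partner_user_id"]
    target["display_name"] = partner["display_name"]
    return target


# Hypothetical in-memory store of consent tokens: token -> issuing user id.
PAIRING_TOKENS = {}


def issue_pairing_token(accounts, session_user_id):
    """Only the authenticated owner of an account can issue a pairing token;
    the other side must present it to complete a link. Single use."""
    if session_user_id not in accounts:
        raise Forbidden("unknown session")
    token = secrets.token_urlsafe(16)
    PAIRING_TOKENS[token] = session_user_id
    return token


def link_hardened(accounts, session_user_id, body):
    """Object-level authorization: the account being modified is always the
    session's own. A user_id in the body is tolerated only if it matches the
    session; any other value is rejected rather than silently trusted. The
    partner is identified by a consent token they issued, so a caller can
    never link someone else's account without that party's participation."""
    supplied = body.get("user_id")
    if supplied is not None and supplied != session_user_id:
        raise Forbidden("user_id in body does not match authenticated session")
    target = accounts[session_user_id]

    partner_id = PAIRING_TOKENS.pop(body.get("pairing_token"), None)  # consume token
    if partner_id is None or partner_id == session_user_id:
        raise Forbidden("missing, used, or self-issued pairing token")

    target["linked_to"] = partner_id
    # Display name now changes only on the caller's own account.
    target["display_name"] = accounts[partner_id]["display_name"]
    return target


def denied(fn, *args):
    """True if the call is rejected with Forbidden; used to check the fix."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    accts = make_accounts()
    # Attacker's session, body names the victim: vulnerable handler complies.
    link_vulnerable(accts, "user-2002", {"user_id": "user-1001", "partner_user_id": "user-2002"})
    print("vulnerable:", accts["user-1001"])
    accts = make_accounts()
    # Same request against the hardened handler is refused.
    print("hardened rejects spoofed user_id:",
          denied(link_hardened, accts, "user-2002", {"user_id": "user-1001"}))
```

The check that matters is the first one in `link_hardened`: the object reference comes from the session, not the request. The consent token is an additional control for the linking semantics specifically, because even a correctly scoped "link my account to X" call should not be able to pull in an unwilling X.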
Forced Changes
Due to the pairing process, the victim's display name would forcibly change to the attacker's display name. This issue affected any TikTok account, including those run by TikTok itself.
Social Engineering Risks
Since the paired account appears authorized, attackers could potentially use social engineering techniques to convince TikTok support to reset the account, believing the attacker was the legitimate owner.
Outcome
After this vulnerability was reported to TikTok, its severity was recognized and a reward of $3,000 was paid under their bug bounty program.
Conclusion
This significant vulnerability highlights the importance of robust security measures, particularly in preventing IDOR attacks. Continuous monitoring and security reviews are vital to protect user accounts from unauthorized changes.