Blind Stored XSS at 2 TikTok Assets
Hi everyone,
In this article, I share my findings of a blind stored XSS on 2 TikTok assets.
When I decided to hunt for bugs in the TikTok program, I spent 1 month looking for this XSS.
This XSS finding started when I created a product on a TikTok seller account (https://seller-id.tiktok.com/).
I entered the XSS payload in the product name in the seller's account.
The result was that there was no XSS on https://seller-id.tiktok.com/, so I decided not to continue looking for XSS there.
The next day, when I continued testing on the TikTok Android app assets, I discovered my product in the app.
I tried to see the product URL location from the **Share** feature above.
And I got a URL of the form:

```
https://oec-api.tiktokv.com/view/product/1231414124124124
```
And it turned out to be the same; there was no XSS here :(
I paused for a moment and tried looking at the view source of the page.
There I found that my payload was reflected inside a meta tag attribute, in the form of:

```html
<meta name='keywords' content='["><img src=x onerror=alert()>], TikTok, TokTok Shop' />
```
That almost made me give up, but after seeing that snippet in the response, I tried changing my product name from the TikTok seller account (https://seller-id.tiktok.com/).
This time I used an XSS payload with a single quote ( ' ) prefix:

```html
'><img src=x onerror=alert()>
```
And finally a popup appeared :)
Let's look at the response in view source:

```html
<meta name='keywords' content='['><img src=x onerror=alert()>], TikTok, TokTok Shop' />
```

And yes, the `'>` prefix closes the attribute value in the meta tag: the `content` attribute is delimited by single quotes, which is why the earlier double-quote payload stayed inside the value while the single-quote one broke out. That is how I got the blind stored XSS here.
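To show the attribute-context behaviour described above from the defender's side, here is an added example (my own code, not part of the original write-up or any TikTok code). It rebuilds the meta tag the way the vulnerable page appears to (the product name interpolated into a quote-delimited `content` attribute with no encoding, an assumption based only on the view-source snippets above), parses the result with Python's standard HTML parser to detect whether the value escaped the attribute, and then renders the hardened form using proper attribute encoding. The product names are constructed sample values; the helper names are my own.

```python
import html
from html.parser import HTMLParser

# Constructed sample product names (the same shapes as in the write-up, not real report data).
PAYLOAD_DOUBLE = '"><img src=x onerror=alert()>'
PAYLOAD_SINGLE = "'><img src=x onerror=alert()>"
SUFFIX = "], TikTok, TokTok Shop"


def render_keywords_meta_unsafe(product_name: str, delimiter: str = "'") -> str:
    """Mimics the vulnerable pattern seen in the page's view source (assumption):
    the product name is dropped into the content attribute with no attribute
    encoding. The delimiter defaults to a single quote, as in the snippets above."""
    return (f"<meta name={delimiter}keywords{delimiter} "
            f"content={delimiter}[{product_name}{SUFFIX}{delimiter} />")


def render_keywords_meta_safe(product_name: str, delimiter: str = "'") -> str:
    """Hardened form: html.escape(quote=True) encodes & < > \" and ' so the value
    can never terminate the attribute, whichever delimiter the template uses."""
    encoded = html.escape(product_name, quote=True)
    return (f"<meta name={delimiter}keywords{delimiter} "
            f"content={delimiter}[{encoded}{SUFFIX}{delimiter} />")


class TagCollector(HTMLParser):
    """Collects every start tag the browser-like parser would see, with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup: str) -> list[tuple[str, dict]]:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def payload_escapes_attribute(markup: str) -> bool:
    """True when the rendered fragment yields any element other than the single
    <meta> tag, i.e. the product name terminated the attribute and injected markup."""
    return any(tag != "meta" for tag, _ in parsed_tags(markup))


if __name__ == "__main__":
    for label, name in (("double-quote payload", PAYLOAD_DOUBLE),
                        ("single-quote payload", PAYLOAD_SINGLE)):
        unsafe = render_keywords_meta_unsafe(name)
        safe = render_keywords_meta_safe(name)
        print(f"{label}: unsafe render breaks out = {payload_escapes_attribute(unsafe)}, "
              f"safe render breaks out = {payload_escapes_attribute(safe)}")
```

The parser-based check is what a regression test for this class of bug should look like: it does not grep for `alert`, it asks whether the attribute survived intact. Run against the unsafe renderer it reports that the double-quote payload stays inside the single-quoted attribute while the single-quote payload produces an `img` element, exactly the difference the two view-source snippets show; run against the encoded renderer, both payloads stay inside the value and the parser hands back the product name as plain attribute text.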
I was overjoyed and immediately reported it to the TikTok team.
After I finished reporting the issue, I continued my testing, and it turned out that another TikTok asset's URLs were affected by the XSS from my initial finding.
The affected asset is https://shop.tiktok.com/
I also reported this finding to the TikTok Team.
Report:
https://hackerone.com/reports/1554048

Affected Assets:

Timeline:
Report: Apr 29th
Fix & Resolved: May 13th