XSS Blind Stored at Asset Domain Android Apps TikTok
First, let me introduce a little background: I am a young teenager who graduated from senior high school and an IT security enthusiast from Indonesia. Now I am 21 years old.
I once had a dream of finding a valid vulnerability on some tech giant's site, and I thought it wouldn't be easy and that I would have to fight for it. Today I am writing a write-up about the vulnerability I found on TikTok.
The vulnerability I found was a blind stored XSS at https://webcast.tiktokv.com/
I was trying to find XSS through TikTok's Android app to get coverage of new URLs and to minimize duplicate findings with other researchers. I found a feature in TikTok's Android app, namely the Create Live Event feature.
Then I tried entering the XSS payload in all the forms:
"><img src=x onerror=write(document.domain)>
A little information: why don't I use alert(document.domain)?
I think if I use alert() inside the Android app, it doesn't work. So I tried using write() so I could see whether the XSS works or not in the Android app, and it turned out that the XSS payload I entered was triggered on TikTok's asset domain.
And the Live Event I created triggered the XSS. Then I paused and asked: is the XSS triggered only for myself, or can it be triggered for other users?
Then it turned out that the Live Event I created had to wait for review by the TikTok team before it could be accessed by the public, and of course that made me feel that my finding was only a self XSS. That's not good for me :(
I tried to be patient and waited until my Live Event had been reviewed by the TikTok team. I didn't report this finding to TikTok at that time because the XSS I had was only a self XSS.
After waiting 30 minutes, the Live Event I created was finally approved by the TikTok review team. I checked whether I could use the XSS against other users, and I found something interesting: I can promote my Live Event by posting a video to my TikTok account, and of course that reaches other users :)
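The payload above works by closing the attribute it lands in with `">` and then opening a new `<img>` tag whose `onerror` handler runs. The following is an added example (not TikTok's code and not from the original write-up) that shows, on a constructed Live Event title field, why raw concatenation lets that happen and how HTML output encoding of the five significant characters stops it. The template, the `renderUnsafe`/`renderSafe` names and the `countTags` check are all assumptions made for this illustration.

```javascript
// Payload exactly as in the write-up, used here as test input.
const PAYLOAD = '"><img src=x onerror=write(document.domain)>';

// Encode the characters that can change HTML structure in text and
// double-quoted attribute contexts: & < > " '
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed vulnerable rendering: the user-supplied title is concatenated
// straight into a double-quoted attribute, so '">' terminates the attribute
// and the tag, and everything after it is parsed as new markup.
function renderUnsafe(eventTitle) {
  return `<input name="title" value="${eventTitle}">`;
}

// Hardened rendering: same template, but the value is encoded first, so the
// quote and angle brackets arrive in the browser as data, not markup.
function renderSafe(eventTitle) {
  return `<input name="title" value="${escapeHtml(eventTitle)}">`;
}

// Cheap review check: count tag openings in the rendered fragment. The
// template contains exactly one (<input>); any extra tag came from user data.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Report whether a renderer leaks user data into markup for a given input.
function leaksMarkup(renderer, input) {
  return countTags(renderer(input)) > 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(PAYLOAD), '-> leaks:', leaksMarkup(renderUnsafe, PAYLOAD));
  console.log('safe:  ', renderSafe(PAYLOAD), '-> leaks:', leaksMarkup(renderSafe, PAYLOAD));
}
```

The same encoding is what a server must apply when it later echoes the stored title on the asset domain: the break-out only works because the stored value is emitted without it. Note that `escapeHtml` is correct only for HTML text and quoted attribute contexts; unquoted attributes, `href`/`src` URLs and inline script need context-specific encoding instead.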
And this is the result of the video post:
And I managed to leverage the self XSS into a blind stored XSS :)
Report : Apr 16th
Triaged : Apr 21st
Bounty : $1,500
Fix : May 11th