TikTok's top hacker enjoys account takeovers

Yusuf, a 23-year-old bug bounty hunter from Kurdistan, Iraq, is one of TikTok's top contributors. Hacking big tech companies started as a hobby, Yusuf told Cybernews.

TikTok kickstarted its Global Bug Bounty program in partnership with HackerOne and has awarded over $585,000 in bug bounties to over 250 ethical hackers responsible for disclosing over 450 vulnerabilities.

As of October 1, Yusuf is one of TikTok's top contributors, claiming this spot for the second consecutive year.

"As an independent security researcher on the HackerOne platform with five years of experience, Yusuf enjoys helping top companies protect their business," TikTok said.

Cybernews reached out to Yusuf (@s3c) to learn more about why he loves working with TikTok on vulnerability disclosure.

"When I first started, I didn't care about money. It was only my hobby. Now, it's my hobby and my main occupation," he told Cybernews.

Yusuf had been dreaming about becoming a hacker since he was a teenager. However, he didn't know where to start. Google didn't help much – Yusuf read that the Python language is a must to become a hacker but thought it was too challenging to learn, and eventually abandoned the idea.

"I thought if you know how to reset Facebook passwords and other social media and solve mobile problems, you are good at hacking. But one day, I watched a video on YouTube that said if you only know these things like Facebook problem-solving, it's useless, and you need to learn to program," Yusuf recalled.

That's when he started learning HTML/CSS/JavaScript/PHP & MySQL technologies. "It was tough for me because I didn't know the English language well. So every day, I tried to learn English and these languages, and I learned a new thing until I could create a social media website. Then I started bug bounty because now I can understand how the web works, and in the same way as learning programming, I started learning bug bounty too," Yusuf said.

TikTok logo
By Shutterstock

By now, he has found over 40 bugs on TikTok. His personal favorite is an IDOR (insecure direct object reference) vulnerability. By exploiting the bug, he could stop live translations, disable comments, and change privacy settings, such as those of messages.
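The class of bug named above is worth seeing in code. The following is an added illustration, not code from the article or from TikTok: an account-settings handler that trusts the account id supplied by the client (the IDOR), beside the same handler with an object-level authorization check. All names, tokens and account data are constructed for the example.

```python
# Added example (not from the article or TikTok): an IDOR in a settings
# endpoint, and the object-level authorization check that closes it.
# Every name, token and account below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    settings: dict = field(
        default_factory=lambda: {"comments": "on", "dm_privacy": "everyone"}
    )


@dataclass
class Store:
    accounts: dict          # account_id -> Account
    sessions: dict          # session token -> account_id of the logged-in user


class AuthzError(Exception):
    """Raised when the caller is not allowed to act on the requested object."""


def make_store() -> Store:
    """Constructed sample data: two users, each with their own session token."""
    return Store(
        accounts={101: Account(101), 202: Account(202)},
        sessions={"token-alice": 101, "token-bob": 202},
    )


def update_setting_vulnerable(store, session_token, account_id, key, value):
    """IDOR: the caller is authenticated, but the target account is taken from
    the request and never compared with the caller's own identity, so any
    logged-in user can change any account's settings."""
    if session_token not in store.sessions:
        raise AuthzError("not logged in")
    account = store.accounts[account_id]   # whatever id the client sent
    account.settings[key] = value
    return dict(account.settings)


def update_setting_hardened(store, session_token, account_id, key, value):
    """Object-level authorization: resolve the caller's identity server-side
    and refuse to act on an object the caller does not own."""
    caller_id = store.sessions.get(session_token)
    if caller_id is None:
        raise AuthzError("not logged in")
    account = store.accounts.get(account_id)
    # One identical error for "missing" and "not yours": the response must
    # not reveal whether the id exists.
    if account is None or account.account_id != caller_id:
        raise AuthzError("no such account for this session")
    if key not in account.settings:
        raise ValueError("unknown setting")
    account.settings[key] = value
    return dict(account.settings)


def demonstrate():
    """Returns (vulnerable_allowed_cross_account, hardened_blocked_cross_account,
    hardened_allowed_own_account) on fresh data, so the outcome is checkable."""
    store = make_store()
    # Bob's session, Alice's account id: the vulnerable handler lets it through.
    vulnerable_result = update_setting_vulnerable(
        store, "token-bob", 101, "comments", "off"
    )
    vulnerable_allowed = vulnerable_result["comments"] == "off"

    store = make_store()
    try:
        update_setting_hardened(store, "token-bob", 101, "comments", "off")
        hardened_blocked = False
    except AuthzError:
        hardened_blocked = True
    # Alice changing her own account still works after the fix.
    own_result = update_setting_hardened(
        store, "token-alice", 101, "dm_privacy", "friends"
    )
    hardened_allowed_own = own_result["dm_privacy"] == "friends"
    return vulnerable_allowed, hardened_blocked, hardened_allowed_own


if __name__ == "__main__":
    print(demonstrate())   # expected: (True, True, True)
```

The fix is the comparison of `account.account_id` with the identity recovered from the session; the client-supplied id is only ever used as a lookup key, never as proof of ownership. In a real service the same check belongs in every handler that reads or writes a user-owned object, and a log entry for each refused request is a cheap way to spot enumeration attempts.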

Another exciting discovery was a bug that allowed a hacker to take over user accounts with only two clicks.

"The first time I challenged myself to find high-severity bugs on TikTok and spent three months on it without finding any bugs, but after that, I learned many things about how TikTok functions work. It's challenging. I am happy, and I enjoy it," the hacker recalled.

Yusuf's cyber-hunting aspirations go beyond searching for TikTok bugs. He is also looking into Amazon, Zoom, PayPal, and other companies' vulnerabilities. In 2020, Yusuf discovered a flaw that allowed hacking every Zoom user with zero-click interaction and accessing any account without a password.

Yusuf is not an active user of TikTok himself and only resorts to it for testing purposes. The hacker has over 20 TikTok accounts for that.

Sometimes, it can take as little as one hour to find a bug, but it might also take weeks. Yusuf enjoys finding bugs that could be exploited to take over accounts.

When asked about his future plans, Yusuf said he wants to keep learning new things, become one of the top 100 contributors on HackerOne, and get a good job.

Yusuf said that the attitude towards white-hat hackers in Kurdistan, Iraq, is welcoming. "A lot of people motivate me to continue my work. [...] I have a team (of friends). We all work together and share information and new ideas with each other, and they also helped lots of companies on HackerOne and other platforms," the hacker said.

TikTok's vulnerability count is just a drop in the ocean. Last year alone, hackers reported over 66,000 vulnerabilities through HackerOne, signaling a 20% year-on-year increase. For white-hat hackers, this translated into $40 million in bug bounties.
