TikTok


22 total issues disclosed

$55,128 total paid publicly


Most disclosed (5 disclosures) — Cross-site Scripting (XSS) - Reflected




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| IDOR the ability to view support tickets of any user on seller platform | Insecure Direct Object Reference (IDOR) | lewaperbb | Medium | 2021-12-03 |
| reflected xss on the path m.tiktok.com | Cross-site Scripting (XSS) - Reflected | semsem123 | Medium | 2021-12-03 |
| BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS | Improper Access Control - Generic | boynamedboy | Medium | 2021-11-18 |
| HTML Injection on tiktoktutorials via firstName parameter | Improper Input Validation | sirat_ | Low | 2021-10-30 |
| XSS on tiktok.com | Cross-site Scripting (XSS) - Reflected | arifmkhls | Medium | 2021-10-23 |
| Reflected XSS in TikTok endpoints | Cross-site Scripting (XSS) - Reflected | sh1yo | Medium | 2021-10-22 |
| Broken Link on TikTokUS.Info | Violation of Secure Design Principles | sirat_ | Low | 2021-10-01 |
| Information Disclosure on TikTok Unplugged Site | Information Disclosure | nanwn | Low | 2021-08-13 |
| Blocked user can send notification by liking the message due to Logical Bug | Privacy Violation | sandipgyawali | Low | 2021-07-10 |
| TikTok Session Donation CSRF via QR code login | Cross-Site Request Forgery (CSRF) | lauritz | Low | 2021-06-17 |
| Blocked user can see live video | Privacy Violation | sandipgyawali | Medium | 2021-05-28 |
| CSRF on TikTok Ads Portal | Cross-Site Request Forgery (CSRF) | probatorem | Medium | 2021-05-26 |
| RCE on TikTok Ads Portal | Code Injection | bubbounty | Critical | 2021-04-15 |
| Cross-Tenant IDOR (graphql `AddRulesToPixelEvents` query) allowing to add, update, and delete rules of any Pixel events on the platform | Insecure Direct Object Reference (IDOR) | bubbounty | High | 2021-04-02 |
| Multiple bugs leads to RCE on TikTok for Android | Improper Export of Android Application Components | dphoeniixx | Critical | 2021-03-17 |
| External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing | Server-Side Request Forgery (SSRF) | ach | High | 2021-02-15 |
| Lack of rate limitation on careers site allows the attacker to brute force the verification code | Brute Force | iambouali | High | 2021-02-11 |
| [CSRF] TikTok Careers Portal Account Takeover | Cross-Site Request Forgery (CSRF) | lauritz | High | 2020-12-15 |
| Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration | Cross-site Scripting (XSS) - Reflected | milly | High | 2020-11-19 |
| CSRF To Add New App In Developer Account And Bypassing Json Format | Cross-Site Request Forgery (CSRF) | sniper302 | Medium | 2020-11-07 |
| Bypass "Industry Documents" Validation | Improper Access Control - Generic | gnux | Low | 2020-10-29 |