TikTok Bug Bounty Program Statistics

TikTok Program Statistics

22 total issues disclosed

$55,128 total paid publicly

Most disclosed (5 disclosures) — Cross-site Scripting (XSS) - Reflected

Disclosed Reports

Report Title	Vulnerability Type	Disclosed By	Severity	Disclosed on
IDOR the ability to view support tickets of any user on seller platform	Insecure Direct Object Reference (IDOR)	lewaperbb	Medium	2021-12-03
reflected xss on the path m.tiktok.com	Cross-site Scripting (XSS) - Reflected	semsem123	Medium	2021-12-03
BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS	Improper Access Control - Generic	boynamedboy	Medium	2021-11-18
HTML Injection on tiktoktutorials via firstName parameter	Improper Input Validation	sirat_	Low	2021-10-30
XSS on tiktok.com	Cross-site Scripting (XSS) - Reflected	arifmkhls	Medium	2021-10-23
Reflected XSS in TikTok endpoints	Cross-site Scripting (XSS) - Reflected	sh1yo	Medium	2021-10-22
Broken Link on TikTokUS.Info	Violation of Secure Design Principles	sirat_	Low	2021-10-01
Information Disclosure on TikTok Unplugged Site	Information Disclosure	nanwn	Low	2021-08-13
Blocked user can send notification by liking the message due to Logical Bug	Privacy Violation	sandipgyawali	Low	2021-07-10
TikTok Session Donation CSRF via QR code login	Cross-Site Request Forgery (CSRF)	lauritz	Low	2021-06-17
Blocked user can see live video	Privacy Violation	sandipgyawali	Medium	2021-05-28
CSRF on TikTok Ads Portal	Cross-Site Request Forgery (CSRF)	probatorem	Medium	2021-05-26
RCE on TikTok Ads Portal	Code Injection	bubbounty	Critical	2021-04-15
Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform	Insecure Direct Object Reference (IDOR)	bubbounty	High	2021-04-02
Multiple bugs leads to RCE on TikTok for Android	Improper Export of Android Application Components	dphoeniixx	Critical	2021-03-17
External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing	Server-Side Request Forgery (SSRF)	ach	High	2021-02-15
Lack of rate limitation on careers site allows the attacker to brute force the verification code	Brute Force	iambouali	High	2021-02-11
[CSRF] TikTok Careers Portal Account Takeover	Cross-Site Request Forgery (CSRF)	lauritz	High	2020-12-15
Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration	Cross-site Scripting (XSS) - Reflected	milly	High	2020-11-19
Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration	Cross-site Scripting (XSS) - Reflected	milly	High	2020-11-19
CSRF To Add New App In Developer Account And Bypassing Json Format	Cross-Site Request Forgery (CSRF)	sniper302	Medium	2020-11-07
Bypass "Industry Documents" Validation	Improper Access Control - Generic	gnux	Low	2020-10-29

BugBountyHunter

TikTok Program Statistics

Disclosed Reports