TikTok Program Statistics

106 total issues disclosed

$105,302 total paid publicly

Most disclosed (17 disclosures) — Insecure Direct Object Reference (IDOR)

Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Chained Broken Access Control in TikTok Live Backstage Enables Full Control of Public Leaderboard Activities | Privilege Escalation | eneri | Medium | 2025-09-11 |
| Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers). | Cross-site Scripting (XSS) - Stored | ahmed_xyz | Medium | 2025-09-11 |
| Chain Vulnerability lead to Full Control Group Live Accounts & Undeletable Creator | Privilege Escalation | eneri | Medium | 2025-07-08 |
| Unauthorized Access to Private Video Description via Translation API for Private Accounts | Insecure Direct Object Reference (IDOR) | z3phyrus | Low | 2025-06-27 |
| IDOR on ads.tiktok.com Allows Unauthorized Product Addition | Insecure Direct Object Reference (IDOR) | p_oria | Low | 2025-02-20 |
| Unauthorized Access to TikTok Account [Private Videos] via API Endpoint | Insecure Direct Object Reference (IDOR) | datph4m | Medium | 2025-01-24 |
| CSRF in ticket function | Cross-Site Request Forgery (CSRF) | ibrahim0936356 | Medium | 2024-11-05 |
| Stored-XSS-ads.tiktok.com | Cross-site Scripting (XSS) - Stored | ahmed_xyz | Low | 2024-10-02 |
| DOM XSS in tiktok.com/login via the redirect_url parameter | Cross-site Scripting (XSS) - DOM | sh1yo | High | 2024-09-21 |
| Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products | Business Logic Errors | 696e746c6f6c | Medium | 2024-07-19 |
| Account Takeover via Authentication Bypass in TikTok Account Recovery | Authentication Bypass Using an Alternate Path or Channel | fl4w | Critical | 2024-07-13 |
| Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification | Improper Access Control - Generic | zhyar_11011 | Low | 2024-07-03 |
| Lynxview JS interfaces Takeover via deeplink traversal | Cross-site Scripting (XSS) - DOM | fr4via | High | 2024-05-24 |
| Reflected XSS on Pangle Endpoint | Cross-site Scripting (XSS) - Reflected | 3x3_ | High | 2024-04-05 |
| Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known | Information Disclosure | dxcoder | Medium | 2024-04-03 |
| HTML Injection on TikTok Ads | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | a77w3 | Low | 2024-02-20 |
| Multiple Open Redirect on TikTok domains | Improper Access Control - Generic | ashrafabdelrazik | Low | 2024-02-16 |
| Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd] | Cross-site Scripting (XSS) - Reflected | ashrafabdelrazik | Medium | 2024-01-12 |
| RXSS on TikTok endpoints | Cross-site Scripting (XSS) - Reflected | ashrafabdelrazik | Medium | 2024-01-09 |
| RXSS via region parameter | Cross-site Scripting (XSS) - Reflected | ashrafabdelrazik | Medium | 2024-01-09 |
| 1 Click to 'Close Account and Refund' via POSTMESSAGE | Improper Access Control - Generic | sinayeganeh | Medium | 2024-01-03 |
| CRLF injection leads to internal XSS on PangleGlobal | CRLF Injection | serverinspector | Medium | 2023-10-31 |
| Stored XSS Via Ads Account Name | Cross-site Scripting (XSS) - Stored | rioncool22 | Medium | 2023-09-12 |
| CRLF to XSS & Open Redirection | Cross-site Scripting (XSS) - Reflected | ashrafabdelrazik | High | 2023-08-16 |
| DOM XSS and open redirect in TikTok seller endpoint | Cross-site Scripting (XSS) - DOM | 7hamoody1 | Medium | 2023-08-07 |
| CSRF in seller-us.tiktok.com/profile/account-setting/delegation-login | Cross-Site Request Forgery (CSRF) | eye_ | Medium | 2023-07-26 |
| CSRF protection bypass on TikTok Webcast Endpoints | Cross-Site Request Forgery (CSRF) | zerody | Medium | 2023-07-12 |
| Improper user validation on mentions and hashtags | Improper Input Validation | rektile404 | Low | 2023-06-22 |
| IDOR in family pairing API | Insecure Direct Object Reference (IDOR) | ahmedna126 | Low | 2023-06-02 |
| Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ | Cross-site Scripting (XSS) - Reflected | mrhavit | High | 2023-06-02 |
| Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload | Unrestricted Upload of File with Dangerous Type | h4x0r_dz | Medium | 2023-04-12 |
| View thumbnail of any private video (friends or followers only) of Private/Public account | Privacy Violation | amans | Low | 2023-02-17 |
| TikTok 2FA Bypass | Improper Authorization | amans | Medium | 2023-02-03 |
| IDOR for changing privacy settings on any memories | Insecure Direct Object Reference (IDOR) | mrhavit | High | 2023-01-27 |
| XSS at TikTok Ads Endpoint | Cross-site Scripting (XSS) - Reflected | s3c | High | 2023-01-27 |
| Any user can vote on `Friend Only` video pull | Improper Authorization | mrhavit | Low | 2023-01-27 |
| bypass two-factor authentication in Android apps and web | Authentication Bypass Using an Alternate Path or Channel | lu3ky-13 | Medium | 2023-01-09 |
| Ability to change permissions across seller platform | Improper Access Control - Generic | imran_nisar | Medium | 2022-12-06 |
| Stored XSS Payload when sending videos | Cross-site Scripting (XSS) - Stored | find_me_here | Low | 2022-11-29 |
| Business Suite "Get Leads" Resulting in Revealing User Email & Phone | Insecure Direct Object Reference (IDOR) | datph4m | High | 2022-11-10 |
| Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly) | Privilege Escalation | daik0n | Low | 2022-11-07 |
| Remotely Accessible Container Advisor exposed performance metrics and resource usage | Information Disclosure | tw4v3sx | Low | 2022-10-24 |
| TikTok Account Creation Date Information Disclosure | Privacy Violation | f15 | Low | 2022-10-18 |
| Stored XSS in the ticketing system | Cross-site Scripting (XSS) - Stored | codeslayer1337 | Medium | 2022-10-10 |
| Bypassing authorization of linked Instagram account | Missing Authorization | ckerha | Low | 2022-09-30 |
| Add products to any livestream. | Insecure Direct Object Reference (IDOR) | datph4m | Medium | 2022-09-21 |
| Create product discounts of any shop | Insecure Direct Object Reference (IDOR) | datph4m | Medium | 2022-09-21 |
| IDOR on Tagged People | Insecure Direct Object Reference (IDOR) | apapedulimu | Medium | 2022-09-20 |
| CSRF in Changing User Verification Email | Cross-Site Request Forgery (CSRF) | f_m | Low | 2022-09-13 |
| IDOR on TikTok Ads Endpoint | Insecure Direct Object Reference (IDOR) | sinayeganeh | Medium | 2022-09-01 |
| TikTok's pixel/sdk.js leaks current URL from websites using postMessage | Improper Authorization | fransrosen | Medium | 2022-08-30 |
| Stored XSS on TikTok Ads | Cross-site Scripting (XSS) - DOM | sinayeganeh | Medium | 2022-08-19 |
| IDOR on TikTok Seller | Insecure Direct Object Reference (IDOR) | find_me_here | Low | 2022-08-16 |
| CSRF Account Takeover | Cross-Site Request Forgery (CSRF) | s3c | High | 2022-08-16 |
| Unrestricted File Upload Blind Stored XSS in subdomain ads.tiktok.com | Cross-site Scripting (XSS) - Stored | mrzheev | Low | 2022-08-04 |
| HTML Injection via TikTok Ads Email Share | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | lu3ky-13 | Medium | 2022-07-28 |
| HTML Injection via Email Share | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | lu3ky-13 | Low | 2022-07-27 |
| IDOR in report download functionality on ads.tiktok.com | Insecure Direct Object Reference (IDOR) | f_m | Low | 2022-07-22 |
| DOM XSS on ads.tiktok.com | Cross-site Scripting (XSS) - DOM | 0x7 | Medium | 2022-07-20 |
| Internal Employee information Disclosure via TikTok Athena api | Information Disclosure | ht0x0 | Medium | 2022-07-20 |
| Clickjacking Vulnerability In Whole Page Ads Tiktok | UI Redressing (Clickjacking) | rioncool22 | Low | 2022-07-07 |
| XSS Payload on TikTok Seller Center endpoint | Cross-site Scripting (XSS) - Stored | find_me_here | Medium | 2022-06-29 |
| Stored XSS on TikTok Live Form | Cross-site Scripting (XSS) - Stored | find_me_here | Medium | 2022-06-16 |
| disclosure the live_analytics information of any livestream. | Information Disclosure | datph4m | Medium | 2022-06-11 |
| Email address disclosure via invite token validation | Information Disclosure | noob_but_cut3 | Low | 2022-06-11 |
| XSS and iframe injection on tiktok ads portal using redirect params | Cross-site Scripting (XSS) - Reflected | cancerz | Medium | 2022-05-19 |
| Privilege Escalation on TikTok for Business | Insecure Direct Object Reference (IDOR) | naaash | Medium | 2022-05-16 |
| Multiple IDORs in family pairing api | Insecure Direct Object Reference (IDOR) | s3c | High | 2022-05-06 |
| Clickjacking Vulnerability Can Lead To Delete Developer APP | UI Redressing (Clickjacking) | rioncool22 | Low | 2022-05-04 |
| One Click Account Hijacking via Unvalidated Deeplink | Forced Browsing | fr4via | High | 2022-05-04 |
| URL Scheme misconfiguration on TikTok for iOS | Cross-Site Request Forgery (CSRF) | joemcdonald23 | Low | 2022-05-04 |
| Reflected XSS on TikTok Website | Cross-site Scripting (XSS) - Reflected | homosec | Medium | 2022-04-13 |
| Information Leakage via TikTok Ads Web Cache Deception | Misconfiguration | bobo_ka | Low | 2022-03-31 |
| Impersonation of tiktok account via Broken Link in TikTok Newsroom | Phishing | bushido-x | No rating | 2022-03-24 |
| Instance Page DOS within Organization on TikTok Ads | Uncontrolled Resource Consumption | arsene_lupin | Low | 2022-03-17 |
| IDOR delete any Tickets on ads.tiktok.com | Insecure Direct Object Reference (IDOR) | datph4m | High | 2022-03-02 |
| Open Redirect TO Stealing aadvid | Open Redirect | lu3ky-13 | Low | 2022-03-02 |
| Incorrect authorization to the intelbot service leading to ticket information | Improper Authentication - Generic | johnstone | Critical | 2022-02-23 |
| Reflected xss on ads.tiktok.com using `from` parameter. | Cross-site Scripting (XSS) - Reflected | imran_nisar | High | 2022-02-09 |
| Multiple vulnerability leading to account takeover in TikTok SMB subdomain. | Business Logic Errors | lu3ky-13 | Critical | 2022-02-02 |
| Cross site scripting via file upload in subdomain ads.tiktok.com | Cross-site Scripting (XSS) - Stored | blubluuu | Low | 2022-01-25 |
| Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field | Cross-site Scripting (XSS) - Stored | lu3ky-13 | Medium | 2022-01-20 |
| IDOR the ability to view support tickets of any user on seller platform | Insecure Direct Object Reference (IDOR) | lewaperbb | Medium | 2021-12-03 |
| reflected xss on the path m.tiktok.com | Cross-site Scripting (XSS) - Reflected | semsem123 | Medium | 2021-12-03 |
| BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS | Improper Access Control - Generic | boynamedboy | Medium | 2021-11-18 |
| HTML Injection on tiktoktutorials via firstName parameter | Improper Input Validation | sirat_ | Low | 2021-10-30 |
| XSS on tiktok.com | Cross-site Scripting (XSS) - Reflected | arifmkhls | Medium | 2021-10-23 |
| Reflected XSS in TikTok endpoints | Cross-site Scripting (XSS) - Reflected | sh1yo | Medium | 2021-10-22 |
| Broken Link on TikTokUS.Info | Violation of Secure Design Principles | sirat_ | Low | 2021-10-01 |
| Information Disclosure on TikTok Unplugged Site | Information Disclosure | nanwn | Low | 2021-08-13 |
| Blocked user can send notification by liking the message due to Logical Bug | Privacy Violation | sandipgyawali | Low | 2021-07-10 |
| TikTok Session Donation CSRF via QR code login | Cross-Site Request Forgery (CSRF) | lauritz | Low | 2021-06-17 |
| Blocked user can see live video | Privacy Violation | sandipgyawali | Medium | 2021-05-28 |
| CSRF on TikTok Ads Portal | Cross-Site Request Forgery (CSRF) | probatorem | Medium | 2021-05-26 |
| RCE on TikTok Ads Portal | Code Injection | bubbounty | Critical | 2021-04-15 |
| Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform | Insecure Direct Object Reference (IDOR) | bubbounty | High | 2021-04-02 |
| HTML Injection through Account Name field on TikTok ads portal being rendered on emails | Code Injection | nagli | Low | 2021-03-19 |
| Multiple bugs leads to RCE on TikTok for Android | Improper Export of Android Application Components | dphoeniixx | Critical | 2021-03-17 |
| Lack of session expiration after password reset on TikTok Careers Portal | Insufficient Session Expiration | gnux | Low | 2021-03-03 |
| External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing | Server-Side Request Forgery (SSRF) | ach | High | 2021-02-15 |
| Lack of rate limitation on careers site allows the attacker to brute force the verification code | Brute Force | iambouali | High | 2021-02-11 |
| [CSRF] TikTok Careers Portal Account Takeover | Cross-Site Request Forgery (CSRF) | lauritz | High | 2020-12-15 |
| Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration | Cross-site Scripting (XSS) - Reflected | milly | High | 2020-11-19 |
| Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration | Cross-site Scripting (XSS) - Reflected | milly | High | 2020-11-19 |
| CSRF To Add New App In Developer Account And Bypassing Json Format | Cross-Site Request Forgery (CSRF) | sniper302 | Medium | 2020-11-07 |
| Bypass "Industry Documents" Validation | Improper Access Control - Generic | gnux | Low | 2020-10-29 |