Top reports from TikTok program at HackerOne:

  1. Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 459 upvotes, $0
  2. Multiple bugs leads to RCE on TikTok for Android to TikTok - 364 upvotes, $0
  3. [CSRF] TikTok Careers Portal Account Takeover to TikTok - 357 upvotes, $0
  4. Reflected XSS in TikTok endpoints to TikTok - 350 upvotes, $0
  5. RCE on TikTok Ads Portal to TikTok - 307 upvotes, $0
  6. Stored-XSS-ads.tiktok.com to TikTok - 301 upvotes, $0
  7. Incorrect authorization to the intelbot service leading to ticket information to TikTok - 209 upvotes, $15000
  8. IDOR delete any Tickets on ads.tiktok.com to TikTok - 206 upvotes, $0
  9. Blocked user can see live video to TikTok - 196 upvotes, $418
  10. Stored XSS on TikTok Ads to TikTok - 195 upvotes, $2500
  11. TikTok 2FA Bypass to TikTok - 186 upvotes, $0
  12. Reflected XSS on Pangle Endpoint to TikTok - 170 upvotes, $5000
  13. External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing to TikTok - 148 upvotes, $2727
  14. HTML Injection on TikTok Ads to TikTok - 145 upvotes, $250
  15. Unauthorized Access to TikTok Account [Private Videos] via API Endpoint to TikTok - 145 upvotes, $0
  16. Account Takeover via Authentication Bypass in TikTok Account Recovery to TikTok - 138 upvotes, $12000
  17. DOM XSS in tiktok.com/login via the redirect_url parameter to TikTok - 127 upvotes, $0
  18. Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ to TikTok - 119 upvotes, $0
  19. Reflected xss on ads.tiktok.com using from parameter. to TikTok - 110 upvotes, $0
  20. IDOR for changing privacy settings on any memories to TikTok - 109 upvotes, $0
  21. Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload to TikTok - 107 upvotes, $0
  22. Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products to TikTok - 104 upvotes, $1000
  23. Lack of rate limitation on careers site allows the attacker to brute force the verification code to TikTok - 103 upvotes, $0
  24. DOM XSS on ads.tiktok.com to TikTok - 102 upvotes, $2500
  25. IDOR on TikTok Ads Endpoint to TikTok - 102 upvotes, $2500
  26. Lynxview JS interfaces Takeover via deeplink traversal to TikTok - 101 upvotes, $0
  27. Multiple IDORs in family pairing api to TikTok - 98 upvotes, $0
  28. HTML Injection on tiktoktutorials via firstName parameter to TikTok - 94 upvotes, $0
  29. CRLF to XSS & Open Redirection to TikTok - 94 upvotes, $0
  30. CRLF injection leads to internal XSS on PangleGlobal to TikTok - 94 upvotes, $0
  31. Stored XSS on TikTok Live Form to TikTok - 93 upvotes, $1500
  32. IDOR on ads.tiktok.com Allows Unauthorized Product Addition to TikTok - 88 upvotes, $500
  33. Reflected XSS on TikTok Website to TikTok - 87 upvotes, $3000
  34. CSRF Account Takeover to TikTok - 87 upvotes, $0
  35. Multiple vulnerability leading to account takeover in TikTok SMB subdomain. to TikTok - 83 upvotes, $0
  36. Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known to TikTok - 83 upvotes, $0
  37. XSS Payload on TikTok Seller Center endpoint to TikTok - 77 upvotes, $1000
  38. Cross-Tenant IDOR ( graphql AddRulesToPixelEvents query ) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 77 upvotes, $0
  39. TikTok's pixel/sdk.js leaks current URL from websites using postMessage to TikTok - 77 upvotes, $0
  40. Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification to TikTok - 77 upvotes, $0
  41. Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field to TikTok - 74 upvotes, $0
  42. Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd] to TikTok - 74 upvotes, $0
  43. 1 Click to 'Close Account and Refund' via POSTMESSAGE to TikTok - 73 upvotes, $4500
  44. CSRF protection bypass on TikTok Webcast Endpoints to TikTok - 73 upvotes, $2500
  45. XSS on tiktok.com to TikTok - 72 upvotes, $0
  46. IDOR the ability to view support tickets of any user on seller platform to TikTok - 70 upvotes, $2500
  47. BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS to TikTok - 67 upvotes, $500
  48. CORS misconfiguration in TikTok ads portal to TikTok - 67 upvotes, $0
  49. CSRF in ticket function to TikTok - 66 upvotes, $0
  50. Cross Site Scripting using Email parameter in Ads endpoint 1 to TikTok - 65 upvotes, $0
  51. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 63 upvotes, $500
  52. Bypass SMS verification to delete TikTok account to TikTok - 63 upvotes, $0
  53. Blocked user can send notification by liking the message due to Logical Bug to TikTok - 59 upvotes, $0
  54. One Click Account Hijacking via Unvalidated Deeplink to TikTok - 59 upvotes, $0
  55. IDOR on Tagged People to TikTok - 59 upvotes, $0
  56. XSS at TikTok Ads Endpoint to TikTok - 59 upvotes, $0
  57. RXSS on TikTok endpoints to TikTok - 58 upvotes, $0
  58. Privilege Escalation on TikTok for Business to TikTok - 57 upvotes, $0
  59. Broken Link on TikTokUS.Info to TikTok - 55 upvotes, $0
  60. HTML Injection via Email Share to TikTok - 52 upvotes, $0
  61. Multiple Open Redirect on TikTok domains to TikTok - 52 upvotes, $0
  62. Business Suite "Get Leads" Resulting in Revealing User Email & Phone to TikTok - 47 upvotes, $0
  63. bypass two-factor authentication in Android apps and web to TikTok - 47 upvotes, $0
  64. Stored XSS in the ticketing system to TikTok - 46 upvotes, $1000
  65. Ability to change permissions across seller platform to TikTok - 45 upvotes, $0
  66. RXSS via region parameter to TikTok - 44 upvotes, $0
  67. Stored XSS Payload when sending videos to TikTok - 43 upvotes, $500
  68. Bypass "Industry Documents" Validation to TikTok - 43 upvotes, $50
  69. XSS and iframe injection on tiktok ads portal using redirect params to TikTok - 43 upvotes, $0
  70. View thumbnail of any private video (friends or followers only) of Private/Public account to TikTok - 40 upvotes, $0
  71. CSRF To Add New App In Developer Account And Bypassing Json Format to TikTok - 37 upvotes, $200
  72. HTML Injection on Company Name on Email to TikTok - 37 upvotes, $79
  73. Lack of session expiration after password reset on TikTok Careers Portal to TikTok - 37 upvotes, $50
  74. Open Redirect Vulnerability on TikTok Ads Portal to TikTok - 37 upvotes, $0
  75. HTML Injection through Account Name field on TikTok ads portal being rendered on emails to TikTok - 36 upvotes, $0
  76. IDOR in family pairing API to TikTok - 36 upvotes, $0
  77. CSRF in seller-us.tiktok.com/profile/account-setting/delegation-login to TikTok - 34 upvotes, $0
  78. CSRF in Changing User Verification Email to TikTok - 33 upvotes, $500
  79. Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com to TikTok - 33 upvotes, $250
  80. Add products to any livestream. to TikTok - 32 upvotes, $0
  81. Open Redirect TO Stealing aadvid to TikTok - 31 upvotes, $0
  82. Bypassing authorization of linked Instagram account to TikTok - 30 upvotes, $170
  83. IDOR on TikTok Seller to TikTok - 29 upvotes, $500
  84. TikTok Account Creation Date Information Disclosure to TikTok - 28 upvotes, $100
  85. HTML Injection via TikTok Ads Email Share to TikTok - 28 upvotes, $0
  86. Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly) to TikTok - 27 upvotes, $200
  87. TikTok Session Donation CSRF via QR code login to TikTok - 27 upvotes, $0
  88. Internal Employee informations Disclosure via TikTok Athena api to TikTok - 26 upvotes, $1000
  89. Clickjacking Vulnerability Can Leads To Delete Developer APP to TikTok - 25 upvotes, $500
  90. Cross Site Scripting using Email parameter in Ads endpoint 2 to TikTok - 25 upvotes, $0
  91. Any user can vote on Friend Only video pull to TikTok - 25 upvotes, $0
  92. Remotely Accessible Container Advisor exposed performance metrics and resource usage to TikTok - 24 upvotes, $100
  93. Rate limiting on report video to TikTok - 22 upvotes, $0
  94. CSRF on TikTok Ads Portal to TikTok - 21 upvotes, $1000
  95. User In The Same Center Can Create CSRF To Change The Information About Business to TikTok - 21 upvotes, $147
  96. Blind SSRF in ads.tiktok.com to TikTok - 21 upvotes, $0
  97. IDOR in report download functionality on ads.tiktok.com to TikTok - 20 upvotes, $500
  98. CORS bypass on TikTok Ads Endpoint to TikTok - 18 upvotes, $257
  99. Information Disclosure of Advertiser Account on TikTok Ads Portal to TikTok - 18 upvotes, $0
  100. reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $0
  101. Create product discounts of any shop to TikTok - 18 upvotes, $0
  102. User Able to Reopen a Ticket by Modify the Request to TikTok - 16 upvotes, $169
  103. Multiple Cross-Site Scripting vulnerability via the language parameter to TikTok - 16 upvotes, $0
  104. URL Scheme misconfiguration on TikTok for iOS to TikTok - 15 upvotes, $500
  105. disclosure the live_analytics information of any livestream. to TikTok - 15 upvotes, $0
  106. Improper user validation on mentions and hashtags to TikTok - 14 upvotes, $150
  107. CSRF for deleting videos to TikTok - 14 upvotes, $0
  108. Information Leakage via TikTok Ads Web Cache Deception to TikTok - 13 upvotes, $0
  109. Email address disclosure via invite token validation to TikTok - 11 upvotes, $250
  110. Information Disclosure on TikTok Unplugged Site to TikTok - 11 upvotes, $0
  111. Impersonation of tiktok account via Broken Link in TikTok Newsroom to TikTok - 10 upvotes, $0
  112. Clickjacking Vulnerability In Whole Page Ads Tiktok to TikTok - 7 upvotes, $500
  113. Instance Page DOS within Organization on TikTok Ads to TikTok - 3 upvotes, $0