Reports in TikTok program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | Incorrect authorization to the intelbot service leading to ticket information | $15000.0 |
| 2 | Account Takeover via Authentication Bypass in TikTok Account Recovery | $12000.0 |
| 3 | Reflected XSS on Pangle Endpoint | $5000.0 |
| 4 | 1 Click to 'Close Account and Refund' via POSTMESSAGE | $4500.0 |
| 5 | Reflected XSS on TikTok Website | $3000.0 |
| 6 | External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing | $2727.0 |
| 7 | IDOR the ability to view support tickets of any user on seller platform | $2500.0 |
| 8 | DOM XSS on ads.tiktok.com | $2500.0 |
| 9 | Stored XSS on TikTok Ads | $2500.0 |
| 10 | IDOR on TikTok Ads Endpoint | $2500.0 |
| 11 | CSRF protection bypass on TikTok Webcast Endpoints | $2500.0 |
| 12 | Stored XSS on TikTok Live Form | $1500.0 |
| 13 | CSRF on TikTok Ads Portal | $1000.0 |
| 14 | XSS Payload on TikTok Seller Center endpoint | $1000.0 |
| 15 | Internal Employee informations Disclosure via TikTok Athena api | $1000.0 |
| 16 | Stored XSS in the ticketing system | $1000.0 |
| 17 | Dom XSS and open redirect in TikTok seller endpoint | $1000.0 |
| 18 | Stored XSS Via Ads Account Name | $1000.0 |
| 19 | Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products | $1000.0 |
| 20 | BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS | $500.0 |
| 21 | Cross site scripting via file upload in subdomain ads.tiktok.com | $500.0 |
| 22 | URL Scheme misconfiguration on TikTok for IOS | $500.0 |
| 23 | Clickjacking Vulnerability Can Leads To Delete Developer APP | $500.0 |
| 24 | Clickjacking Vulnerability In Whole Page Ads Tiktok | $500.0 |
| 25 | IDOR in report download functionality on ads.tiktok.com | $500.0 |
| 26 | IDOR on TikTok Seller | $500.0 |
| 27 | CSRF in Changing User Verification Email | $500.0 |
| 28 | Stored XSS Payload when sending videos | $500.0 |
| 29 | Blocked user can see live video | $418.0 |
| 30 | CORS bypass on TikTok Ads Endpoint | $257.0 |
| 31 | Email address disclosure via invite token validation | $250.0 |
| 32 | Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com | $250.0 |
| 33 | HTML Injection on TikTok Ads | $250.0 |
| 34 | CSRF To Add New App In Developer Account And Bypassing Json Format | $200.0 |
| 35 | Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly) | $200.0 |
| 36 | Bypassing authorization of linked Instagram account | $170.0 |
| 37 | User Able to Reopen a Ticket by Modify the Request | $169.0 |
| 38 | Improper user validation on mentions and hashtags | $150.0 |
| 39 | User In The Same Center Can Create CSRF To Change The Information About Business | $147.0 |
| 40 | TikTok Account Creation Date Information Disclosure | $100.0 |
| 41 | Remotely Accessible Container Advisor exposed performance metrics and resource usage | $100.0 |
| 42 | HTML Injection on Company Name on Email | $79.0 |
| 43 | Bypass "Industry Documents" Validation | $50.0 |
| 44 | Lack of session expiration after password reset on TikTok Careers Portal | $50.0 |
| 45 | Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration | $0.0 |
| 46 | [CSRF] TikTok Careers Portal Account Takeover | $0.0 |
| 47 | Blind SSRF in ads.tiktok.com | $0.0 |
| 48 | Multiple Cross-Site Scripting vulnerability via the language parameter | $0.0 |
| 49 | Bypass SMS verification to delete TikTok account | $0.0 |
| 50 | CSRF for deleting videos | $0.0 |
| 51 | Cross Site Scripting using Email parameter in Ads endpoint 1 | $0.0 |
| 52 | CORS misconfiguration in TikTok ads portal | $0.0 |
| 53 | Cross Site Scripting using Email parameter in Ads endpoint 2 | $0.0 |
| 54 | Open Redirect Vulnerability on TikTok Ads Portal | $0.0 |
| 55 | Information Disclosure of Advertiser Account on TikTok Ads Portal | $0.0 |
| 56 | Rate limiting on report video | $0.0 |
| 57 | Lack of rate limitation on careers site allows the attacker to brute force the verification code | $0.0 |
| 58 | Multiple bugs leads to RCE on TikTok for Android | $0.0 |
| 59 | HTML Injection through Account Name field on TikTok ads portal being rendered on emails | $0.0 |
| 60 | Cross-Tenant IDOR ( graphql AddRulesToPixelEvents query ) allowing to add, update, and delete rules of any Pixel events on the platform | $0.0 |
| 61 | RCE on TikTok Ads Portal | $0.0 |
| 62 | TikTok Session Donation CSRF via QR code login | $0.0 |
| 63 | Blocked user can send notification by liking the message due to Logical Bug | $0.0 |
| 64 | Information Disclosure on TikTok Unplugged Site | $0.0 |
| 65 | Broken Link on TikTokUS.Info | $0.0 |
| 66 | Reflected XSS in TikTok endpoints | $0.0 |
| 67 | XSS on tiktok.com | $0.0 |
| 68 | HTML Injection on tiktoktutorials via firstName parameter | $0.0 |
| 69 | reflected xss on the path m.tiktok.com | $0.0 |
| 70 | Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field | $0.0 |
| 71 | Multiple vulnerability leading to account takeover in TikTok SMB subdomain. | $0.0 |
| 72 | Reflected xss on ads.tiktok.com using from parameter. | $0.0 |
| 73 | Open Redirect TO Stealing aadvid | $0.0 |
| 74 | IDOR delete any Tickets on ads.tiktok.com | $0.0 |
| 75 | Instance Page DOS within Organization on TikTok Ads | $0.0 |
| 76 | Impersonation of tiktok account via Broken Link in TikTok Newsroom | $0.0 |
| 77 | Information Leakage via TikTok Ads Web Cache Deception | $0.0 |
| 78 | One Click Account Hijacking via Unvalidated Deeplink | $0.0 |
| 79 | Multiple IDORs in family pairing api | $0.0 |
| 80 | Privilege Escalation on TikTok for Business | $0.0 |
| 81 | XSS and iframe injection on tiktok ads portal using redirect params | $0.0 |
| 82 | disclosure the live_analytics information of any livestream. | $0.0 |
| 83 | HTML Injection via Email Share | $0.0 |
| 84 | HTML Injection via TikTok Ads Email Share | $0.0 |
| 85 | CSRF Account Takeover | $0.0 |
| 86 | TikTok's pixel/sdk.js leaks current URL from websites using postMessage | $0.0 |
| 87 | IDOR on Tagged People | $0.0 |
| 88 | Create product discounts of any shop | $0.0 |
| 89 | Add products to any livestream. | $0.0 |
| 90 | Business Suite "Get Leads" Resulting in Revealing User Email & Phone | $0.0 |
| 91 | Ability to change permissions across seller platform | $0.0 |
| 92 | bypass two-factor authentication in Android apps and web | $0.0 |
| 93 | Any user can vote on Friend Only video pull | $0.0 |
| 94 | XSS at TikTok Ads Endpoint | $0.0 |
| 95 | IDOR for changing privacy settings on any memories | $0.0 |
| 96 | TikTok 2FA Bypass | $0.0 |
| 97 | View thumbnail of any private video (friends or followers only) of Private/Public account | $0.0 |
| 98 | Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload | $0.0 |
| 99 | Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ | $0.0 |
| 100 | IDOR in family pairing API | $0.0 |
| 101 | CSRF in seller-us.tiktok.com/profile/account-setting/delegation-login | $0.0 |
| 102 | CRLF to XSS & Open Redirection | $0.0 |
| 103 | CRLF injection leads to internal XSS on PangleGlobal | $0.0 |
| 104 | RXSS via region parameter | $0.0 |
| 105 | RXSS on TikTok endpoints | $0.0 |
| 106 | Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd] | $0.0 |
| 107 | Multiple Open Redirect on TikTok domains | $0.0 |
| 108 | Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known | $0.0 |
| 109 | Lynxview JS interfaces Takeover via deeplink traversal | $0.0 |
| 110 | Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification | $0.0 |
| 111 | DOM XSS in tiktok.com/login via the redirect_url parameter | $0.0 |
| 112 | Stored-XSS-ads.tiktok.com | $0.0 |