Skip to content

Latest commit

 

History

History
114 lines (113 loc) · 13.8 KB

TOPTIKTOK.md

File metadata and controls

114 lines (113 loc) · 13.8 KB

Top reports from TikTok program at HackerOne:

  1. Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 457 upvotes, $0
  2. Multiple bugs leads to RCE on TikTok for Android to TikTok - 364 upvotes, $0
  3. [CSRF] TikTok Careers Portal Account Takeover to TikTok - 356 upvotes, $0
  4. Reflected XSS in TikTok endpoints to TikTok - 350 upvotes, $0
  5. RCE on TikTok Ads Portal to TikTok - 307 upvotes, $0
  6. Stored-XSS-ads.tiktok.com to TikTok - 300 upvotes, $0
  7. Incorrect authorization to the intelbot service leading to ticket information to TikTok - 209 upvotes, $15000
  8. IDOR delete any Tickets on ads.tiktok.com to TikTok - 203 upvotes, $0
  9. Blocked user can see live video to TikTok - 196 upvotes, $418
  10. Stored XSS on TikTok Ads to TikTok - 194 upvotes, $2500
  11. TikTok 2FA Bypass to TikTok - 186 upvotes, $0
  12. Reflected XSS on Pangle Endpoint to TikTok - 168 upvotes, $5000
  13. External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing to TikTok - 148 upvotes, $2727
  14. HTML Injection on TikTok Ads to TikTok - 144 upvotes, $250
  15. Account Takeover via Authentication Bypass in TikTok Account Recovery to TikTok - 132 upvotes, $12000
  16. Unauthorized Access to TikTok Account [Private Videos] via API Endpoint to TikTok - 127 upvotes, $0
  17. DOM XSS in tiktok.com/login via the redirect_url parameter to TikTok - 122 upvotes, $0
  18. Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ to TikTok - 119 upvotes, $0
  19. Reflected xss on ads.tiktok.com using from parameter. to TikTok - 110 upvotes, $0
  20. Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload to TikTok - 107 upvotes, $0
  21. IDOR for changing privacy settings on any memories to TikTok - 106 upvotes, $0
  22. Lack of rate limitation on careers site allows the attacker to brute force the verification code to TikTok - 103 upvotes, $0
  23. DOM XSS on ads.tiktok.com to TikTok - 101 upvotes, $2500
  24. Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products to TikTok - 101 upvotes, $1000
  25. Lynxview JS interfaces Takeover via deeplink traversal to TikTok - 101 upvotes, $0
  26. IDOR on TikTok Ads Endpoint to TikTok - 99 upvotes, $2500
  27. Multiple IDORs in family pairing api to TikTok - 97 upvotes, $0
  28. CRLF to XSS & Open Redirection to TikTok - 94 upvotes, $0
  29. CRLF injection leads to internal XSS on PangleGlobal to TikTok - 94 upvotes, $0
  30. Stored XSS on TikTok Live Form to TikTok - 93 upvotes, $1500
  31. HTML Injection on tiktoktutorials via firstName parameter to TikTok - 93 upvotes, $0
  32. CSRF Account Takeover to TikTok - 87 upvotes, $0
  33. Reflected XSS on TikTok Website to TikTok - 86 upvotes, $3000
  34. Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known to TikTok - 83 upvotes, $0
  35. Multiple vulnerability leading to account takeover in TikTok SMB subdomain. to TikTok - 82 upvotes, $0
  36. XSS Payload on TikTok Seller Center endpoint to TikTok - 77 upvotes, $1000
  37. TikTok's pixel/sdk.js leaks current URL from websites using postMessage to TikTok - 77 upvotes, $0
  38. Cross-Tenant IDOR ( graphql AddRulesToPixelEvents query ) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 75 upvotes, $0
  39. Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification to TikTok - 75 upvotes, $0
  40. Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field to TikTok - 74 upvotes, $0
  41. Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd] to TikTok - 74 upvotes, $0
  42. CSRF protection bypass on TikTok Webcast Endpoints to TikTok - 73 upvotes, $2500
  43. XSS on tiktok.com to TikTok - 72 upvotes, $0
  44. 1 Click to 'Close Account and Refund' via POSTMESSAGE to TikTok - 71 upvotes, $4500
  45. IDOR the ability to view support tickets of any user on seller platform to TikTok - 67 upvotes, $2500
  46. BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS to TikTok - 67 upvotes, $500
  47. CORS misconfiguration in TikTok ads portal to TikTok - 67 upvotes, $0
  48. Cross Site Scripting using Email parameter in Ads endpoint 1 to TikTok - 65 upvotes, $0
  49. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 63 upvotes, $500
  50. Bypass SMS verification to delete TikTok account to TikTok - 63 upvotes, $0
  51. CSRF in ticket function to TikTok - 62 upvotes, $0
  52. Blocked user can send notification by liking the message due to Logical Bug to TikTok - 59 upvotes, $0
  53. One Click Account Hijacking via Unvalidated Deeplink to TikTok - 58 upvotes, $0
  54. IDOR on Tagged People to TikTok - 58 upvotes, $0
  55. XSS at TikTok Ads Endpoint to TikTok - 58 upvotes, $0
  56. RXSS on TikTok endpoints to TikTok - 58 upvotes, $0
  57. Broken Link on TikTokUS.Info to TikTok - 55 upvotes, $0
  58. Privilege Escalation on TikTok for Business to TikTok - 55 upvotes, $0
  59. HTML Injection via Email Share to TikTok - 52 upvotes, $0
  60. Multiple Open Redirect on TikTok domains to TikTok - 51 upvotes, $0
  61. Stored XSS in the ticketing system to TikTok - 46 upvotes, $1000
  62. Business Suite "Get Leads" Resulting in Revealing User Email & Phone to TikTok - 46 upvotes, $0
  63. bypass two-factor authentication in Android apps and web to TikTok - 46 upvotes, $0
  64. Bypass "Industry Documents" Validation to TikTok - 43 upvotes, $50
  65. Ability to change permissions across seller platform to TikTok - 43 upvotes, $0
  66. RXSS via region parameter to TikTok - 43 upvotes, $0
  67. Stored XSS Payload when sending videos to TikTok - 42 upvotes, $500
  68. XSS and iframe injection on tiktok ads portal using redirect params to TikTok - 41 upvotes, $0
  69. View thumbnail of any private video (friends or followers only) of Private/Public account to TikTok - 40 upvotes, $0
  70. CSRF To Add New App In Developer Account And Bypassing Json Format to TikTok - 37 upvotes, $200
  71. HTML Injection on Company Name on Email to TikTok - 37 upvotes, $79
  72. Lack of session expiration after password reset on TikTok Careers Portal to TikTok - 37 upvotes, $50
  73. Open Redirect Vulnerability on TikTok Ads Portal to TikTok - 37 upvotes, $0
  74. HTML Injection through Account Name field on TikTok ads portal being rendered on emails to TikTok - 36 upvotes, $0
  75. IDOR in family pairing API to TikTok - 36 upvotes, $0
  76. CSRF in Changing User Verification Email to TikTok - 33 upvotes, $500
  77. Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com to TikTok - 33 upvotes, $250
  78. CSRF in seller-us.tiktok.com/profile/account-setting/delegation-login to TikTok - 33 upvotes, $0
  79. Add products to any livestream. to TikTok - 32 upvotes, $0
  80. Open Redirect TO Stealing aadvid to TikTok - 31 upvotes, $0
  81. Bypassing authorization of linked Instagram account to TikTok - 30 upvotes, $170
  82. IDOR on TikTok Seller to TikTok - 29 upvotes, $500
  83. TikTok Account Creation Date Information Disclosure to TikTok - 27 upvotes, $100
  84. TikTok Session Donation CSRF via QR code login to TikTok - 27 upvotes, $0
  85. HTML Injection via TikTok Ads Email Share to TikTok - 27 upvotes, $0
  86. Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly) to TikTok - 26 upvotes, $200
  87. Internal Employee informations Disclosure via TikTok Athena api to TikTok - 25 upvotes, $1000
  88. Cross Site Scripting using Email parameter in Ads endpoint 2 to TikTok - 25 upvotes, $0
  89. Any user can vote on Friend Only video pull to TikTok - 25 upvotes, $0
  90. Clickjacking Vulnerability Can Leads To Delete Developer APP to TikTok - 24 upvotes, $500
  91. Remotely Accessible Container Advisor exposed performance metrics and resource usage to TikTok - 23 upvotes, $100
  92. Rate limiting on report video to TikTok - 22 upvotes, $0
  93. CSRF on TikTok Ads Portal to TikTok - 21 upvotes, $1000
  94. User In The Same Center Can Create CSRF To Change The Information About Business to TikTok - 21 upvotes, $147
  95. Blind SSRF in ads.tiktok.com to TikTok - 21 upvotes, $0
  96. IDOR in report download functionality on ads.tiktok.com to TikTok - 20 upvotes, $500
  97. CORS bypass on TikTok Ads Endpoint to TikTok - 18 upvotes, $257
  98. Information Disclosure of Advertiser Account on TikTok Ads Portal to TikTok - 18 upvotes, $0
  99. reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $0
  100. Create product discounts of any shop to TikTok - 18 upvotes, $0
  101. User Able to Reopen a Ticket by Modify the Request to TikTok - 16 upvotes, $169
  102. Multiple Cross-Site Scripting vulnerability via the language parameter to TikTok - 16 upvotes, $0
  103. disclosure the live_analytics information of any livestream. to TikTok - 15 upvotes, $0
  104. URL Scheme misconfiguration on TikTok for IOS to TikTok - 14 upvotes, $500
  105. Improper user validation on mentions and hashtags to TikTok - 14 upvotes, $150
  106. CSRF for deleting videos to TikTok - 14 upvotes, $0
  107. Information Leakage via TikTok Ads Web Cache Deception to TikTok - 12 upvotes, $0
  108. Email address disclosure via invite token validatiion to TikTok - 11 upvotes, $250
  109. Information Disclosure on TikTok Unplugged Site to TikTok - 11 upvotes, $0
  110. Impersonation of tiktok account via Broken Link in TikTok Newsroom to TikTok - 10 upvotes, $0
  111. Clickjacking Vulnerability In Whole Page Ads Tiktok to TikTok - 7 upvotes, $500
  112. Instance Page DOS within Organization on TikTok Ads to TikTok - 3 upvotes, $0