TOPTIKTOK.md
Top reports from the TikTok program at HackerOne:

  1. Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 449 upvotes, $3860
  2. Multiple bugs leads to RCE on TikTok for Android to TikTok - 361 upvotes, $11214
  3. [CSRF] TikTok Careers Portal Account Takeover to TikTok - 346 upvotes, $2373
  4. Reflected XSS in TikTok endpoints to TikTok - 344 upvotes, $4500
  5. RCE on TikTok Ads Portal to TikTok - 302 upvotes, $12582
  6. Incorrect authorization to the intelbot service leading to ticket information to TikTok - 201 upvotes, $15000
  7. Blocked user can see live video to TikTok - 195 upvotes, $418
  8. IDOR delete any Tickets on ads.tiktok.com to TikTok - 193 upvotes, $5000
  9. Stored XSS on TikTok Ads to TikTok - 188 upvotes, $2500
  10. TikTok 2FA Bypass to TikTok - 172 upvotes, $1564
  11. External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing to TikTok - 138 upvotes, $2727
  12. Reflected xss on ads.tiktok.com using from parameter. to TikTok - 108 upvotes, $6000
  13. Lack of rate limitation on careers site allows the attacker to brute force the verification code to TikTok - 99 upvotes, $3860
  14. DOM XSS on ads.tiktok.com to TikTok - 98 upvotes, $2500
  15. Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ to TikTok - 96 upvotes, $0
  16. Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload to TikTok - 94 upvotes, $2500
  17. Stored XSS on TikTok Live Form to TikTok - 92 upvotes, $1500
  18. HTML Injection on tiktoktutorials via firstName parameter to TikTok - 92 upvotes, $0
  19. IDOR for changing privacy settings on any memories to TikTok - 90 upvotes, $5500
  20. Multiple IDORs in family pairing api to TikTok - 87 upvotes, $7500
  21. IDOR on TikTok Ads Endpoint to TikTok - 87 upvotes, $2500
  22. Reflected XSS on TikTok Website to TikTok - 85 upvotes, $3000
  23. CSRF Account Takeover to TikTok - 81 upvotes, $2373
  24. Multiple vulnerability leading to account takeover in TikTok SMB subdomain. to TikTok - 76 upvotes, $999
  25. XSS Payload on TikTok Seller Center endpoint to TikTok - 75 upvotes, $1000
  26. TikTok's pixel/sdk.js leaks current URL from websites using postMessage to TikTok - 73 upvotes, $1500
  27. Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field to TikTok - 73 upvotes, $999
  28. XSS on tiktok.com to TikTok - 71 upvotes, $2000
  29. Cross-Tenant IDOR ( graphql AddRulesToPixelEvents query ) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 69 upvotes, $2373
  30. CORS misconfiguration in TikTok ads portal to TikTok - 66 upvotes, $169
  31. BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS to TikTok - 65 upvotes, $500
  32. Cross Site Scripting using Email parameter in Ads endpoint 1 to TikTok - 64 upvotes, $896
  33. Bypass SMS verification to delete TikTok account to TikTok - 61 upvotes, $200
  34. IDOR the ability to view support tickets of any user on seller platform to TikTok - 60 upvotes, $2500
  35. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 59 upvotes, $500
  36. Blocked user can send notification by liking the message due to Logical Bug to TikTok - 58 upvotes, $0
  37. XSS at TikTok Ads Endpoint to TikTok - 53 upvotes, $5000
  38. Broken Link on TikTokUS.Info to TikTok - 53 upvotes, $0
  39. IDOR on Tagged People to TikTok - 52 upvotes, $3000
  40. One Click Account Hijacking via Unvalidated Deeplink to TikTok - 50 upvotes, $10000
  41. HTML Injection via Email Share to TikTok - 50 upvotes, $500
  42. Privilege Escalation on TikTok for Business to TikTok - 48 upvotes, $2500
  43. Business Suite "Get Leads" Resulting in Revealing User Email & Phone to TikTok - 42 upvotes, $5500
  44. Stored XSS in the ticketing system to TikTok - 42 upvotes, $1000
  45. Bypass "Industry Documents" Validation to TikTok - 42 upvotes, $50
  46. Ability to change permissions across seller platform to TikTok - 40 upvotes, $5000
  47. XSS and iframe injection on tiktok ads portal using redirect params to TikTok - 40 upvotes, $1000
  48. Stored XSS Payload when sending videos to TikTok - 40 upvotes, $500
  49. bypass two-factor authentication in Android apps and web to TikTok - 38 upvotes, $1000
  50. View thumbnail of any private video (friends or followers only) of Private/Public account to TikTok - 38 upvotes, $500
  51. HTML Injection on Company Name on Email to TikTok - 37 upvotes, $79
  52. Open Redirect Vulnerability on TikTok Ads Portal to TikTok - 36 upvotes, $0
  53. CSRF To Add New App In Developer Account And Bypassing Json Format to TikTok - 35 upvotes, $200
  54. HTML Injection through Account Name field on TikTok ads portal being rendered on emails to TikTok - 35 upvotes, $111
  55. Lack of session expiration after password reset on TikTok Careers Portal to TikTok - 34 upvotes, $50
  56. Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com to TikTok - 30 upvotes, $250
  57. Add products to any livestream. to TikTok - 28 upvotes, $3000
  58. Open Redirect TO Stealing aadvid to TikTok - 28 upvotes, $500
  59. CSRF in Changing User Verification Email to TikTok - 27 upvotes, $500
  60. IDOR in family pairing API to TikTok - 27 upvotes, $0
  61. HTML Injection via TikTok Ads Email Share to TikTok - 25 upvotes, $1000
  62. Cross Site Scripting using Email parameter in Ads endpoint 2 to TikTok - 25 upvotes, $897
  63. IDOR on TikTok Seller to TikTok - 25 upvotes, $500
  64. Bypassing authorization of linked Instagram account to TikTok - 25 upvotes, $170
  65. TikTok Session Donation CSRF via QR code login to TikTok - 25 upvotes, $111
  66. Any user can vote on Friend Only video pull to TikTok - 23 upvotes, $500
  67. Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly) to TikTok - 23 upvotes, $200
  68. TikTok Account Creation Date Information Disclosure to TikTok - 23 upvotes, $100
  69. Internal Employee Information Disclosure via TikTok Athena api to TikTok - 22 upvotes, $1000
  70. CSRF on TikTok Ads Portal to TikTok - 21 upvotes, $1000
  71. Rate limiting on report video to TikTok - 21 upvotes, $111
  72. User In The Same Center Can Create CSRF To Change The Information About Business to TikTok - 20 upvotes, $147
  73. Remotely Accessible Container Advisor exposed performance metrics and resource usage to TikTok - 20 upvotes, $100
  74. Clickjacking Vulnerability Can Lead To Delete Developer APP to TikTok - 19 upvotes, $500
  75. Blind SSRF in ads.tiktok.com to TikTok - 19 upvotes, $150
  76. reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $1000
  77. CORS bypass on TikTok Ads Endpoint to TikTok - 17 upvotes, $257
  78. Multiple Cross-Site Scripting vulnerability via the language parameter to TikTok - 16 upvotes, $897
  79. IDOR in report download functionality on ads.tiktok.com to TikTok - 16 upvotes, $500
  80. Information Disclosure of Advertiser Account on TikTok Ads Portal to TikTok - 16 upvotes, $257
  81. Create product discounts of any shop to TikTok - 15 upvotes, $4500
  82. disclosure the live_analytics information of any livestream. to TikTok - 14 upvotes, $1000
  83. CSRF for deleting videos to TikTok - 14 upvotes, $551
  84. User Able to Reopen a Ticket by Modify the Request to TikTok - 14 upvotes, $169
  85. URL Scheme misconfiguration on TikTok for iOS to TikTok - 12 upvotes, $500
  86. Email address disclosure via invite token validation to TikTok - 10 upvotes, $250
  87. Information Leakage via TikTok Ads Web Cache Deception to TikTok - 10 upvotes, $200
  88. Information Disclosure on TikTok Unplugged Site to TikTok - 10 upvotes, $0
  89. Impersonation of tiktok account via Broken Link in TikTok Newsroom to TikTok - 8 upvotes, $0
  90. Improper user validation on mentions and hashtags to TikTok - 7 upvotes, $150
  91. Clickjacking Vulnerability In Whole Page Ads Tiktok to TikTok - 5 upvotes, $500
  92. Instance Page DOS within Organization on TikTok Ads to TikTok - 3 upvotes, $200