Skip to content

Latest commit

 

History

History
113 lines (112 loc) · 13.6 KB

TOPTIKTOK.md

File metadata and controls

113 lines (112 loc) · 13.6 KB
Raw

Top reports from TikTok program at HackerOne:

  1. Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration to TikTok - 455 upvotes, $0
  2. Multiple bugs leads to RCE on TikTok for Android to TikTok - 363 upvotes, $0
  3. [CSRF] TikTok Careers Portal Account Takeover to TikTok - 353 upvotes, $0
  4. Reflected XSS in TikTok endpoints to TikTok - 349 upvotes, $0
  5. RCE on TikTok Ads Portal to TikTok - 306 upvotes, $0
  6. Stored-XSS-ads.tiktok.com to TikTok - 291 upvotes, $0
  7. Incorrect authorization to the intelbot service leading to ticket information to TikTok - 204 upvotes, $15000
  8. IDOR delete any Tickets on ads.tiktok.com to TikTok - 201 upvotes, $0
  9. Blocked user can see live video to TikTok - 195 upvotes, $418
  10. Stored XSS on TikTok Ads to TikTok - 193 upvotes, $2500
  11. TikTok 2FA Bypass to TikTok - 183 upvotes, $0
  12. Reflected XSS on Pangle Endpoint to TikTok - 162 upvotes, $5000
  13. External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing to TikTok - 148 upvotes, $2727
  14. HTML Injection on TikTok Ads to TikTok - 139 upvotes, $250
  15. Reflected Cross-site Scripting (XSS) at https://www.tiktok.com/ to TikTok - 119 upvotes, $0
  16. DOM XSS in tiktok.com/login via the redirect_url parameter to TikTok - 117 upvotes, $0
  17. Account Takeover via Authentication Bypass in TikTok Account Recovery to TikTok - 112 upvotes, $12000
  18. Reflected xss on ads.tiktok.com using from parameter. to TikTok - 110 upvotes, $0
  19. Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload to TikTok - 106 upvotes, $0
  20. Lack of rate limitation on careers site allows the attacker to brute force the verification code to TikTok - 101 upvotes, $0
  21. IDOR for changing privacy settings on any memories to TikTok - 101 upvotes, $0
  22. Lynxview JS interfaces Takeover via deeplink traversal to TikTok - 100 upvotes, $0
  23. DOM XSS on ads.tiktok.com to TikTok - 99 upvotes, $2500
  24. IDOR on TikTok Ads Endpoint to TikTok - 96 upvotes, $2500
  25. Multiple IDORs in family pairing api to TikTok - 95 upvotes, $0
  26. Stored XSS on TikTok Live Form to TikTok - 93 upvotes, $1500
  27. HTML Injection on tiktoktutorials via firstName parameter to TikTok - 93 upvotes, $0
  28. Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products to TikTok - 93 upvotes, $0
  29. CRLF injection leads to internal XSS on PangleGlobal to TikTok - 92 upvotes, $0
  30. CRLF to XSS & Open Redirection to TikTok - 91 upvotes, $0
  31. Reflected XSS on TikTok Website to TikTok - 86 upvotes, $3000
  32. CSRF Account Takeover to TikTok - 85 upvotes, $0
  33. Multiple vulnerability leading to account takeover in TikTok SMB subdomain. to TikTok - 81 upvotes, $0
  34. Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known to TikTok - 80 upvotes, $0
  35. XSS Payload on TikTok Seller Center endpoint to TikTok - 77 upvotes, $1000
  36. TikTok's pixel/sdk.js leaks current URL from websites using postMessage to TikTok - 76 upvotes, $0
  37. Cross-Tenant IDOR ( graphql AddRulesToPixelEvents query ) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 74 upvotes, $0
  38. Cross-site Scripting (XSS) - Stored on ads.tiktok.com in Text field to TikTok - 74 upvotes, $0
  39. Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd] to TikTok - 73 upvotes, $0
  40. CSRF protection bypass on TikTok Webcast Endpoints to TikTok - 72 upvotes, $2500
  41. XSS on tiktok.com to TikTok - 72 upvotes, $0
  42. 1 Click to 'Close Account and Refund' via POSTMESSAGE to TikTok - 69 upvotes, $4500
  43. Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification to TikTok - 69 upvotes, $0
  44. CORS misconfiguration in TikTok ads portal to TikTok - 67 upvotes, $0
  45. BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS to TikTok - 66 upvotes, $500
  46. IDOR the ability to view support tickets of any user on seller platform to TikTok - 65 upvotes, $2500
  47. Cross Site Scripting using Email parameter in Ads endpoint 1 to TikTok - 64 upvotes, $0
  48. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 63 upvotes, $500
  49. Bypass SMS verification to delete TikTok account to TikTok - 61 upvotes, $0
  50. Blocked user can send notification by liking the message due to Logical Bug to TikTok - 59 upvotes, $0
  51. One Click Account Hijacking via Unvalidated Deeplink to TikTok - 58 upvotes, $0
  52. XSS at TikTok Ads Endpoint to TikTok - 58 upvotes, $0
  53. RXSS on TikTok endpoints to TikTok - 57 upvotes, $0
  54. IDOR on Tagged People to TikTok - 56 upvotes, $0
  55. Broken Link on TikTokUS.Info to TikTok - 54 upvotes, $0
  56. Privilege Escalation on TikTok for Business to TikTok - 51 upvotes, $0
  57. HTML Injection via Email Share to TikTok - 51 upvotes, $0
  58. Multiple Open Redirect on TikTok domains to TikTok - 50 upvotes, $0
  59. Stored XSS in the ticketing system to TikTok - 46 upvotes, $1000
  60. Business Suite "Get Leads" Resulting in Revealing User Email & Phone to TikTok - 45 upvotes, $0
  61. Bypass "Industry Documents" Validation to TikTok - 43 upvotes, $50
  62. Stored XSS Payload when sending videos to TikTok - 42 upvotes, $500
  63. bypass two-factor authentication in Android apps and web to TikTok - 42 upvotes, $0
  64. RXSS via region parameter to TikTok - 42 upvotes, $0
  65. XSS and iframe injection on tiktok ads portal using redirect params to TikTok - 41 upvotes, $0
  66. Ability to change permissions across seller platform to TikTok - 41 upvotes, $0
  67. View thumbnail of any private video (friends or followers only) of Private/Public account to TikTok - 40 upvotes, $0
  68. CSRF To Add New App In Developer Account And Bypassing Json Format to TikTok - 37 upvotes, $200
  69. HTML Injection on Company Name on Email to TikTok - 37 upvotes, $79
  70. Open Redirect Vulnerability on TikTok Ads Portal to TikTok - 36 upvotes, $0
  71. HTML Injection through Account Name field on TikTok ads portal being rendered on emails to TikTok - 36 upvotes, $0
  72. CSRF in ticket function to TikTok - 36 upvotes, $0
  73. Lack of session expiration after password reset on TikTok Careers Portal to TikTok - 34 upvotes, $50
  74. IDOR in family pairing API to TikTok - 34 upvotes, $0
  75. Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com to TikTok - 33 upvotes, $250
  76. Open Redirect TO Stealing aadvid to TikTok - 31 upvotes, $0
  77. Add products to any livestream. to TikTok - 31 upvotes, $0
  78. CSRF in seller-us.tiktok.com/profile/account-setting/delegation-login to TikTok - 30 upvotes, $0
  79. CSRF in Changing User Verification Email to TikTok - 29 upvotes, $500
  80. IDOR on TikTok Seller to TikTok - 28 upvotes, $500
  81. Bypassing authorization of linked Instagram account to TikTok - 28 upvotes, $170
  82. HTML Injection via TikTok Ads Email Share to TikTok - 27 upvotes, $0
  83. Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly) to TikTok - 26 upvotes, $200
  84. TikTok Account Creation Date Information Disclosure to TikTok - 26 upvotes, $100
  85. TikTok Session Donation CSRF via QR code login to TikTok - 26 upvotes, $0
  86. Cross Site Scripting using Email parameter in Ads endpoint 2 to TikTok - 25 upvotes, $0
  87. Any user can vote on Friend Only video pull to TikTok - 25 upvotes, $0
  88. Internal Employee informations Disclosure via TikTok Athena api to TikTok - 24 upvotes, $1000
  89. Clickjacking Vulnerability Can Leads To Delete Developer APP to TikTok - 24 upvotes, $500
  90. Remotely Accessible Container Advisor exposed performance metrics and resource usage to TikTok - 22 upvotes, $100
  91. Rate limiting on report video to TikTok - 22 upvotes, $0
  92. CSRF on TikTok Ads Portal to TikTok - 21 upvotes, $1000
  93. User In The Same Center Can Create CSRF To Change The Information About Business to TikTok - 21 upvotes, $147
  94. Blind SSRF in ads.tiktok.com to TikTok - 20 upvotes, $0
  95. reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $0
  96. IDOR in report download functionality on ads.tiktok.com to TikTok - 17 upvotes, $500
  97. CORS bypass on TikTok Ads Endpoint to TikTok - 17 upvotes, $257
  98. Information Disclosure of Advertiser Account on TikTok Ads Portal to TikTok - 17 upvotes, $0
  99. Create product discounts of any shop to TikTok - 17 upvotes, $0
  100. Multiple Cross-Site Scripting vulnerability via the language parameter to TikTok - 16 upvotes, $0
  101. User Able to Reopen a Ticket by Modify the Request to TikTok - 15 upvotes, $169
  102. disclosure the live_analytics information of any livestream. to TikTok - 15 upvotes, $0
  103. URL Scheme misconfiguration on TikTok for IOS to TikTok - 14 upvotes, $500
  104. CSRF for deleting videos to TikTok - 14 upvotes, $0
  105. Improper user validation on mentions and hashtags to TikTok - 11 upvotes, $150
  106. Information Leakage via TikTok Ads Web Cache Deception to TikTok - 11 upvotes, $0
  107. Email address disclosure via invite token validatiion to TikTok - 10 upvotes, $250
  108. Information Disclosure on TikTok Unplugged Site to TikTok - 10 upvotes, $0
  109. Impersonation of tiktok account via Broken Link in TikTok Newsroom to TikTok - 9 upvotes, $0
  110. Clickjacking Vulnerability In Whole Page Ads Tiktok to TikTok - 6 upvotes, $500
  111. Instance Page DOS within Organization on TikTok Ads to TikTok - 3 upvotes, $0