| Report title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| IDOR the ability to view support tickets of any user on seller platform | Insecure Direct Object Reference (IDOR) | lewaperbb | Medium | 2021-12-03 |
| reflected xss on the path m.tiktok.com | Cross-site Scripting (XSS) - Reflected | semsem123 | Medium | 2021-12-03 |
| BYPASSING COMMENTING ON RESTRICTED AUDIENCE VIDEOS | Improper Access Control - Generic | boynamedboy | Medium | 2021-11-18 |
| HTML Injection on tiktoktutorials via firstName parameter | Improper Input Validation | sirat_ | Low | 2021-10-30 |
| XSS on tiktok.com | Cross-site Scripting (XSS) - Reflected | arifmkhls | Medium | 2021-10-23 |
| Reflected XSS in TikTok endpoints | Cross-site Scripting (XSS) - Reflected | sh1yo | Medium | 2021-10-22 |
| Broken Link on TikTokUS.Info | Violation of Secure Design Principles | sirat_ | Low | 2021-10-01 |
| Information Disclosure on TikTok Unplugged Site | Information Disclosure | nanwn | Low | 2021-08-13 |
| Blocked user can send notification by liking the message due to Logical Bug | Privacy Violation | sandipgyawali | Low | 2021-07-10 |
| TikTok Session Donation CSRF via QR code login | Cross-Site Request Forgery (CSRF) | lauritz | Low | 2021-06-17 |
| Blocked user can see live video | Privacy Violation | sandipgyawali | Medium | 2021-05-28 |
| CSRF on TikTok Ads Portal | Cross-Site Request Forgery (CSRF) | probatorem | Medium | 2021-05-26 |
| RCE on TikTok Ads Portal | Code Injection | bubbounty | Critical | 2021-04-15 |
| Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform | Insecure Direct Object Reference (IDOR) | bubbounty | High | 2021-04-02 |
| Multiple bugs leads to RCE on TikTok for Android | Improper Export of Android Application Components | dphoeniixx | Critical | 2021-03-17 |
| External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing | Server-Side Request Forgery (SSRF) | ach | High | 2021-02-15 |
| Lack of rate limitation on careers site allows the attacker to brute force the verification code | Brute Force | iambouali | High | 2021-02-11 |
| [CSRF] TikTok Careers Portal Account Takeover | Cross-Site Request Forgery (CSRF) | lauritz | High | 2020-12-15 |
| Cross-Site-Scripting on www.tiktok.com and m.tiktok.com leading to Data Exfiltration | Cross-site Scripting (XSS) - Reflected | milly | High | 2020-11-19 |
| CSRF To Add New App In Developer Account And Bypassing Json Format | Cross-Site Request Forgery (CSRF) | sniper302 | Medium | 2020-11-07 |
| Bypass "Industry Documents" Validation | Improper Access Control - Generic | gnux | Low | 2020-10-29 |