Stored XSS at the name of the attacker’s account carrying XSS payload will be triggered when the victim Send Video

Aidil Arief
3 min readNov 30, 2022

Hi everyone,

When I decided to do some Bug Hunting on the TikTok program, and I got some XSS Stored in a few months.

After waiting for so long to disclose these findings, and finally, this article is disclosed.

Follow Me :)

This finding is my first finding, but because there is a delay in the Disclosure and Fix process, the Disclosure of this finding is a bit late. Here are my other findings that have already been disclosed.

This finding started when I tried to rename my TikTok account to one that carries XSS payload.

I think the way I did was a stupid and time consuming way to scan for vulnerable output.

After a long time trying to find the output of the name that carries the XSS payload, and I can’t find any XSS vulnerabilities there.

I decided to pause for a moment by trying to look back at some of the existing features.

And until finally I saw a vulnerable output, where the name of the TikTok account carrying the XSS payload was treated as HTML.

See the TikTok name output carrying the XSS payload is considered HTML. However when I try to use SCRIPT TAG. And the pop up doesn’t appear. I tried using another payload and see the result :

And Pop Up appears.

I was very excited and immediately reported this to the TikTok Team.

Report :

Timeline :

Report : Apr 9th

Triaged : Apr 26th

Fix : Jul 8th

Resolved : Fixed