XSS Blind Stored at 2 Assets TikTok

Aidil Arief
3 min readJun 29, 2022

Hi everyone,

In this article, I share the findings of XSS Blind Stored at 2 TikTok Assets.

When I decided to hunt for bugs in the TikTok program, and I spent 1 month looking for this XSS.

This XSS finding started when I created a product on a TikTok seller account (https://seller-id.tiktok.com/)

I entered the XSS payload in the product name in the seller’s account.

And the result is that there is no XSS on https://seller-id.tiktok.com/ that I get. And I decided not to continue looking for XSS there.

And the next day, when I continued testing on TikTok Android Apps assets, and I discovered the features of my product.

I tried to see the Product URL Location from the **Share** feature above.

And I get a URL of the form :


And it turns out to be the same, there is no XSS here :(

I was silent for a moment and tried to see the view source of the page.

And apparently I found a vulnerable XSS snippet there in the form of:

<meta name='keywords' content='["><img src=x onerror=alert()>], TikTok, TokTok Shop' />

And that’s what made me give up, but after I know the snippet of the responses, I tried to change my product name from the TikTok seller account (https://seller-id.tiktok.com/).

Now I’m using an XSS payload with a single quote ( ‘ ) prefix :

‘><img src=x onerror=alert()>

And finally a pop up appears :)

Let’s see the responses from view source:

<meta name=’keywords’ content=’[’><img src=x onerror=alert()>], TikTok, TokTok Shop’ />

And yes, there the ‘> prefix is ​​used to close the input value in the META TAG. And I got the XSS Blind Stored here.

I was overjoyed and immediately reported it to the TikTok team.

After I finished reporting the issue, I continued my testing, and it turned out that I found URLs for other TikTok assets that were affected by XSS in my initial findings.

The affected assets are https://shop.tiktok.com/

I also reported this finding to the TikTok Team.

Report :


Affected Assets :



Timeline :

Report : Apr, 29th

Fix & Resolved : May, 13th