Our AI Hacked TikTok in One Day
Author: Ahmed Ghadban
Reading time: 5 min read
In a single day of authorized testing under TikTok’s public bug bounty program, IQ AI’s autonomous agents identified and validated five separate high-impact vulnerabilities. The last one ended somewhere we did not expect: an internal TikTok account holding over $1,000,000 in balance. Every issue was reported through coordinated disclosure — every one submitted to TikTok’s bug bounty program on HackerOne.
We are publishing this not to celebrate a number, but because how these findings surfaced says something precise about where AI-accelerated research earns its place. Four of the five were access-control failures — the class of bug scanners are structurally bad at, because there is nothing malformed to flag. The request was well-formed. The session was authenticated. The only thing wrong was that the object being read or written belonged to someone else. The specifics below — endpoints, parameters, identifiers, and the data observed during validation — are deliberately withheld.
Why “one day” is the point, not the risk
The day was not a sprint of blind fuzzing. A recon agent mapped the in-scope surface and built a security-focused model of each asset — its identifiers, its trust boundaries, the shape of its authorization checks. A reasoning agent then walked that model the way a careful human would, but across far more endpoints in parallel, asking one disciplined question at every object reference: whose data is this, and does the server actually verify that the caller owns it? A validation agent turned each promising answer into reproducible proof before a human reviewer spent a minute on it.
That pipeline is why a single authorized day produced five validated issues instead of fifty unverified ones. The leverage is in reasoning about logic, not in the volume of requests — and a platform the size of TikTok exposes exactly the surface where that leverage compounds: creator tooling, payouts, support systems, tax and billing flows, and multiple domains, each with access-control rules that shift on every deploy.
Reading approximately 300,000 creators’ earnings
The first finding hit the money. A creator-earnings and payout feature was missing object-level authorization — a broken access control flaw on a financial endpoint. The check that should have confirmed you may only see your own numbers was never enforced server-side, so an authenticated attacker could read any TikTok user’s earnings and payout totals — exactly how much money a given creator had made.
The blast radius was approximately 300,000 users’ financial figures. For a creator economy, earnings data is among the most sensitive information a platform holds: it exposes income, reveals commercial relationships, and invites harassment and extortion. This was mass financial-privacy exposure with no anomaly for a signature-based tool to catch — just a boundary that was never checked.
Private support chats — and the AI agent’s own internals
The second finding lived in a support-chat feature, and it was an IDOR (read) with a twist. Reading other users’ private support conversations was serious on its own — people tell support channels things they tell no one else. But the same weakness also exposed the internal configuration of the AI support agent behind the chat: its system instructions and internal secrets, which should never cross the trust boundary to a client.
That second layer is its own category of risk. An assistant’s own instructions describe how it reasons, what it trusts, and where its guardrails sit; exposed, they hand an attacker a blueprint for manipulating it. One flaw, two disclosures of things that should have stayed on the server. This was reported on its own.
Read and write across approximately 50,000 support conversations
The third finding was a separate report on a different TikTok domain, and it raised the stakes from look to touch. A structurally similar object reference was not only readable but writable — an IDOR with read and write access across a support system at scale, spanning some 50,000 or more conversations.
Write access changes everything. Reading private tickets is a confidentiality breach; altering them means an attacker could tamper with or inject content into conversations users already trusted — a foothold for fraud and social engineering that turns a help desk into an attack channel. AI reasoning across assets is what recognized the same flawed authorization shape on a second domain that shared no obvious surface with the first.
Rewriting any user’s tax and billing data
The fourth finding returned to sensitive financial data, this time on the write side. An IDOR (write) allowed modification of any user’s tax and billing information — details that sit at the intersection of money and identity. Read access to that data is serious; write access is a different category of harm. An attacker able to alter another person’s tax and billing record could disrupt payouts and corrupt records in ways that surface weeks later in the worst possible place. We validated the impact and stopped there; the underlying data was never ours to keep.
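The authorization gap behind the read-side earnings finding above and this write-side one, shown as an added example (not IQ AI's tooling or TikTok's code): a vulnerable handler beside its hardened form, plus a small audit that asks the post's question at each object reference, whether the server verifies the caller owns the object. Endpoint names, creator IDs, balances and tax IDs are constructed sample values.

```python
"""Object-level authorization: vulnerable vs. hardened handlers and a cross-account
audit. Illustrative code added to this post; all data below is constructed."""

# Constructed sample data (not real accounts): two creators, one record each.
EARNINGS = {"creator-1": {"payout_total": 1200.50}, "creator-2": {"payout_total": 87.00}}
BILLING = {"creator-1": {"tax_id": "sample-1"}, "creator-2": {"tax_id": "sample-2"}}


class Forbidden(Exception):
    """Raised when the authenticated caller does not own the referenced object."""


# Vulnerable shape: valid session, well-formed request, but creator_id from the
# request is never compared with the session's own user.
def get_earnings_vulnerable(session_user: str, creator_id: str) -> dict:
    return EARNINGS[creator_id]


def update_billing_vulnerable(session_user: str, creator_id: str, tax_id: str) -> dict:
    BILLING[creator_id]["tax_id"] = tax_id
    return BILLING[creator_id]


# Hardened shape: ownership enforced server-side on reads and writes, using the
# identity from the authenticated session, never a value supplied in the request.
def require_owner(session_user: str, creator_id: str) -> None:
    if session_user != creator_id:
        raise Forbidden(f"{session_user} does not own {creator_id}")


def get_earnings_fixed(session_user: str, creator_id: str) -> dict:
    require_owner(session_user, creator_id)
    return EARNINGS[creator_id]


def update_billing_fixed(session_user: str, creator_id: str, tax_id: str) -> dict:
    require_owner(session_user, creator_id)
    BILLING[creator_id]["tax_id"] = tax_id
    return BILLING[creator_id]


def cross_account_denied(handler, *extra) -> bool:
    """True if creator-2, authenticated, is refused access to creator-1's object."""
    try:
        handler("creator-2", "creator-1", *extra)
    except Forbidden:
        return True
    return False


def audit_object_authorization(handlers: dict) -> dict:
    # Map each hypothetical endpoint name to whether its handler denies non-owners.
    return {name: cross_account_denied(h, *extra) for name, (h, extra) in handlers.items()}


AUDIT = audit_object_authorization({
    "GET /earnings (vulnerable)": (get_earnings_vulnerable, ()),
    "GET /earnings (fixed)": (get_earnings_fixed, ()),
    "PUT /billing (vulnerable)": (update_billing_vulnerable, ("tampered",)),
    "PUT /billing (fixed)": (update_billing_fixed, ("tampered",)),
})
```

Running the audit leaves creator-1's billing record reading "tampered": the vulnerable write handler accepted the change, and only the hardened one refused it.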
One leaked token, one internal account, over $1,000,000
The day ended on its most dramatic note. IQ AI identified a leaked access token for an internal TikTok account. Using it, our agents obtained low-privilege access to that account — low privilege, but far from low value. The account held a balance of over $1,000,000, and the access exposed its email, phone number, and full profile information.
This is the textbook shape of a secret-exposure chain: a credential where it should not be, leading to unauthorized internal access and sensitive-data exposure. We did not escalate or move laterally. We are not naming or identifying the account holder, and the personal data encountered during validation is not disclosed here. The point was the proof, and the proof was conclusive — leaked credentials are never “informational” once you demonstrate, in scope, exactly what they unlock.
Responsible disclosure
Every one of these findings was produced under TikTok’s authorized bug bounty program, validated against our own proof-not-noise bar, and submitted through coordinated disclosure. We accessed only what was necessary to prove impact, withheld every reproducible detail — no endpoints, parameters, or steps — and disclosed no personal data. Each finding was submitted to TikTok’s bug bounty program on HackerOne for coordinated triage and remediation.
All testing was authorized. Every finding was reproduced before reporting and disclosed responsibly through TikTok’s program on HackerOne. That is the only way IQ AI operates.
Credit belongs to TikTok as much as to our agents — a bug bounty program that invites this kind of scrutiny is doing security right, and every finding here went through it on HackerOne. The vulnerabilities were real, the disclosure was responsible, and the specifics stay withheld.
What the day proves
Five distinct, high-impact issues — mass financial-privacy exposure, support-system IDORs at scale, financial-PII tampering, and a credential chain into a million-dollar internal account — surfaced, validated, and reported inside a single authorized day. That is not a story about speed for its own sake. It is what happens when frontier reasoning is pointed at the one bug class automated tooling keeps missing — broken object-level authorization — and held to reproducible proof before anything is reported. The reasoning found the flaws; the discipline made them count.
IQ AI is only getting started.