CVE: N/A (Duplicate — independently discovered)
Platform: TikTok Android (com.zhiliaoapp.musically)
Severity: High (CVSS 7.7)
Status: Reported to TikTok via HackerOne — Confirmed Valid
Summary
The aweme/v1/comment/publish endpoint accepts a client-supplied user_vote_info parameter containing a free-form vote_text field with no server-side validation. An attacker can inject arbitrary text which TikTok renders verbatim as an official "Voted [text]" badge underneath their comment on any video, regardless of whether that video has a poll.
This allows any authenticated user to display fake official-looking poll vote badges on any video at scale.
Demo

Vulnerability Details
Endpoint
POST https://api16-normal-no1a.tiktokv.eu/aweme/v1/comment/publish/
Vulnerable Parameter
When posting a comment, TikTok includes a user_vote_info field in the request body:
{
"poll_id": 1337,
"vote_option": 1,
"vote_text": "check story in bio"
}
The vote_text field is entirely client-controlled. TikTok's server:
- Does not validate that the
poll_idbelongs to the target video - Does not validate that
vote_textmatches any real poll option - Does not check whether the video has a poll at all
- Simply stores and renders whatever string the client sends
Impact
- UI Spoofing — Fake official-looking badges on any video
- Social Engineering at Scale — Direct millions of viewers to external links/accounts using trusted UI elements
- Fake Engagement Metrics — Misleading poll interaction data
- Scam Vector — "Voted check my DMs", "Voted follow me", etc. on viral videos
Proof of Concept
Prerequisites
- Rooted Android device OR Android emulator with root
- Frida installed on your PC
- Charles Proxy (or any HTTPS proxy)
- TikTok account
Method
The user_vote_info parameter is passed to TikTok's CommentApiV2.LJIILL() method (method name may vary by app version — rescan if needed) before request signing. We hook this method with Frida to inject custom vote_text before TikTok signs the request natively.
bypass.js (included in this repo) does two things:
- Bypasses TikTok's SSL pinning so Charles can read decrypted traffic
- Hooks the comment publish method and injects custom
vote_text
Steps to Reproduce
- Root your Android device and install Frida server
- Push
frida-serverto/data/local/tmp/and start it:
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell su -c "/data/local/tmp/frida-server &"
- Set Charles as your Android proxy:
adb shell settings put global http_proxy YOUR_PC_IP:8888
- Edit
bypass.js— set your desiredvote_text:
var customVoteInfo = JSON.stringify({
"poll_id": 1337,
"vote_option": 1,
"vote_text": "your text here"
});
- Open TikTok on your device, then attach Frida:
frida -U -n "TikTok" -l bypass.js
- Post any comment on any video
- The badge "Voted [your text]" will appear under your comment — visible to all viewers
Expected Result
[+] SSL bypass active
[+] Comment publish hooked — vote_text will be injected on every comment
[*] Intercepted comment publish
[*] Original vote_info: null
[*] Injected vote_info: {"poll_id":1337,"vote_option":1,"vote_text":"your text here"}
Technical Details
How the Hook Works
TikTok's comment publish logic lives in:
com.ss.android.ugc.aweme.commentv2.commentlist.CommentApiV2
The method responsible for building and sending the comment request (obfuscated, may vary by version) accepts user_vote_info as a plain string parameter at argument index 25. We intercept it before TikTok's signing process runs, so the signed request contains our injected text — making it indistinguishable from a legitimate request.
Why Changing Parameters in a Proxy Doesn't Work
TikTok signs every request with x-argus and x-gorgon headers computed over the request body. Modifying the body in Charles after signing (via Compose/Rewrite) breaks these signatures and returns status_code: 4. The Frida hook approach works because we modify the data before signing occurs — TikTok signs our injected payload natively.
Files
| File | Description |
|---|---|
bypass.js |
Frida script — SSL bypass + vote_text injection |
README.md |
This file |
assets/ |
Screenshots and demo footage |
Timeline
| Date | Event |
|---|---|
| June 26, 2026 | Vulnerability discovered |
| June 26, 2026 | Reported to TikTok via HackerOne (#3830918) |
| June 27, 2026 | Marked as duplicate — confirmed valid |
| June 29, 2026 | Youtube video posted |
Disclosure
This vulnerability was discovered independently and reported responsibly through TikTok's official HackerOne bug bounty program.
Do not use this for malicious purposes. This is published for security researchers and developers to understand this class of vulnerability.
Author
fstr — Independent security researcher YouTube: [https://www.youtube.com/@heisfstr] Website: [https://fstr.one/]
Comments