Viewing Secret TikTok Ads

Viewing Secret TikTok Ads

Published on
# exploit# vulnerabilities# tiktok# cybersecurity

TikTok Is a HUGE Advertising Platform

TikTok is a massive way to reach a lot of people on earth due to just how many people have been trained into mindlessly scrolling over and over on every post that they see, treating brands as people due to how brands now try to relate to the people they're advertising to, but sometimes advertisers publish test or unreleased versions of ads on platforms like TikTok, and while they may not think much of it as nobody can normally see it, there used to be a very easy exploit on the app that allowed this extra information to be accessed surprisingly easily.

I had discovered the exploit I will be discussing today back in 2020, and this super simple trick would allow you to view "secret" TikTok ads by brands that aren't part of any official algorithm or campaign, causing upcoming announcements to be potentially leaked by an unexpecting brand.

How I Found This Exploit & What It Is

While casually browsing TikTok on my phone as anyone else would, I got an advertisement for a video game that I play pretty often, so naturally I went to go share the video to my friend so that he could see the ad I got, however I noticed when going to share an advertisement you could actually copy the direct link of an ad from the mobile apps share menu. Now TikTok treats ad accounts differently from normal accounts, as if you try to click the accounts profile picture or name it won't take you to an actual profile on an ad account even though it does on a normal account, and opening a link on your phone just takes you to the app as usual, so I got curious what would happen if I simply copied the link to my computer and opened it on a normal web browser, due to me almost never seeing TikTok ads on the browser version of the app.

When I did I found out that something very unexpected happens...

Opening the TikTok advertisement on a web browser would allow you to actually view the advertiser's entire TikTok profile from your desktop, this didn't just include the advertisements currently being paid for on the platform but also ANY video that the advertisement profile has uploaded including test and unreleased ads that aren't shown anywhere else.

Why This Matters

Most of these hidden advertisement videos don't show up in TikTok's algorithm or feeds, so the average user will never see them and advertisers might not think much of it because they could just believe they're uploaded stuff to be scheduled for later due to nobody being able to access these profiles. Despite these assumptions these hidden videos might contain:

  • Sneak peeks of upcoming campaigns
  • Experimental ad concepts
  • Unannounced product info/branding changes
  • Content targeted only to specific test audiences such as specific regions

By having access to these "secret" ads I was given a rare glimpse behind the curtain of advertising on platforms like TikTok, but not only that I was also presented with full video advertisements of upcoming content in games I play, despite those games not even having announced those changes/updates yet.

Why Didn't I Report This Sooner?

To make it pretty simple, when I first discovered this exploit the website you're reading this on didn't exist at all, due to that I didn't feel the need to document these vulnerabilities however TikTok was made aware of the exploit and shortly after I had discovered it the exploit was patched out. Now when you go to copy a tiktok video ad onto your desktop it will just show the ad but any attempts to go to the advertisers profile including with direct links seemingly doesn't work and just redirects you to the TikTok homepage. There still is a suspicion in my mind that you can find unreleased TikTok ads using API requests as I feel they didn't fully block off all access points but I personally haven't looked too much into this ever since the original exploit was fixed.

Final Thoughts

Discovering this was a fun little hack, it was a random idea that I didn't think would go far at all yet gave a reminder that no matter how much data and content we constantly consume on the internet daily, so much more content exists beneath the surface of everyday applications and when there is a will there is a way to uncover the hidden world beyond the surface level that the normal person browses daily, interacting with more than they may interact with close friends and family.