The CapCut engineering team rolled out a patch in version . The fix involved improved input validation on the server side.
In mid-2023, a researcher discovered that CapCut’s “share template” feature used sequential, predictable numeric IDs. By incrementing the ID in the API call GET /api/template/12345, any user could download another user’s private template—including unlisted video drafts.
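The authorization gap described above, shown beside a checked lookup, as an added example that is not from the original page or from CapCut's code. The store, user names, visibility field and function names are constructed assumptions, and the ownership check is one standard mitigation, not the fix the page reports.

```python
# Added example: constructed data and hypothetical names, not CapCut's code.
import secrets
from dataclasses import dataclass

@dataclass
class Template:
    owner: str
    visibility: str  # "public" or "private" (assumed model)
    title: str

# Constructed store keyed by sequential numeric IDs, as in the report.
TEMPLATES = {
    12345: Template("alice", "public", "Travel intro"),
    12346: Template("bob", "private", "Unlisted draft"),
}

def get_template_vulnerable(template_id, user):
    """Returns any template that exists; the caller's identity is never consulted."""
    return TEMPLATES.get(template_id)

def get_template_checked(template_id, user):
    """Object-level authorization: a private template goes to its owner only."""
    if isinstance(template_id, bool) or not isinstance(template_id, int):
        return None  # reject non-integer IDs before any lookup
    template = TEMPLATES.get(template_id)
    if template is None:
        return None
    if template.visibility == "private" and template.owner != user:
        return None  # same result as "not found", so existence is not leaked
    return template

def new_share_id():
    """Defense in depth: a random 128-bit share ID instead of a counter."""
    return secrets.token_urlsafe(16)

def leaked_ids(handler, user):
    """Regression check: private templates a handler returns to a non-owner."""
    return [
        tid for tid, t in TEMPLATES.items()
        if t.visibility == "private" and t.owner != user
        and handler(tid, user) is not None
    ]
```

Random share IDs only make guessing harder; the per-request ownership check is what closes the hole, and leaked_ids can run in CI against every handler that takes an object ID.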
A primary reason for robust bug bounty programs is to counter "unofficial" fixes and distribution. Threat actors often exploit CapCut’s popularity by creating cloned websites (e.g., capcut-freedownload[.]com) that distribute malware disguised as official installers.
🛠️ Fixed it! Just closed a bug bounty ticket with @CapCut_app.