Privilege Escalation on TikTok for Business
Medium
TikTok
Team Summary
Official summary from TikTok
An IDOR (Insecure Direct Object Reference) vulnerability was found on the "org_id" and "account_id" parameters on a Business.TikTok.com endpoint, which could have allowed an authenticated user with "Analyst"-level permissions to close another user's ads accounts. We thank @naaash for reporting this to our team.
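The summary names the two client-supplied identifiers (org_id, account_id) and the role that should not have been able to act on foreign accounts. The following is an added illustration of that bug class and of the object-level authorization check that closes it; it is hypothetical code written for this page, not TikTok's, and every name in it (Session, AdAccount, make_accounts, the role strings, the account ids) is made up.

```python
"""Toy model of the IDOR described in the summary: a user whose session is
bound to one organisation submits another organisation's org_id/account_id
and closes that account. Hypothetical code, not TikTok's."""
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    org_id: str   # organisation the caller's session is bound to (server-side)
    role: str     # e.g. "Admin" or "Analyst" within that organisation


@dataclass
class AdAccount:
    account_id: str
    org_id: str
    status: str = "ACTIVE"


# Constructed sample data: two organisations, one ad account each.
def make_accounts():
    return {
        "acct-1": AdAccount("acct-1", "org-A"),
        "acct-2": AdAccount("acct-2", "org-B"),
    }


# Assumed role policy: only Admins may close accounts; Analysts are read-only.
ROLES_ALLOWED_TO_CLOSE = {"Admin"}


def close_account_vulnerable(session, org_id, account_id, accounts):
    """IDOR: trusts the client-supplied org_id/account_id pair.

    The only check is that the two client values agree with each other,
    so any authenticated user (including an Analyst of org-A) can close
    any account in any organisation whose ids they can obtain or guess.
    """
    acct = accounts.get(account_id)
    if acct is None or acct.org_id != org_id:
        return "not_found"
    acct.status = "CLOSED"
    return "closed"


def close_account_hardened(session, org_id, account_id, accounts):
    """Object-level authorization: authority comes from the session, not the request.

    1. The account is resolved server-side and must belong to the caller's
       own organisation (the one recorded in the session).
    2. A client org_id that disagrees with the session is rejected too.
    3. The caller's role in that organisation must permit closing.
    A single "forbidden" result is returned for every failure so the
    endpoint does not reveal whether a foreign account id exists.
    """
    acct = accounts.get(account_id)
    if acct is None or acct.org_id != session.org_id or org_id != session.org_id:
        return "forbidden"
    if session.role not in ROLES_ALLOWED_TO_CLOSE:
        return "forbidden"
    acct.status = "CLOSED"
    return "closed"


if __name__ == "__main__":
    analyst_a = Session("u1", "org-A", "Analyst")
    accts = make_accounts()
    # Analyst of org-A closes org-B's account through the vulnerable handler.
    print(close_account_vulnerable(analyst_a, "org-B", "acct-2", accts))  # closed
    accts = make_accounts()
    # Same request against the hardened handler is refused.
    print(close_account_hardened(analyst_a, "org-B", "acct-2", accts))    # forbidden
```

The point of the hardened version is that the request parameters are treated only as a lookup key; ownership is re-derived from the session on the server, and the role check is applied after the ownership check, so an Analyst cannot close even their own organisation's accounts. Returning the same response for "no such account" and "not yours" also removes an enumeration oracle for account ids.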
Reported by
naaash
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Insecure Direct Object Reference (IDOR)