Sayed Abdelhafiz, an 18-year-old Egyptian researcher, disclosed the details of several vulnerabilities he discovered in the TikTok app for Android between late last year and early 2021 in a blog post published on Medium last week.

Abdelhafiz discovered a number of cross-site scripting (XSS) flaws, as well as an issue with arbitrary component launch and a Zip Slip file extraction flaw. By chaining these bugs, an attacker could have remotely executed arbitrary code on the targeted user's Android device simply by getting them to click on a malicious link. It was enough for the victim to click on a link posted on a website or sent to their TikTok inbox, according to Abdelhafiz.

"Anything TikTok can do on your device, the exploit can do," the researcher said of what an attacker might have done with this exploit. "The exploit will access the storage files if the victim has given the TikTok application storage permission," Abdelhafiz explained. "If bad actors take advantage of this flaw, they might combine it with an Android flaw to take control of the whole system, even if the TikTok app doesn't have permission to do anything."

TikTok responded quickly and rolled out a temporary patch within a week, according to Abdelhafiz, but the social media giant only allowed him to disclose details of his findings last week. The researcher's blog post includes proof-of-concept (PoC) code as well as information about how TikTok dealt with the flaws.

In October 2020, TikTok partnered with HackerOne to launch a public bug bounty program. According to the company's HackerOne page, it has paid out nearly $130,000 to date, with top bounties ranging from $2,000 to $12,000.
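The Zip Slip flaw mentioned above belongs to a well-known class: an archive entry whose name contains `../` segments (or an absolute path) is written outside the intended extraction directory if the extractor trusts entry names. The following is an added example, not code from Abdelhafiz's post or from TikTok, showing the check a defender puts in an extractor: resolve each entry's destination and refuse anything that does not stay under the target directory. The archive contents are constructed sample data; the entry names and the `safe_extract`/`demo` helpers are this example's own.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Build an in-memory zip (constructed sample data, not from the article)
    with one benign entry and one path-traversal entry of the kind Zip Slip abuses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/theme.json", '{"name": "ok"}')
        zf.writestr("../../shared_prefs/evil.xml", "<map/>")
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries whose resolved path stays inside dest_dir.

    Returns (extracted_names, rejected_names). Rejected entries are skipped
    rather than aborting the whole extraction, so callers can log them.
    """
    dest_root = os.path.realpath(dest_dir)
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the would-be destination. os.path.join discards dest_root
            # when name is absolute, and realpath collapses "..", so both
            # absolute-path and traversal entries end up outside dest_root.
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append(name)
                continue
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo() -> tuple[list[str], list[str]]:
    """Run the safe extractor on the sample archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected:", bad)
```

The important line is the `commonpath` comparison after `realpath`: checking for a literal `..` substring is not enough, because encodings such as `a/../../b` or an absolute entry name bypass naive filters. Python's own `ZipFile.extract` already strips leading separators and `..` components, but `java.util.zip.ZipInputStream`, the API an Android app typically uses, hands back entry names untouched, which is why this check has to live in the app's extraction code on that platform.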