High-Impact 1-Click Exploit: A Researcher Received Over $11,000 From TikTok
Cybers Guards

Sayed Abdelhafiz, an 18-year-old Egyptian researcher, disclosed the details of several vulnerabilities he discovered in the TikTok app for Android between late last year and early 2021 in a blog post published on Medium last week. Abdelhafiz found a number of cross-site scripting (XSS) flaws, as well as a problem with arbitrary component launching and a Zip Slip archive extraction flaw. By chaining these bugs, an attacker could have remotely executed arbitrary code on the targeted user's Android device simply by getting them to click on a malicious link. It was enough for the victim to click on a link hosted on a website or sent to their TikTok inbox, according to Abdelhafiz. "Anything TikTok can do on your device, the exploit can do," the researcher said of what an attacker might have done with this exploit. "The exploit will access the storage files if the victim has granted the TikTok application storage permission," Abdelhafiz explained. "If bad actors take advantage of this flaw, they might combine it with an Android flaw to take control of the entire system, even if the TikTok app doesn't have permission to do anything." TikTok responded quickly and rolled out a temporary patch within a week, according to Abdelhafiz, but the social media giant only allowed him to disclose details of his findings last week. The researcher's blog post includes proof-of-concept (PoC) code as well as information about how TikTok dealt with the flaws. In October 2020, TikTok partnered with HackerOne to run a public bug bounty program. According to the company's HackerOne page, it has paid out almost $130,000 to date, with top bounties ranging from $2,000 to $12,000.
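The Zip Slip flaw class named above is an archive-extraction bug in which an entry name such as `../evil.so` makes the extractor write outside the directory it intended to fill. The following Python example is added here and is not code from Abdelhafiz's post or from TikTok; it builds a small archive inline (one benign entry and one constructed hostile entry) and shows an extractor that resolves every entry against the destination directory and refuses any that escape it.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

def build_sample_zip() -> bytes:
    """Construct an in-memory archive: one benign entry, one Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/style.css", "body { color: #000; }")
        # Constructed hostile entry: its name climbs out of the extraction directory.
        zf.writestr("../evil.so", b"not really a library")
    return buf.getvalue()

def is_safe_member(dest_dir: Path, member_name: str) -> bool:
    """True only if dest_dir/member_name resolves to a location inside dest_dir."""
    root = dest_dir.resolve()
    target = (root / member_name).resolve()  # normalises '..' and symlinks
    return target == root or root in target.parents

def safe_extract(zip_bytes: bytes, dest_dir: Path) -> tuple[list[str], list[str]]:
    """Extract members that stay inside dest_dir; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Reject absolute names and anything escaping dest_dir before touching disk.
            if os.path.isabs(name) or not is_safe_member(dest_dir, name):
                rejected.append(name)
                continue
            out = dest_dir / name
            out.parent.mkdir(parents=True, exist_ok=True)
            if not info.is_dir():
                out.write_bytes(zf.read(info))
            extracted.append(name)
    return extracted, rejected

def run_demo() -> dict:
    """Extract the sample archive into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "out"
        dest.mkdir()
        extracted, rejected = safe_extract(build_sample_zip(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "css_ok": (dest / "theme" / "style.css").read_text() == "body { color: #000; }",
            "escaped": (Path(scratch) / "evil.so").exists(),  # must stay False
        }
```

CPython's own `ZipFile.extractall()` already strips `..` components, so the explicit containment check matters most when the same idea is ported to extraction code that does not sanitise names, such as a hand-written loop over `java.util.zip` entries in an Android app.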