After spotting a pair of bugs that could have been chained to hijack accounts, a researcher earned almost $4,000 from TikTok.

In late August, Muhammed Taskiran, a 20-year-old German-based researcher, told TikTok that a URL parameter on tiktok.com "reflected its value without being properly sanitised." This constituted a reflected cross-site scripting (XSS) vulnerability that could be linked to a cross-site request forgery (CSRF) bug that Taskiran had also discovered. The CSRF issue affected an endpoint that allowed the researcher to set a new password for accounts that had used third-party applications to sign up to the social media site. Simply by enticing the intended user to click on a malicious link, an attacker could have exploited the vulnerability to change the password of an account.

Taskiran explained in a report submitted to TikTok through the HackerOne platform: "I combined both vulnerabilities by creating a simple JavaScript payload – triggering the CSRF – which I injected into the vulnerable URL parameter from earlier, to achieve a one-click account takeover."

TikTok rated the issue as "high severity" and awarded the researcher $3,860 for his findings. The organisation partially disclosed the vulnerability analysis, revealing only scant technical details. In recent months, Taskiran has also reported two other bugs against TikTok, including one that won him just over $500.

For high-severity vulnerabilities, TikTok pays between $1,700 and $6,900, and between $6,900 and $14,800 for critical vulnerabilities. To date, the organisation has paid out more than $80,000 for 85 vulnerability reports made to its recently launched bug bounty programme.
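The two weaknesses described above, a reflected URL parameter and a password-change endpoint authenticated by cookie alone, each have a well-known fix. The following is an added illustration written for this page, not TikTok's code or anything from the researcher's report: it shows a vulnerable handler beside its hardened form for both issues, using a constructed in-memory session store in place of a real web framework.

```python
import html
import hmac
import secrets

# Constructed, in-memory stand-ins for a session store and a password store.
SESSIONS = {}   # session_id -> {"user": ..., "csrf": ...}
PASSWORDS = {}  # user -> password


def new_session(user):
    """Create a logged-in session with its own per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_vulnerable(param):
    # Reflects the URL parameter verbatim into the page: a reflected XSS sink.
    return f"<p>Results for {param}</p>"


def render_hardened(param):
    # HTML-escapes the reflected value so any markup in the parameter is inert text.
    return f"<p>Results for {html.escape(param, quote=True)}</p>"


def set_password_vulnerable(sid, new_password):
    # Trusts the session cookie alone, so any cross-site request the browser
    # sends with the cookie attached is accepted: the CSRF weakness.
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    PASSWORDS[sess["user"]] = new_password
    return True


def set_password_hardened(sid, csrf_token, new_password):
    # Additionally requires the per-session token, which a cross-origin page
    # cannot read; compare in constant time to avoid timing side channels.
    sess = SESSIONS.get(sid)
    if sess is None or not csrf_token:
        return False
    if not hmac.compare_digest(sess["csrf"], csrf_token):
        return False
    PASSWORDS[sess["user"]] = new_password
    return True
```

In a real deployment the token would be embedded in the password-change form (or sent as a header by same-origin script) and the session cookie marked SameSite, so that a request originating from a third-party page carries neither.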
Because of national security concerns, the United States government has tried to block TikTok, but the Chinese company is not backing down and has already mounted some legal challenges.
Vulnerabilities Allowed Hackers To Change Passwords Of TikTok Accounts | Cybers Guards