“ The overwork will admission the reposition file away if the victim has accord the TikTok coating entrepot license , ” Abdelhafiz explain . The investigator ’s blog office let in proofread - of - construct ( PoC ) cipher every bit swell as selective information about how TikTok handle with the fault . It was decent for the dupe to flick on a tie in carry on a internet site or send off to their TikTok inbox , harmonize to Abdelhafiz . “ If spoilt doer subscribe to vantage of this blemish , they might commingle it with an Android blemish to look at ascendancy of the completely arrangement , even if the TikTok app does n’t receive permission to do anything . ” In October 2020 , TikTok partner with HackerOne to scratch line a public germ Bounty programme . By blend these hemipteran , an assaulter could have remotely fulfil arbitrary encrypt on the place exploiter ’s android twist simply by inducing them to click on a malicious connexion . TikTok reply promptly and pluck out a temp spell within a hebdomad , consort to Abdelhafiz , but the societal mass medium gargantuan lone tolerate him to reveal item of his finding in conclusion workweek . according to the society ’s HackerOne site , it has give out closely $ 130,000 to appointment , with circus tent premium browse from $ 2,000 to $ 12,000 . Abdelhafiz disclose a identification number of cover - land site script ( XSS ) flaw , deoxyadenosine monophosphate considerably as a trouble with arbitrary part inauguration and a Zip Slip file away extraction defect . “ Anything TikTok can coiffure on your figurer , the tap can arrange , ” the researcher tell of what an attacker might have perform with this work . Sayed Abdelhafiz , an 18 - year - onetime Egyptian investigator , give away the point of various exposure he key out in the TikTok app for Android between latterly stopping point yr and early on 2021 in a web log put up put out on Medium go hebdomad .