Connect with us

Hi, what are you looking for?



TikTok Pays Out $11,000 Bounty for High-Impact Exploit

TikTok vulnerabiliites

TikTok vulnerabiliites

A researcher has earned over $11,000 from TikTok after disclosing a series of vulnerabilities that could have been chained for a high-impact 1-click exploit.

In a blog post published on Medium last week, Sayed Abdelhafiz, an 18-year-old researcher from Egypt, disclosed the details of several vulnerabilities he identified late last year and in early 2021 in the TikTok app for Android.

Abdelhafiz discovered a couple of cross-site scripting (XSS) vulnerabilities, an issue related to starting arbitrary components, and a so-called Zip Slip archive extraction vulnerability. Chaining these vulnerabilities could have allowed an attacker to remotely execute arbitrary code on the targeted user’s Android device simply by convincing them to click on a malicious link.

Abdelhafiz told SecurityWeek that it was enough for the victim to click on a link posted on a website or sent to their TikTok inbox.

As for what an attacker could have done with this exploit, the researcher said “anything TikTok can do on your device, the exploit can do.”

“If the victim has given the storage permission to the TikTok application, the exploit can access the storage’s files,” Abdelhafiz explained. “If bad people exploit this vulnerability, they may chain it with an Android vulnerability to take over the whole device, even if the TikTok app doesn’t have permission to do anything.”

Abdelhafiz told SecurityWeek that TikTok acted quickly and rolled out a temporary fix within a week, but the social media giant only allowed him to disclose details of his findings last week.

Advertisement. Scroll to continue reading.

The researcher’s blog post contains proof-of-concept (PoC) code, as well as information on how TikTok addressed the vulnerabilities.

TikTok launched its public bug bounty program in collaboration with HackerOne in October 2020. On its HackerOne page, the company says it has paid out nearly $130,000 to date, with top bounties ranging between $2,000 and $12,000.

Related: China-Made TikTok App Riddled With Security Holes: Researchers

Related: TikTok Awards Nearly $4,000 for Account Takeover Vulnerabilities

Related: Facebook Paid Out $50K for Vulnerabilities Allowing Access to Internal Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.