hackerone: lrd0036. If you can read this inside the TikTok app, an attacker-controlled origin loaded in an in-app WebView (arbitrary-URL-load).