The annex
The problem is caused by unsafe handling of the world-writable /tmp directory. During a backup, the program creates the /tmp/timeshift directory and, inside it, a randomly named subdirectory containing a shell script of commands that is run as root. The subdirectory holding the script has an unpredictable name, but /tmp/timeshift itself is predictable, and the program does not check whether it has been substituted or whether a symbolic link has been created in its place. An attacker can create /tmp/timeshift under their own account, watch for the subdirectory to appear, and then replace that subdirectory and the file in it. Timeshift will then execute, with root privileges, the file substituted by the attacker instead of the script generated by the program.
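The missing check can be sketched as follows. This is an added example, not Timeshift's own code or its actual fix; the names `ensure_private_dir`, `write_job_script`, `UnsafeWorkDir` and `run.sh` are hypothetical, and it assumes the parent directory is either private or sticky, as /tmp normally is.

```python
import os
import stat
import tempfile


class UnsafeWorkDir(Exception):
    """Raised when the predictable work directory cannot be trusted."""


def ensure_private_dir(path):
    """Create `path`, or verify that an existing entry is safe to use."""
    try:
        os.mkdir(path, 0o700)      # fails if anything already exists there
    except FileExistsError:
        pass                       # possibly pre-created by another user: inspect it
    st = os.lstat(path)            # lstat does not follow a planted symlink
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeWorkDir(f"{path} is not a real directory")
    if st.st_uid != os.geteuid():
        raise UnsafeWorkDir(f"{path} is owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeWorkDir(f"{path} is writable by group or others")
    return path


def write_job_script(base, body):
    """Write a script into a fresh random subdirectory of a verified base."""
    ensure_private_dir(base)
    job_dir = tempfile.mkdtemp(dir=base)   # random name, created with mode 0700
    script = os.path.join(job_dir, "run.sh")
    # O_EXCL and O_NOFOLLOW refuse a pre-existing file or symlink at this path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(script, flags, 0o700), "w") as f:
        f.write(body)
    return script
```

Once the base directory is owned by the running user and not writable by anyone else, another local user can no longer rename or replace the random subdirectory inside it.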
Source: opennet.ru