A recent discovery by developers Tommy Mysk and Talal Haj Bakry reveals that a vulnerability in the popular social media platform TikTok could let an attacker sitting between the app and TikTok's servers replace users' videos with fake ones.
The developer duo has published their findings in a blog post where they explain that some insecure practices followed by TikTok have opened a loophole for attackers.
Just like other social media apps, TikTok uses a CDN (Content Delivery Network) to deliver huge volumes of video and other data over the internet quickly. In TikTok's case, however, the CDN serves that content over plain, unencrypted HTTP, reportedly to improve performance.
HTTP traffic is not encrypted, so anyone on the path between the app and the CDN, be it an attacker on the same network, an ISP, or a government, can read it and can also alter it in transit. Such an observer could see a TikTok user's entire video collection, their watch history, and which videos they download.
The attacker can even replace videos with fake ones, including videos shown on verified TikTok accounts, the developers warn.
Inserting fake video in WHO’s TikTok account
To support their claims, Mysk and Bakry created a proof-of-concept where they inserted a coronavirus misinformation video into the official TikTok account of the World Health Organization (WHO).
However, before you get worried, the trick didn't spread any fake news on the internet, because nothing on TikTok's official servers was changed; only devices whose traffic passed through the developers' own router saw the substituted video.
What the developers did was fool the TikTok app, installed on a device connected to their home Wi-Fi network, into sending its CDN requests to a custom server of their own designed to mimic TikTok's CDNs.
By controlling the router that sits between the TikTok app and TikTok's CDNs, the developers could view and substitute whatever they wanted. All it took was changing the DNS settings on the router so that the CDN hostnames resolved to their fake server every time. Because the connection is plain HTTP, the app has no way to tell that the host answering is not the real CDN; over HTTPS, the impostor would be unable to present a valid certificate for the CDN's hostname and the app would refuse the connection.
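The following is an added example, not code from the article or from Mysk and Bakry's proof of concept. It simulates the setup described above inside one process: a throwaway HTTP server plays the attacker's fake CDN, a patched resolver plays the router whose DNS records were changed, and Python's http.client plays the app. The hostname cdn.example.invalid, the video path and the video bytes are all constructed for the demo; nothing here contacts TikTok. The point it shows is the one the paragraph makes: the plain HTTP fetch accepts the substituted file from whoever answers, while the same fetch over HTTPS with default certificate validation gets nothing because the impostor cannot complete a TLS handshake for that hostname.

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CDN_HOST = "cdn.example.invalid"         # stand-in for a CDN hostname (assumed, not TikTok's)
VIDEO_PATH = "/videos/who-advice.mp4"    # constructed path
FAKE_VIDEO = b"SUBSTITUTED-VIDEO-BYTES"  # what the impostor serves (constructed)
SEEN_HOSTS = []                          # Host headers the impostor receives


class FakeCdn(BaseHTTPRequestHandler):
    """Attacker's server: answers the video path with the substituted file."""

    def do_GET(self):
        SEEN_HOSTS.append(self.headers.get("Host", ""))
        ok = self.path == VIDEO_PATH
        body = FAKE_VIDEO if ok else b"not found"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Type", "video/mp4" if ok else "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class QuietServer(ThreadingHTTPServer):
    def handle_error(self, request, client_address):
        pass  # a garbled or abandoned connection (the TLS attempt) is expected here


def start_fake_cdn():
    """Bind the impostor on loopback; return (server, port)."""
    server = QuietServer(("127.0.0.1", 0), FakeCdn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def poison_dns(hostname, ip):
    """Stand-in for the altered router DNS: make `hostname` resolve to `ip`
    for this process. Returns the original resolver so it can be restored."""
    real_getaddrinfo = socket.getaddrinfo

    def spoofed(host, *args, **kwargs):
        return real_getaddrinfo(ip if host == hostname else host, *args, **kwargs)

    socket.getaddrinfo = spoofed
    return real_getaddrinfo


def fetch_plain_http(port):
    """The 'app' fetching over HTTP: it accepts whatever host answers."""
    conn = http.client.HTTPConnection(CDN_HOST, port, timeout=3)
    try:
        conn.request("GET", VIDEO_PATH)
        return conn.getresponse().read()
    finally:
        conn.close()


def fetch_https(port):
    """The same fetch over HTTPS with default certificate validation.
    The impostor cannot complete a TLS handshake as CDN_HOST, so the
    attempt fails (or times out) and None is returned instead of a body."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(CDN_HOST, port, context=ctx, timeout=3)
    try:
        conn.request("GET", VIDEO_PATH)
        return conn.getresponse().read()
    except (ssl.SSLError, OSError):
        return None
    finally:
        conn.close()


def run_demo():
    """Run the substitution end to end and report what each fetch got."""
    server, port = start_fake_cdn()
    real_resolver = poison_dns(CDN_HOST, "127.0.0.1")
    try:
        return {
            "http": fetch_plain_http(port),
            "https": fetch_https(port),
            "host_seen": SEEN_HOSTS[0] if SEEN_HOSTS else "",
        }
    finally:
        socket.getaddrinfo = real_resolver
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = run_demo()
    print("HTTP  ->", result["http"])        # the substituted bytes
    print("HTTPS ->", result["https"])       # None: handshake refused
    print("app asked for host:", result["host_seen"])
```

The Host header recorded by the impostor shows that the app believed it was talking to the CDN; on a real network the equivalent of `poison_dns` is the router's DNS setting, and nothing in a plaintext HTTP exchange lets the app notice the difference.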
TikTok’s competitors use HTTPS
Mysk also analyzed the traffic of other high-profile TikTok competitors, including YouTube, Instagram and Facebook, and found that almost all of their traffic was passing over HTTPS connections.
“They have ZERO HTTP traces. They transfer all of their data using HTTPS,” he told Mashable.
Both Apple and Google require HTTPS by default: iOS enforces App Transport Security, and Android blocks cleartext traffic for apps targeting Android 9 or later. Both platforms allow exceptions for compatibility reasons, declared in the app's own configuration (an App Transport Security exception in Info.plist on iOS; the android:usesCleartextTraffic manifest flag or a network security config on Android). TikTok appears to have taken advantage of those exceptions.
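As an added example, not taken from the article or from any TikTok source, here are the two platform opt-outs the paragraph refers to, each shown as the weak setting next to the corrected one, together with a small standard-library checker that flags them in an app's own files. The bundle identifier com.example.app and the hostname cdn.example.invalid are constructed for the demo. The Android checker is a flag scan, not a full evaluation of the platform's policy: a network security config overrides the manifest flag when one is present, and the manifest default depends on the app's targetSdkVersion.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# --- iOS: the weak Info.plist disables App Transport Security globally;
# the corrected one declares no exception, so ATS defaults (HTTPS) apply.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

FIXED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
</dict></plist>"""

# --- Android: the manifest flag, and a network security config that carves
# out one (constructed) CDN hostname for cleartext; the corrected files do neither.
WEAK_MANIFEST = b"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

FIXED_MANIFEST = b"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:usesCleartextTraffic="false"/>
</manifest>"""

WEAK_NSC = b"""<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">cdn.example.invalid</domain>
  </domain-config>
</network-security-config>"""

FIXED_NSC = b"""<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""


def ios_cleartext_exceptions(plist_bytes):
    """List the ways an Info.plist lets the app load plain HTTP under ATS."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads (global ATS opt-out)")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"NSExceptionAllowsInsecureHTTPLoads for {domain}")
    return findings


def android_cleartext_exceptions(manifest_bytes, nsc_bytes=None):
    """List cleartext permissions declared in the manifest and, if given,
    in a network security config. Flag scan only: the config overrides the
    manifest flag, and the manifest default depends on targetSdkVersion."""
    findings = []
    app = ET.fromstring(manifest_bytes).find("application")
    if app is not None and app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true":
        findings.append("android:usesCleartextTraffic=true (global opt-out)")
    if nsc_bytes:
        root = ET.fromstring(nsc_bytes)
        base = root.find("base-config")
        if base is not None and base.get("cleartextTrafficPermitted") == "true":
            findings.append("base-config cleartextTrafficPermitted=true")
        for cfg in root.findall("domain-config"):
            if cfg.get("cleartextTrafficPermitted") == "true":
                domains = ", ".join(d.text.strip() for d in cfg.findall("domain"))
                findings.append(f"cleartext permitted for {domains}")
    return findings


if __name__ == "__main__":
    print("weak iOS:     ", ios_cleartext_exceptions(WEAK_INFO_PLIST))
    print("fixed iOS:    ", ios_cleartext_exceptions(FIXED_INFO_PLIST))
    print("weak Android: ", android_cleartext_exceptions(WEAK_MANIFEST, WEAK_NSC))
    print("fixed Android:", android_cleartext_exceptions(FIXED_MANIFEST, FIXED_NSC))
```

Running the checker over an app's Info.plist, AndroidManifest.xml and network_security_config.xml is a quick way to see whether it has carved out a cleartext exception of the kind the article describes; an empty result for both platforms means the OS defaults, which block plain HTTP, are in force.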
All in all, skipping an industry-standard protection is a careless move for an app that has spread like wildfire. To put things in context, TikTok has over 800 million monthly active users.
The popular social media platform already raises plenty of eyebrows because of its Chinese roots. Still, it has grown into a threat to giants like YouTube, which is reported to be working on a TikTok alternative.
Earlier this year, TikTok came under fire for allegedly suppressing videos of disabled users and for a vulnerability that could expose private videos. The app was also labeled spyware by Reddit CEO Steve Huffman.