Monday, 8 September 2025
28 C
Singapore
27.5 C
Thailand
20.1 C
Indonesia
28.3 C
Philippines

TikTok faces a challenge as hackers inject coronavirus videos in people’s accounts

Imagine this: you are scrolling your TikTok feed, and you all over sudden notice a video that you did not upload in your account. It turns out that this is possible after a team of software developers discovered a vulnerability on TikTok that allows hackers to swap videos. Talal Haj Bakry and Tommy Mysk shared their […]

Imagine this: you are scrolling your TikTok feed, and you all over sudden notice a video that you did not upload in your account. It turns out that this is possible after a team of software developers discovered a vulnerability on TikTok that allows hackers to swap videos.

Talal Haj Bakry and Tommy Mysk shared their findings in a post, which explained that the platform uses CDNs (Content Delivery Networks) to transfer their data across the world effectively. So as to improve their performance, these CDNs transfer the data over HTTP, which is unencrypted instead of choosing HTTPS, which is more secure and doesn’t put user’s data at risk.

“Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that user has downloaded and watched, exposing their watch history,” Mysk wrote. “Public Wi-Fi operators, internet service providers, and intelligence agencies can collect this data without much effort,” he further added.

Since TikTok transfers data such as profile pictures and videos via HTTP, these developers found it susceptible to attacks. Basically, attackers could alter the content in transmission, then swap the real video on an account with a fake of their choosing.

They demonstrated how problematic this issue could be by inflicting a DNS attack on a local network. Using the discovered vulnerability, the developers uploaded a video that shared coronavirus misinformation and injected it into WHO’s (World Health Organization) TikTok account. They were also able to use the same process and upload fake videos on TikTok verified accounts such as the Red Cross.

To do it, the developers tricked the TikTok app into directing to a fake server that they had set up and mimicked the CDN servers of TikTok. “This can be achieved by actors who have direct access to the routers that users are connected to,” the duo explained in their post.

However, a malicious actor can use their method and cause some real damage. “If a popular DNS server was hacked to include a corrupt DNS record…misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible,” the developers explained.

Tommy Mysk confirmed that the decision to choose HTTP over HTTPS sets TikTok apart from high-profile platforms such as YouTube, Instagram, Facebook, Twitter, and Snapchat, which all transfer their data using HTTPS.

TikTok has always claimed that it is a secure platform, but several security flaws that have been discovered recently have led to some government workers in the US being banned from using the platform, and this latest security issue is definitely not good news for the company.

Hot this week

Apple may drop physical SIM cards for iPhone 17 and introduce a redesigned case

Apple is set to launch the iPhone 17 on 9 September, with rumours of eSIM-only models and a redesigned clear case with MagSafe.

One in three Australian workers expose company data to AI platforms, Josys warns

Over a third of Australian workers upload sensitive data to AI tools, with Josys warning of rising risks from shadow AI and weak governance.

Fireblocks launches global network for stablecoin payments

Fireblocks launches its Network for Payments to streamline global stablecoin transactions across 100+ countries with compliance and scale.

Bose unveils second-generation QuietComfort Ultra headphones with lossless USB-C support

Bose launches its new QuietComfort Ultra headphones with USB-C lossless audio, longer battery life, and enhanced noise cancellation.

Global Anti-Scam Summit Asia 2025 launches major initiatives to fight online fraud

Global Anti-Scam Summit Asia 2025 in Singapore unveils new initiatives to fight scams with technology, funding, and cross-border collaboration.

OpenAI to launch job platform and AI certification scheme

OpenAI will launch an AI job platform and certification scheme to help employers find talent and upskill job seekers.

Meta improves threaded posts on Threads with clearer design

Meta is updating Threads with clearer thread labels, numbered posts, and new layout tools to improve user experience.

US court rules Google can keep Apple deal but must share search data with rivals

A US court ruled Google can keep its Apple deal but must share search data with rivals, marking a key antitrust decision.

ECOVACS unveils DEEBOT X11 with PowerBoost and expands service robot portfolio at IFA 2025

Ecovacs launches DEEBOT X11 with PowerBoost and expands its service robot lineup with ULTRAMARINE at IFA 2025.

Related Articles

Popular Categories