Imagine this: you are scrolling your TikTok feed, and you all over sudden notice a video that you did not upload in your account. It turns out that this is possible after a team of software developers discovered a vulnerability on TikTok that allows hackers to swap videos.
Talal Haj Bakry and Tommy Mysk shared their findings in a post, which explained that the platform uses CDNs (Content Delivery Networks) to transfer their data across the world effectively. So as to improve their performance, these CDNs transfer the data over HTTP, which is unencrypted instead of choosing HTTPS, which is more secure and doesn’t put user’s data at risk.
“Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that user has downloaded and watched, exposing their watch history,” Mysk wrote. “Public Wi-Fi operators, internet service providers, and intelligence agencies can collect this data without much effort,” he further added.
Since TikTok transfers data such as profile pictures and videos via HTTP, these developers found it susceptible to attacks. Basically, attackers could alter the content in transmission, then swap the real video on an account with a fake of their choosing.
They demonstrated how problematic this issue could be by inflicting a DNS attack on a local network. Using the discovered vulnerability, the developers uploaded a video that shared coronavirus misinformation and injected it into WHO’s (World Health Organization) TikTok account. They were also able to use the same process and upload fake videos on TikTok verified accounts such as the Red Cross.
To do it, the developers tricked the TikTok app into directing to a fake server that they had set up and mimicked the CDN servers of TikTok. “This can be achieved by actors who have direct access to the routers that users are connected to,” the duo explained in their post.
However, a malicious actor can use their method and cause some real damage. “If a popular DNS server was hacked to include a corrupt DNS record…misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible,” the developers explained.
Tommy Mysk confirmed that the decision to choose HTTP over HTTPS sets TikTok apart from high-profile platforms such as YouTube, Instagram, Facebook, Twitter, and Snapchat, which all transfer their data using HTTPS.
TikTok has always claimed that it is a secure platform, but several security flaws that have been discovered recently have led to some government workers in the US being banned from using the platform, and this latest security issue is definitely not good news for the company.