Tuesday, 8 July 2025
31.3 C
Singapore
37.5 C
Thailand
25.6 C
Indonesia
29.3 C
Philippines

TikTok faces a challenge as hackers inject coronavirus videos in people’s accounts

Imagine this: you are scrolling your TikTok feed, and you all over sudden notice a video that you did not upload in your account. It turns out that this is possible after a team of software developers discovered a vulnerability on TikTok that allows hackers to swap videos. Talal Haj Bakry and Tommy Mysk shared their […]

Imagine this: you are scrolling your TikTok feed, and you all over sudden notice a video that you did not upload in your account. It turns out that this is possible after a team of software developers discovered a vulnerability on TikTok that allows hackers to swap videos.

Talal Haj Bakry and Tommy Mysk shared their findings in a post, which explained that the platform uses CDNs (Content Delivery Networks) to transfer their data across the world effectively. So as to improve their performance, these CDNs transfer the data over HTTP, which is unencrypted instead of choosing HTTPS, which is more secure and doesn’t put user’s data at risk.

“Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that user has downloaded and watched, exposing their watch history,” Mysk wrote. “Public Wi-Fi operators, internet service providers, and intelligence agencies can collect this data without much effort,” he further added.

Since TikTok transfers data such as profile pictures and videos via HTTP, these developers found it susceptible to attacks. Basically, attackers could alter the content in transmission, then swap the real video on an account with a fake of their choosing.

They demonstrated how problematic this issue could be by inflicting a DNS attack on a local network. Using the discovered vulnerability, the developers uploaded a video that shared coronavirus misinformation and injected it into WHO’s (World Health Organization) TikTok account. They were also able to use the same process and upload fake videos on TikTok verified accounts such as the Red Cross.

To do it, the developers tricked the TikTok app into directing to a fake server that they had set up and mimicked the CDN servers of TikTok. “This can be achieved by actors who have direct access to the routers that users are connected to,” the duo explained in their post.

However, a malicious actor can use their method and cause some real damage. “If a popular DNS server was hacked to include a corrupt DNS record…misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible,” the developers explained.

Tommy Mysk confirmed that the decision to choose HTTP over HTTPS sets TikTok apart from high-profile platforms such as YouTube, Instagram, Facebook, Twitter, and Snapchat, which all transfer their data using HTTPS.

TikTok has always claimed that it is a secure platform, but several security flaws that have been discovered recently have led to some government workers in the US being banned from using the platform, and this latest security issue is definitely not good news for the company.

Hot this week

Singapore ramps up AI investments but faces hurdles in scaling enterprise adoption

A new IBM study finds that while AI investment is growing in Singapore, few businesses have succeeded in scaling it across the organisation.

Apple hits key milestone in foldable iPhone development

Apple’s foldable iPhone has reached a key milestone with a working prototype, and the company is eyeing a potential launch in the second half of 2026.

AI will make cyber defence harder unless you think like a hacker

Cyber experts warn that AI is making cyber attacks smarter, urging firms to adopt a hacker mindset and prepare through simulations.

Google to roll out update for Pixel 6A battery overheating next week

Google’s July 8 Pixel 6A update limits battery overheating by reducing capacity after 400 cycles, with free replacements for affected users.

China to invest in Brazil-led global forest fund, signalling shift in climate finance

China may invest in Brazil's global forest fund, signalling a shift in climate finance and broader support from emerging economies.

Xiaomi Sound Pocket review: Small in size, big on sound

The Xiaomi Sound Pocket is a sleek, compact speaker with IP67 rating, smart tuning, and strong battery life for all-day listening.

Huawei defends AI model amid claims of using third-party code

Huawei denies using third-party models to train its latest AI, despite claims from a whistleblower and rising competition in China's tech sector.

AI will make cyber defence harder unless you think like a hacker

Cyber experts warn that AI is making cyber attacks smarter, urging firms to adopt a hacker mindset and prepare through simulations.

Persona 5: The Phantom X finally arrives in Southeast Asia

Persona 5: The Phantom X launches in Southeast Asia with a fresh story, fan-favourite characters, and a special event running until July 31.

Related Articles

Popular Categories