How would you react if you see a video on your TikTok feed that does not feel like your own and all of a sudden you think someone has intruded into my account?
Well, this wild supposition can turn out to be true because a team of security engineers has just discovered a vulnerability that can give attackers the opportunity to swap any video that they want within the TikTok accounts.
Elaborating what they found, developers Tommy Mysk and Talal Haj Bakry stated that the world’s most popular social video platform, TikTok takes help from Content Delivery Networks (CDNs) to keep transferring data around the world more effectively. However, the problem arises when these CDNs remain in contact with unencrypted HTTP for the transfer, which later also puts the privacy of users at great risk.
So, with any router working in between the TikTok app and TikTok’s CDNs, public Wifi operators, Internet Service Providers, and intelligence agencies can extract all information regarding what kind of videos a user is watching or downloading.
As a solution to this, Apple and Google had already set their default requirements for apps to use encrypted HTTPS but there are still exceptions for developers who tend to rely on the insecure HTTP more.
The developers found that with TikTok sending data via HTTP, the man-in-the-middle can take advantage of the chance to change the content during transmission and therefore you might see a real video from an account being swapped to a fake one. The developers also showed the importance of this issue by inflicting a DNS attack on a local network.
As a demo, Mysk and Bakry injected a coronavirus video based on misinformation into the official World Health Organisation’s account and a final look of the feed then showed that the video was actually being uploaded by the one managing WHO’s TikTok handle. The duo also got successful in their trick by uploading fake videos to other verified accounts as well including Red Cross and even TikTok’s own official account on the platform.
Hence, in order to see the changes made by Mysk and Bakry in the TikTok app with this trick, a user would only need to connect to a home router. This also clarifies one more point that the swapping of videos doesn’t take place on TikTok’s server.
By this way, hacking a popular DNS server to replace it with a corrupt one for the sake of leaking misleading information, fake news, or abusive videos on a big scale won’t also be impossible.
Tommy also confirmed that TikTok is the only one in the social media world especially when it stands in comparison to its high profile competitors like Facebook and Instagram that transfer data via HTTP (a non-secure protocol). Others had traces of HTTPS only when inspected.
The year 2020 has definitely started on a negative note for TikTok as the company first brought in the spotlight by Check Point, a cybersecurity firm that pointed out numerous security flaws in the platform including how hackers can take control of the user’s account as well.
Just when they fixed the issue above, the team of Mysk and Bakry before as well uncovered another security flaw based on how the app was able to spy on the iPhone’s clipboard data.
TikTok will need to adopt a proactive approach in order to eliminate the increasing security flaws as the company already struggles in maintaining its repute because of its past.
Read next: TikTok Hits 1 Billion Installs on Google Play Store
Well, this wild supposition can turn out to be true because a team of security engineers has just discovered a vulnerability that can give attackers the opportunity to swap any video that they want within the TikTok accounts.
Elaborating what they found, developers Tommy Mysk and Talal Haj Bakry stated that the world’s most popular social video platform, TikTok takes help from Content Delivery Networks (CDNs) to keep transferring data around the world more effectively. However, the problem arises when these CDNs remain in contact with unencrypted HTTP for the transfer, which later also puts the privacy of users at great risk.
So, with any router working in between the TikTok app and TikTok’s CDNs, public Wifi operators, Internet Service Providers, and intelligence agencies can extract all information regarding what kind of videos a user is watching or downloading.
As a solution to this, Apple and Google had already set their default requirements for apps to use encrypted HTTPS but there are still exceptions for developers who tend to rely on the insecure HTTP more.
The developers found that with TikTok sending data via HTTP, the man-in-the-middle can take advantage of the chance to change the content during transmission and therefore you might see a real video from an account being swapped to a fake one. The developers also showed the importance of this issue by inflicting a DNS attack on a local network.
As a demo, Mysk and Bakry injected a coronavirus video based on misinformation into the official World Health Organisation’s account and a final look of the feed then showed that the video was actually being uploaded by the one managing WHO’s TikTok handle. The duo also got successful in their trick by uploading fake videos to other verified accounts as well including Red Cross and even TikTok’s own official account on the platform.
How Did They Do That?
They first fooled the TikTok app by directing it to a fake server that was mimicked as one of TikTok’s CDN servers. Furthermore, the developers also told that this tricked can be achieved by anyone who has easy easy access to the routers.Hence, in order to see the changes made by Mysk and Bakry in the TikTok app with this trick, a user would only need to connect to a home router. This also clarifies one more point that the swapping of videos doesn’t take place on TikTok’s server.
By this way, hacking a popular DNS server to replace it with a corrupt one for the sake of leaking misleading information, fake news, or abusive videos on a big scale won’t also be impossible.
Tommy also confirmed that TikTok is the only one in the social media world especially when it stands in comparison to its high profile competitors like Facebook and Instagram that transfer data via HTTP (a non-secure protocol). Others had traces of HTTPS only when inspected.
The year 2020 has definitely started on a negative note for TikTok as the company first brought in the spotlight by Check Point, a cybersecurity firm that pointed out numerous security flaws in the platform including how hackers can take control of the user’s account as well.
Just when they fixed the issue above, the team of Mysk and Bakry before as well uncovered another security flaw based on how the app was able to spy on the iPhone’s clipboard data.
TikTok will need to adopt a proactive approach in order to eliminate the increasing security flaws as the company already struggles in maintaining its repute because of its past.
Read next: TikTok Hits 1 Billion Installs on Google Play Store
