Imagine a scenario where you find a video you never uploaded posted to your TikTok account. The viral social video platform TikTok has been found to have a vulnerability that allows an attacker to swap videos on any TikTok user's account.
This vulnerability was discovered by software developers Tommy Mysk and Talal Haj Bakry. According to them, TikTok uses Content Delivery Networks, or CDNs, to move its data around the world efficiently. To improve performance, these CDNs transfer the data over HTTP. When unencrypted HTTP is used instead of the more secure HTTPS, users’ privacy is put at risk.
Any router between the TikTok app and TikTok’s CDNs can list all the videos a user has downloaded and watched, exposing their watch history. As a result, public Wi-Fi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort.
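To make the watch-history exposure concrete from the defender's side, here is an added example (not code from the article or from the Mysk researchers) that audits a simplified proxy log of an app's own traffic and reports every media file fetched over plain HTTP. The log format, client addresses and host names (`cdn-a.example`, `api.example`, and so on) are constructed placeholders, not TikTok's real CDN names; everything the function returns is exactly what a router on the path could read.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log, one request per line:
#   <timestamp> <client-ip> <method> <url>
# Hosts and paths are invented placeholders (assumption: a proxy that logs full URLs).
SAMPLE_LOG = """\
2020-04-13T10:00:01Z 10.0.0.5 GET http://cdn-a.example/video/7a1f.mp4
2020-04-13T10:00:04Z 10.0.0.5 GET http://cdn-a.example/video/9c02.mp4
2020-04-13T10:00:06Z 10.0.0.5 GET http://cdn-b.example/avatar/u123.jpg
2020-04-13T10:00:09Z 10.0.0.7 GET https://api.example/v1/feed
2020-04-13T10:00:12Z 10.0.0.7 GET http://cdn-a.example/video/b4d9.mp4
2020-04-13T10:00:15Z 10.0.0.5 POST https://api.example/v1/like
"""

# File types that reveal what a user watched or who they are (video and profile images).
MEDIA_EXTENSIONS = (".mp4", ".webm", ".m3u8", ".jpg", ".jpeg", ".png", ".webp")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD) (\S+)$")


def cleartext_media_fetches(log_text: str) -> dict[str, list[str]]:
    """Map each client IP to the media URLs it fetched over unencrypted HTTP.

    Every URL returned here travels in the clear, so any router between the
    client and the CDN can reconstruct the same per-device watch history.
    """
    exposed = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than failing the whole audit
        _ts, client, method, url = match.groups()
        parts = urlsplit(url)
        if parts.scheme != "http" or method != "GET":
            continue  # HTTPS bodies and non-GET calls do not leak the media path
        if parts.path.lower().endswith(MEDIA_EXTENSIONS):
            exposed[client].append(url)
    return dict(exposed)


def hosts_needing_https(log_text: str) -> list[str]:
    """Distinct hosts that served cleartext media: the list to hand to the app
    team (or to block at the network edge until the app is fixed)."""
    hosts = set()
    for urls in cleartext_media_fetches(log_text).values():
        hosts.update(urlsplit(u).hostname for u in urls)
    return sorted(hosts)


if __name__ == "__main__":
    for client, urls in cleartext_media_fetches(SAMPLE_LOG).items():
        print(f"{client} exposed {len(urls)} media fetch(es) in the clear:")
        for u in urls:
            print("   ", u)
    print("hosts still using HTTP:", ", ".join(hosts_needing_https(SAMPLE_LOG)))
```

The HTTPS requests in the sample are deliberately not reported: with TLS an observer sees only the server name, not the video path, which is the difference the article is pointing at.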
Even though Apple and Google have moved to require apps to use encrypted HTTPS, both platforms still leave exceptions open for developers who choose to use HTTP.
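Those exceptions are declared in each platform's app configuration, so a build-time check can catch them before release. The following added example (not code from the article or from TikTok) audits an iOS `Info.plist` App Transport Security block and an Android `network_security_config.xml` and lists every setting that permits plain HTTP. The keys used (`NSAllowsArbitraryLoads`, `NSExceptionAllowsInsecureHTTPLoads`, `cleartextTrafficPermitted`) are the platforms' real ones; the sample configs and the `legacy-cdn.example` domain are constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET

# --- constructed iOS samples -------------------------------------------------
# Weak: opts the whole app out of App Transport Security.
IOS_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Scoped: ATS stays on, but one domain is exempted (still worth flagging).
IOS_SCOPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-cdn.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# --- constructed Android samples ---------------------------------------------
# Weak: cleartext allowed to every host.
ANDROID_WEAK = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Scoped: cleartext denied by default, allowed for one legacy domain.
ANDROID_SCOPED = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy-cdn.example</domain>
  </domain-config>
</network-security-config>"""


def audit_ios_ats(info_plist: bytes) -> list[str]:
    """Return findings for every ATS setting that permits unencrypted HTTP."""
    findings = []
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ios: NSAllowsArbitraryLoads=true disables ATS for every host")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ios: insecure HTTP permitted for {domain}")
    return findings


def audit_android_nsc(config_xml: bytes) -> list[str]:
    """Return findings for every explicit cleartextTrafficPermitted="true".

    Only explicit permissions are reported; what an absent attribute means
    depends on targetSdkVersion, which this check does not know.
    """
    findings = []
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("android: base-config permits cleartext traffic to every host")
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            domains = ", ".join(d.text.strip() for d in dc.findall("domain"))
            findings.append(f"android: cleartext permitted for {domains}")
    return findings


if __name__ == "__main__":
    for label, finder, blob in [
        ("iOS weak", audit_ios_ats, IOS_WEAK),
        ("iOS scoped", audit_ios_ats, IOS_SCOPED),
        ("Android weak", audit_android_nsc, ANDROID_WEAK),
        ("Android scoped", audit_android_nsc, ANDROID_SCOPED),
    ]:
        print(label, "->", finder(blob) or ["no cleartext exceptions"])
```

A config with no findings is the goal; a scoped exception is the compromise a team can defend if the listed host truly cannot serve HTTPS, whereas the global opt-out reproduces the situation the article describes for every request the app makes.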
Because TikTok transfers videos and profile photos over HTTP, it is exposed to man-in-the-middle attacks: content can be altered in transit, and a real video on an account can be swapped for a fake one of the attacker's choice.
The developers demonstrated this vulnerability by uploading a video containing coronavirus misinformation and injecting it into the World Health Organization’s TikTok account, so that it appeared to be one of the organization’s own videos.
They also used the same technique to show fraudulent uploads on other verified TikTok accounts, such as the Red Cross and TikTok’s own official profile.
They did this by tricking the TikTok app into connecting to a fake server they had set up that mimicked TikTok’s CDN servers.
This requires an attacker with direct access to the routers the user is connected to, which also shows that the video swapping does not happen on TikTok’s own servers. A malicious actor could still cause real harm, though.
If a hacker compromised a popular DNS server to include a corrupt DNS record… misleading information, fake news, or abusive videos would then be viewed on a large scale.
The developers argue that apps of this kind must use HTTPS for everything, mainly for two reasons: privacy and authenticity.
If the TikTok app used HTTPS, this kind of fraud would be more difficult, because a router in the path would not hold a valid HTTPS certificate for the swapped-out content, so the app would reject it.
TikTok’s regular website already serves videos over HTTPS, but the app does not. This indicates that TikTok’s CDN is already equipped to handle HTTPS requests, so the company only has to update its app to use it as well.
TikTok users should be careful about the videos they find on the platform. Don’t rely solely on TikTok videos until this issue is fixed. Until then, it is advised to stop using the TikTok app and use the website instead.