TikTok the second most popular free Android app in 2019 and emerging social media platform which has lately been giving fierce competition to all other legacy social media giants has recently come under the heat because of a serious security flaw that has been discovered.
Two developers Tommy Musk and Talal Haj Bakry have recently revealed a vulnerability in TikTok which enables hackers to replace a user’s videos with fake ones.
The developer duo has made their findings available in a blog post wherein they explained that TikTok’s current loophole for attackers is the result of their insecure practices when it comes to content delivery.
TikTok much like all other social media platforms needs to rely on a Content Delivery Network aka a CDN to quickly transfer gigantic volumes of data such as videos, images and so on over the internet.
However, in the case of TikTok, the CDN they rely on is a lesser form of a secure HTTP connection because it improves their performance. This allows an attacker to easily decipher HTTP Traffic and replace the videos of any chosen account with other fake ones.
Mysk and Bakry also created a proof-of-concept (POC) video to support their claims by inserting a COVID-19 misinformation video into the official TikTok account of the World Health Organization (WHO).
What the developers demonstrated in the above video is how they were able to trick the TikTok app (installed on a device connected to their home WiFi network) into sending requests to their own custom server which was designed to mimic the CDNs that TikTok relies on.
Therefore, this proves that by assuming control over the router present between the TikTok app and the CDNs TikTok relies on, anyone can view and insert any video or image they want.
All that is needed to be done to perform this action is the changing of the DNS record information on the router which will make the TikTok app redirect to the fake server every single time.
“If a popular DNS server was hacked to include a corrupt DNS record as we showed earlier, misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible,” the developers explained in their post.
Back in 2018, Tinder made a similar mistake which TikTok seems to be making right now.
Social Media Platforms Rely On HTTPS
The two developers also dug in the traffic of TikTok’s competitors such as YouTube, Instagram and Facebook to look for similar vulnerabilities. They came to the conclusion that most of these other social media giants rely only on secure HTTPS connections to facilitate the passing of traffic.
The use of HTTPS connections has been mandated by both Apple and Google, however, they have allowed the existence of some exceptions because of compatibility reasons. Now it seems like its these same exceptions that have been made good use of by TikTok.
This vulnerability could affect people at a massive scale because TikTok has already garnered around 800 million monthly users worldwide as of right now.
There have already been raised too many questions about TikTok’s roots coming out of China and now this will surely be another addition to the same pile of doubt it has been gathering lately.
Earlier this year, the app came under a lot of heat on multiple occasions. First, they were accused of allegedly suppressing videos of disabled users and after that, a vulnerability was discovered within the TikTok app which allowed a hacker to expose private videos. Now it remains to be seen how quickly the emerging social media platform takes note of this recent security flaw and fixes it.