Let us imagine this: you are scrolling through your TikTok feed whenever you get the chance, as usual, and all of a sudden you notice a video on your account that you never uploaded.
Yes, it is entirely possible. Two software developers, Tommy Mysk and Talal Haj Bakry, demonstrated how a TikTok flaw allows hackers to stream videos from the account of any user of the application.
Like all social networks and messaging applications, TikTok relies on content distribution networks (CDNs) to distribute the content published on its platform geographically. Unlike most of its competitors, TikTok chose to deliver videos over the unencrypted HTTP protocol.
In doing so, the application, which has more than one billion users worldwide, improves data transfer performance from its servers. That is the main advantage of plain HTTP, but the choice was made at the expense of user security: HTTP traffic can easily be intercepted, or even diverted, by malicious actors.
By exploiting the weaknesses of the HTTP protocol, an attacker can swap the videos published by TikTok users for different videos, including those from popular accounts. All videos posted on TikTok are distributed through various CDNs, which route each video to the users who view it. As the researchers explain, the use of unencrypted HTTP instead of HTTPS makes man-in-the-middle attacks possible.
In other words, an attacker can sit between the CDN and the end users, with the ability to read the transferred packets, or even alter them by replacing them with streams from other servers. “Thus, the attacker can broadcast Fake News in a spam video instead of content actually published by a celebrity or a trusted account.”
To do this, the attacker must first succeed in poisoning the DNS of the targeted users so that they are sent to a fake server mimicking the addresses of TikTok’s CDNs. This is obviously not a simple task, since the attacker would need access to the routers of thousands of users to change their DNS settings.
However, it is quite possible that a widely used DNS resolver, such as an ISP’s, could be compromised directly to route Internet traffic to malicious servers. In that case, fake TikTok videos could potentially be broadcast to millions of users.
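The two preceding paragraphs describe the weak point (cleartext HTTP between the CDN and the client) and the precondition (diverting traffic via DNS). The following Python is an added example, not code from the researchers or from TikTok, showing what a defender checks for on the client side: an audit that flags media fetched over plain HTTP, and a content-digest check that rejects a substituted video regardless of how the traffic was diverted. The hostnames and video payloads are constructed placeholders, and the manifest mechanism is an assumed design (digests obtained over an authenticated channel), not something the page attributes to TikTok.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample of media requests as an app's network log might record them.
# The hostnames are hypothetical placeholders, not real TikTok CDN addresses.
SAMPLE_REQUESTS = [
    "http://video-cdn.example/v/1001.mp4",
    "https://video-cdn.example/v/1002.mp4",
    "http://video-cdn.example/v/1003.mp4",
    "https://api.example/feed?page=1",
]


def audit_cleartext(urls):
    """Return the URLs fetched over plain HTTP. Anything on this list can be
    read or rewritten by an on-path intermediary, which is the flaw the
    researchers reported."""
    return [u for u in urls if urlparse(u).scheme == "http"]


def content_digest(data: bytes) -> str:
    """SHA-256 of a video payload, used as its integrity reference."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(videos):
    """Map video id -> SHA-256 of the bytes the platform actually published.
    Assumed design: the client obtains this manifest over HTTPS (or as a
    signed document), so only the bulk video bytes travel over the CDN."""
    return {vid: content_digest(data) for vid, data in videos.items()}


def verify_download(manifest, vid, data):
    """Accept downloaded bytes only if they match the published digest.
    A substituted stream fails this check whatever its origin."""
    expected = manifest.get(vid)
    if expected is None:
        return False
    return hmac.compare_digest(content_digest(data), expected)


# Constructed "published" videos: tiny byte strings standing in for MP4 payloads.
PUBLISHED = {
    "1001": b"constructed authentic clip from a public-health account",
    "1002": b"constructed authentic clip from a relief organisation",
}
MANIFEST = build_manifest(PUBLISHED)


def simulate_delivery(vid, tampered=False):
    """Model the CDN path. With tampered=True the bytes reaching the client are
    not the published ones, which is what an intermediary rewriting an
    unencrypted HTTP response achieves. Returns (accepted, bytes_received)."""
    data = PUBLISHED[vid]
    if tampered:
        data = b"constructed substituted clip"
    return verify_download(MANIFEST, vid, data), data


if __name__ == "__main__":
    print("cleartext media fetches:", audit_cleartext(SAMPLE_REQUESTS))
    for vid in PUBLISHED:
        intact, _ = simulate_delivery(vid)
        swapped, _ = simulate_delivery(vid, tampered=True)
        print(f"video {vid}: intact accepted={intact}, substituted accepted={swapped}")
```

The audit covers the first half of the problem (plain HTTP is visible to anyone on the path), and the digest check covers the second (a client with an authenticated reference for each video cannot be fed a replacement, even if DNS sends it to the wrong server). Serving everything over HTTPS, as the spokesperson's statement below promises, gives both properties at once.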
The researchers published a proof of concept that consisted of distributing fake videos about the coronavirus from trusted accounts such as those of the WHO and the British and American Red Cross. They nevertheless arranged things so that only users connected to their own network could see the videos (by modifying the DNS settings of their local network).
According to Mashable, a TikTok spokesperson said in a statement: “TikTok prioritizes user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate.”