Developers Tommy Mysk and Talal Haj Bakry have discovered a TikTok vulnerability that allows hackers to show fake videos by executing man-in-the-middle (MitM) attacks. The developers said TikTok uses unsecured Content Delivery Networks (CDNs), which can be intercepted to display fake videos to the end-user. The engineers were able to inject a coronavirus misinformation video on TikTok accounts belonging to reputable bodies such as the World Health Organization, the Red Cross, and other verified accounts.
The nature of the TikTok vulnerability behind fake video swapping
The TikTok vulnerability arises from the use of unsecured CDNs to deliver content around the world. Because of the nature of the content and the need to improve performance, TikTok's CDNs transfer data unencrypted over insecure HTTP. The use of unsecured HTTP allows hackers to sniff traffic and view the request's user data. According to the developers, any router between the TikTok app and TikTok's CDNs can easily view the user's watch history. Third parties such as Internet Service Providers, intelligence agencies, and public Wi-Fi operators can also access this information easily. The kind of content that TikTok transfers, such as pictures and videos, is highly vulnerable to MitM attacks, which makes it easy for hackers to swap videos with fake ones to promote scams, misinformation, or hate.
To protect apps from MitM attacks, Apple and Google have created new guidelines that require all apps to use encrypted HTTPS. The two companies, however, still allow the use of HTTP for backward compatibility. Despite the known issues with unsecured HTTP, TikTok for iOS (Version 15.5.6) and TikTok for Android (Version 15.7.4) exclusively use unsecured HTTP for communication.
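The condition described above (rich media fetched from a CDN over cleartext HTTP) is something an app owner or a network defender can audit for in captured traffic. The following Python script is an added example, not code from the original article or from the researchers; it parses a constructed proxy flow log (the app names, hosts and URLs are made up) and flags every image, video or audio response that was delivered over plain http://, grouping the offending CDN hosts.

```python
import re
from dataclasses import dataclass

# Constructed sample of proxy flow records, one per line (not real traffic):
# "<app-id> <method> <url> <status> <content-type>"
SAMPLE_FLOWS = """\
com.example.videoapp GET http://v16-cdn.example.net/video/abc123.mp4 200 video/mp4
com.example.videoapp GET http://p16-cdn.example.net/img/cover.jpg 200 image/jpeg
com.example.videoapp POST https://api.example.net/feed 200 application/json
com.example.videoapp GET https://v16-cdn.example.net/video/def456.mp4 200 video/mp4
com.example.other GET http://ads.example.org/track.gif 200 image/gif
"""

# Content types whose substitution in transit is the risk discussed above.
MEDIA_TYPES = ("video/", "image/", "audio/")

URL_RE = re.compile(r"(https?)://([^/]+)(/.*)?$")


@dataclass(frozen=True)
class Finding:
    app: str
    host: str
    path: str
    content_type: str


def parse_flow(line):
    """Split one flow record into (app, method, scheme, host, path, status, ctype)."""
    app, method, url, status, ctype = line.split()
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"unparseable URL in flow record: {url!r}")
    scheme, host, path = m.group(1), m.group(2), m.group(3) or "/"
    return app, method, scheme, host, path, int(status), ctype


def find_cleartext_media(log_text, app_filter=None):
    """Return a Finding for each media response carried over cleartext HTTP.

    If app_filter is given, only flows from that app identifier are considered.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        app, _method, scheme, host, path, _status, ctype = parse_flow(line)
        if app_filter and app != app_filter:
            continue
        if scheme == "http" and ctype.startswith(MEDIA_TYPES):
            findings.append(Finding(app, host, path, ctype))
    return findings


def cleartext_hosts(findings):
    """Distinct CDN hosts that served media without TLS, sorted for reporting."""
    return sorted({f.host for f in findings})
```

Run against a real capture, the hosts list is the set of CDN endpoints that need to move to HTTPS (or be blocked by an ATS / network-security-config cleartext policy) before a MitM on the path can swap their content.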
TikTok vulnerability attack simulation
To demonstrate the attack, the independent developers tricked the app into connecting to a fake server that impersonated TikTok's CDN: they mapped the address of TikTok's CDN server to the fake server they ran themselves. Although no such attack has been observed against the actual TikTok app, a malicious actor with access to the routers through which the video-sharing app delivers its content could execute it at any moment. According to the developers, if a popular DNS server were compromised to include a corrupt DNS record, the fake videos would go viral.
Most social media networks are working hard to fight the sharing of fake videos. Unlike other forms of content, fake videos can spread misinformation rapidly because of the attention-grabbing nature of rich media. If a hacker injected a fake video into a trusted account such as the World Health Organization's, the damage caused by such a video would be immense. Fighting fake videos is also tricky because of the high processing power and advanced algorithms needed to analyze video content. With the number of videos uploaded to TikTok each day, analyzing every upload would be a non-trivial undertaking for TikTok.
TikTok's problems with U.S. authorities over security
This latest vulnerability will further undermine an app that has already been plagued by security concerns. Fake video swapping is not the only TikTok vulnerability raising concerns. Mysk and Bakry had earlier discovered another TikTok vulnerability that allowed the app to spy on iPhone users' clipboard history. Check Point, a cybersecurity firm, had discovered yet another TikTok vulnerability that allowed hackers to take control of users' accounts. U.S. authorities had already registered concerns over TikTok's security because of its association with the Chinese company ByteDance. Most U.S. government employees are not allowed to use the app.
TikTok is the only major app to use unsecured communication to deliver its content. Other social media apps such as Facebook, Instagram, and Twitter strictly use secured HTTPS to communicate between the apps and their CDNs.