Two developers named Tommy Mysk & Talal Haj Bakry have newly discovered a TikTok vulnerability that allows hackers to show fake videos by running ‘man-in-the-middle’ (MitM) attacks in order to compromise accounts. The developers explained that TikTok uses unsecured Content Delivery Networks (CDNs), which can, it appears, be intercepted in order to display fake videos to the user.
Engineers were able to inject a Coronavirus misinformation video on TikTok accounts belonging to genuine bodies such as the World Health Organisation (WHO), the Red Cross, & other such trusted bodies.
Fake videos swapping
This TikTok vulnerability emerged from using unsecured CDN networks in order to deliver content worldwide. The type of content & the need to enhance performance, means that TikTok CDNs transfer data in in unencrypted format over insecure HTTP. Use of this unsecured HTTP allows hackers to ‘sniff’ traffic & then to view the request’s user’s own data. Any router between the TikTok app and TikTok’s CDNs can now easily view the user’s watch history. 3rd parties such as Internet Service Providers, Intelligent agencies, & Public Wi-Fi operators can also look-at this information quite easily.
The content that TikTok transfers, such as pictures and videos, is unfortunately very vulnerable to these types of MitM incursions. Hackers can easily swap videos with fake ones in order to promote scams, misinformation, or indeed hate.
In order to protect apps from MitM attacks, Apple and Google have both created new guidelines that now require all apps to use encrypted HTTPS. These companies, however, still allow the use of HTTP for ‘backward compatibility’. Despite the issues with unsecured HTTP, TikTok for iOS (Version 15.5.6) & TikTok for Android (Version 15.7.4) exclusively use unsecured HTTP for their communication.
In order to show the attack, these independent developers ‘tricked’ the app into connecting to a fake server that impersonated TikTok’s CDN. The fake server then mapped the IP address of TikTok’s server to the fake server run by the developers. Attacks have not yet taken place on the actual TikTok app, a bad actor with access to the routers through which the video-sharing app delivers its content can execute the attack anytime. Says the developers, if a popular DNS server was hacked in order to include a corrupt DNS record, then fake videos could go absolutely viral.
Social media networks are working really hard to combat the sharing of fake videos. Unlike other forms of content, fake videos can spread misinformation very quickly because of the compulsive-viewing type of media content. If a hacker uploaded a fake video onto a really trusted account such as the World Health Organisation (WHO), or Center for Disease Control (CDC), then the damage caused by such a video would be immense.
Fighting fake videos can also very difficult. This is related to the high processing power & advanced algorithm that are needed in order to analyse video content. As the number of videos uploaded daily on TikTok is enormous, it would be a massive task for TikTok to analyse each & every video that has been uploaded.
Problems in US & Chinese connection
The latest discovery of TikTok vulnerability will undermine the app that has been hampered by continuing security problems. Fake video swapping is not the only TikTok vulnerability creating serious concerns. Mysk & Bakry had found another TikTok vulnerability, this time that let the app spy on iPhone users’ clipboard history. Check Point, a cybersecurity firm had discovered a further TikTok vulnerability. This let hackers take control of users’ accounts. US authorities had since raised concerns over TikTok’s security because of its association with the Chinese company, Bytedance. The majority of US Govt. staff are now forbidden to use the app.
TikTok is now the only major app that uses unsecured communication in order to deliver its content. Social media apps e.g. Facebook, Instagram, & Twitter now all strictly use secured HTTPS to communicate between the apps and their CDNs.
Is the clock ticking for TIkTok?