TikTok, the popular short video sharing application, is once again in the limelight for all the wrong reasons. A newly disclosed flaw allows attackers to post fake videos to a user's account. The vulnerability is present in TikTok's iOS version 15.5.6 and Android version 15.7.4.
According to two developers, Talal Haj Bakry and Tommy Mysk, TikTok uses insecure HTTP to download media content. This puts user privacy at risk, because cleartext HTTP traffic can be easily tracked and altered by malicious actors on the network path.
The developers say that TikTok relies on Content Delivery Networks (CDNs) to distribute its data geographically over HTTP. Although this improves data-transfer performance, it puts user privacy at risk.
“Any router between the TikTok App and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history. Public Wifi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort,” the developers said in a blog post.
The developers said that they created fake servers that mimic the behaviour of TikTok's CDN servers. To show forged videos, they simply directed the app to the fake server. The report says the fake server then picks a forged video and returns it to the app, where it plays like a real video.
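The root cause described above is media fetched over cleartext HTTP, which is what lets an on-path device substitute content. The following added example (not code from the researchers or from TikTok) is a defender-side check that scans proxy or flow log lines for media downloads made over plain HTTP, and flags hosts that serve the same content over both schemes; the log format and the `.invalid` hostnames are constructed assumptions.

```python
"""Flag cleartext (HTTP) media downloads in constructed proxy/flow log lines."""
import re
from collections import defaultdict

# Constructed sample log, one request per line:
# "<method> <scheme>://<host><path> <status> <content-type>"
SAMPLE_LOG = """\
GET http://cdn-example.invalid/video/abc123.mp4 200 video/mp4
GET https://api-example.invalid/feed?page=1 200 application/json
GET http://cdn-example.invalid/img/thumb/abc123.jpg 200 image/jpeg
GET https://cdn-example.invalid/video/def456.mp4 200 video/mp4
GET http://cdn-example.invalid/video/ghi789.mp4 200 video/mp4
"""

LINE_RE = re.compile(r"^(\S+) (https?)://([^/\s]+)(\S*) (\d{3}) (\S+)$")
# Media that a user watches/sees; these are the fetches an on-path actor can swap.
MEDIA_TYPES = ("video/", "image/", "audio/")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, scheme, host, path, status, ctype = m.groups()
    return {"method": method, "scheme": scheme, "host": host,
            "path": path, "status": int(status), "ctype": ctype}


def find_cleartext_media(log_text):
    """Return (findings, mixed_hosts).

    findings: records for media fetched over plain HTTP (tamperable and
              observable by any router between client and CDN).
    mixed_hosts: hosts seen over both http and https, i.e. the origin does
              support TLS and the cleartext fetches are an app-side choice.
    """
    findings = []
    schemes_by_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        schemes_by_host[rec["host"]].add(rec["scheme"])
        if rec["scheme"] == "http" and rec["ctype"].startswith(MEDIA_TYPES):
            findings.append(rec)
    mixed = sorted(h for h, s in schemes_by_host.items() if s == {"http", "https"})
    return findings, mixed
```

Run against the constructed sample, the three `http://` media fetches are reported and `cdn-example.invalid` is listed as a host that already supports HTTPS, which is the case where switching the app to TLS-only is the straightforward fix.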
The developers demonstrated this by planting fake COVID-19-related content on WHO's TikTok account. “We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the Internet with misleading facts,” the developers said.
The report highlights that users connected to the developers' home routers were able to see the malicious content planted by them. “However, if a popular DNS server was hacked to include a corrupt DNS record as we showed earlier, misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible,” the developers said.