While TikTok is probably the new (well, new-ish) most popular app in the world, it has also gained a kind of notoriety security-wise. Aside from the suspicion some people have about its Chinese roots, it is apparently fairly easy to attack if you know how. Two security researchers and developers were able to carry out a DNS attack on a local network to demonstrate the vulnerabilities in the app's content delivery.
In an extensive blog post explaining their findings, Tommy Mysk and Talal Haj Bakry explained why TikTok's delivery system is particularly vulnerable. The app uses Content Delivery Networks (CDNs) to transfer content more efficiently, but that CDN traffic travels over unencrypted HTTP rather than the more secure HTTPS. Companies like Apple and Google have made HTTPS their default network security configuration, but they still let developers opt out of it for backwards compatibility.
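The opt-out the paragraph refers to is a platform configuration choice, so it helps to see what it actually looks like. The following is an added illustration, not code from the researchers' post or from TikTok: it shows the Android network security configuration and the iOS App Transport Security (ATS) keys that permit cleartext HTTP for a CDN host, next to the hardened defaults. The domain `cdn.example.com` and the file names are placeholders assumed for the example.

```xml
<!-- ===== Android: res/xml/network_security_config.xml =====
     Referenced from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config".
     WEAK (opt-out): cleartext is allowed for the CDN, so anyone on the
     path (Wi-Fi operator, ISP) can read which videos are fetched and an
     on-path attacker can substitute the bytes in transit.
     "cdn.example.com" is a placeholder domain. -->
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">cdn.example.com</domain>
    </domain-config>
</network-security-config>

<!-- ===== Android: hardened equivalent (same file) =====
     Since Android 9 (API 28) this is already the default; stating it
     explicitly keeps older targets from silently allowing http://.
     The app must also avoid android:usesCleartextTraffic="true" in its manifest. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>

<!-- ===== iOS: Info.plist fragment, WEAK (ATS exception) =====
     Exempts the CDN host from App Transport Security, which otherwise
     requires HTTPS for all connections. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>cdn.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

<!-- ===== iOS: Info.plist fragment, hardened =====
     No exception domains and no NSAllowsArbitraryLoads, so ATS enforces
     TLS for every request the app makes. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
</dict>
```

For a defender reviewing a build, these two files (plus `android:usesCleartextTraffic` in the manifest) are the first places to look: any `cleartextTrafficPermitted="true"`, `NSAllowsArbitraryLoads` set to true, or `NSExceptionAllowsInsecureHTTPLoads` entry is a host whose traffic can be read and modified by anyone between the device and the server.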
The researchers showed that any router sitting between the app and the CDNs can see a user's watch history. This means public Wi-Fi operators, ISPs, and intelligence agencies can obtain this data "without much effort". Furthermore, the traffic is susceptible to "man-in-the-middle attacks", where an attacker alters the content while it is in transit and replaces the real video with a fake one.
They were able to insert a coronavirus misinformation video into the World Health Organization's TikTok account. They also showed that other accounts, such as the Red Cross and even TikTok's own account, could have fraudulent videos appear in their feeds. This isn't the first time cybersecurity experts have pointed out security flaws in TikTok. To be fair, the company has worked to correct previous flaws brought to its attention, so hopefully this new one is something it pays attention to as well.
If you want to read more about Mysk's and Bakry's process, their blog post has the details. Meanwhile, if you are on TikTok, check your own posts every once in a while, as someone might have used this vulnerability against you and shown videos you know nothing about.