In their demonstration, researchers showed how they made the app display fake COVID-19 videos as if they had been published by the WHO's and TikTok's official accounts.
An alarming trend we have observed lately, especially in these trying times when millions around the world are forced to stay indoors, is that the more popular an app is, the more attractive a target it becomes and the wider the impact of any security weakness in it. Last week we reported on serious security issues in Zoom, and now the widely popular Chinese social networking platform TikTok is reported to have security flaws of its own.
Two iOS developers who go by the name Mysk have demonstrated how easy it is to trick the TikTok app into fetching its content from a server they control, which could have serious consequences if an attacker did the same. The developers tested TikTok only to prove that the app is not as safe and flawless as it is made out to be.
The reason is that TikTok retrieves media content from the company's CDNs (Content Delivery Networks) over plain HTTP instead of HTTPS. This is not a safe practice: HTTP traffic is neither encrypted nor authenticated, so anyone on the network path can read it and, more importantly in this case, alter it.
HTTPS encrypts data in transit and lets the client verify that it is talking to the genuine server; HTTP does neither, saving only a small amount of connection overhead in return. This weakness allowed the developers to replace videos uploaded by TikTok users with their own misleading videos containing inaccurate information about COVID-19.
They made these videos appear in the app under the handles of credible and verified accounts, including the WHO (World Health Organization), TikTok's own official account, and the British and American Red Cross.
In their blog post, the researchers explained:
We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts.
The three screenshots below, combined into one image, show the fake videos the researchers made the app display under those verified accounts:
They pulled this off with a DNS spoofing attack on their local network, pointing the CDN's hostname at their own server so that the app fetched videos from it instead of from TikTok's CDN. No other TikTok users could see these videos: the fakes were served only from that fake server, and only devices connected to the researchers' network were affected.
Through this trick, however, the developers proved how easy it is to manipulate content on such a popular platform. The issue was identified in TikTok's Android version 15.7.4 and iOS version 15.5.6.
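As an added illustration (this is not code from the original article or from Mysk's write-up), the following Python script models the attack chain on the loopback interface: a stand-in "CDN" that serves a genuine clip, a rogue server that serves a fake one, and a client that, like the TikTok app described above, fetches media over plain HTTP after resolving the CDN hostname through a DNS table that the attacker can rewrite. The hostname, media path and clip contents are constructed for the example. The real fix is to fetch media over HTTPS, where the rogue server could not present a certificate valid for the CDN hostname and the connection would fail before any bytes were shown; the script also shows a complementary integrity check that the article does not mention, comparing the downloaded bytes against a SHA-256 digest the app would have obtained over an authenticated channel such as its HTTPS API.

```python
import hashlib
import http.server
import socketserver
import threading
import urllib.request

# Constructed stand-ins for video files (not real TikTok content).
GENUINE_VIDEO = b"WHO clip: wash your hands for at least 20 seconds"
FAKE_VIDEO = b"Attacker clip: misleading COVID-19 advice"

# Hypothetical CDN hostname and media path, chosen for the example only.
CDN_HOST = "media.cdn.example.invalid"
MEDIA_PATH = "/video/12345.mp4"


class _MediaHandler(http.server.BaseHTTPRequestHandler):
    """Minimal HTTP media server; subclasses set `payload`."""
    payload = b""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "video/mp4")
        self.send_header("Content-Length", str(len(self.payload)))
        self.end_headers()
        self.wfile.write(self.payload)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server(payload):
    """Start a loopback HTTP server on a free port and return it."""
    handler = type("Handler", (_MediaHandler,), {"payload": payload})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_media(dns_table, host=CDN_HOST, path=MEDIA_PATH):
    """Model of the app's plain-HTTP media fetch.

    The hostname is resolved through `dns_table`, which stands in for the DNS
    answers the device receives. An attacker who controls DNS on the local
    network controls this mapping, and plain HTTP gives the client no way to
    notice that the bytes came from the wrong server.
    """
    ip, port = dns_table[host]
    request = urllib.request.Request(
        f"http://{ip}:{port}{path}", headers={"Host": host}
    )
    with urllib.request.urlopen(request, timeout=5) as response:
        return response.read()


def verify_media(body, expected_sha256):
    """Integrity check: compare the fetched bytes against a digest obtained
    over an authenticated channel (e.g. the app's HTTPS API response)."""
    return hashlib.sha256(body).hexdigest() == expected_sha256


def run_demo():
    genuine_cdn = start_server(GENUINE_VIDEO)   # the real CDN
    rogue_server = start_server(FAKE_VIDEO)     # the attacker's machine
    try:
        honest_dns = {CDN_HOST: genuine_cdn.server_address}
        spoofed_dns = {CDN_HOST: rogue_server.server_address}
        expected = hashlib.sha256(GENUINE_VIDEO).hexdigest()

        honest = fetch_media(honest_dns)
        spoofed = fetch_media(spoofed_dns)
        return {
            "honest": honest,
            "spoofed": spoofed,
            "honest_verified": verify_media(honest, expected),
            "spoofed_verified": verify_media(spoofed, expected),
        }
    finally:
        for server in (genuine_cdn, rogue_server):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    result = run_demo()
    print("honest DNS  ->", result["honest"].decode())
    print("spoofed DNS ->", result["spoofed"].decode())
    print("integrity check passes on spoofed fetch?", result["spoofed_verified"])
```

With honest DNS the client receives the genuine clip; with the spoofed table it receives the attacker's clip and the HTTP layer raises no error, which is exactly why the fake videos appeared in the app under verified accounts. Only the digest check, or a TLS handshake that binds the server to the hostname, distinguishes the two cases.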