TikTok videos can be spoofed or swapped with fakes on iOS, Android
Mike PetersonThe TikTok app still downloads some content, including videos, over an unsecured HTTP connection. Image credit: Kon Karampelas
The TikTok app for iOS and Android downloads certain content via an unsecured HTTP connection, leaving videos and other data vulnerable to tampering by hackers.
Developers Talal Haj Bakry and Tommy Mysk have made a habit of researching vulnerabilities in popular apps. In March, the duo found a bug that allowed apps like TikTok to view the contents of an iOS user's clipboard.
Now, Bakry and Mysk are back with new research on the TikTok app, a popular video streaming platform with more than 800 million monthly users. According to network traffic analysis carried out by the duo, the latest versions of the TikTok app still rely on unencrypted HTTP to connect to the company's Content Delivery Network (CDN).
Because the connection is unencrypted, it means a user's video watch history is vulnerable to interception, but the use of HTTP instead of the more secure HTTPS opens the door for more insidious tactics, including man-in-the-middle (MITM) attacks.
A bad actor on a local network could, as an example, swap out any video for a fake one.
As a proof-of-concept, the duo created a fake server that mimics TikTok's CDN servers. They then used MITM techniques to fool the TikTok app into thinking their fraudulent server was legitimate. From there, it was fairly trivial to deliver fake clips.
The duo substituted official Red Cross and World Health Organization clips with ones filled with coronavirus misinformation as an example.
"We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts," the duo wrote. "This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts."
This specific attack does require access to a router's configurations, meaning it's most likely to be exploited by Wi-Fi operators. But the use of HTTP still means that TikTok can be exploited by rogue access points, VPN services, internet service providers and intelligence agencies.
It appears that TikTok only transports certain data via HTTP, including videos, profile photos and still preview images of clips. But videos are, of course, the main and most important feature of the social media platform.
Most online services and websites use HTTPS, which does away with many of the vulnerabilities of its unsecured counterpart. Apple and Google both require apps to use HTTPS connections, but still offer an opt-out option for backward compatibility.
Charles Martin
William Gallagher
Andrew Orr
Malcolm Owen
Christine McKee
Chip Loder
5 Comments
While the research demonstrates a current real world issue on a popular app, the fact that it's Tiktok makes the issue a bit redundant. Tiktok already has an incurable laundry list of issues that extend well beyond technical vulnerabilities. One is just as likely to be served stated-sanctioned propaganda through its legitimate channels, before needing to worry about a complex hijacking of content.
Why doesn’t Apple not require all app data to be encrypted?
Reminds me of the other issue of iOS VPN data not being 100% secure, and Apple saying it’s not a bug.
Seriously who cares. It is an app for making dumb videos and not trading international secrets or bank account information.
Andrew you are so hot. 😍🔥🐻