A group of cybersecurity researchers has uncovered a TikTok security gap that could let attackers spread misinformation videos that appear to come from official accounts. An attacker positioned on the network path between the app and TikTok's servers (a compromised home router or Wi-Fi access point, a malicious VPN provider, or control of the user's DNS or ISP) can intercept the platform's video delivery and substitute videos of their own for the ones the user expects to see.
What’s the problem?
Despite repeated pushes from Google and Apple to move apps to encrypted connections (HTTPS), TikTok has kept unencrypted (HTTP) delivery for its video content, which is simpler to serve and avoids TLS overhead.
That is the issue: TikTok's continued use of plain HTTP for video delivery makes it faster and simpler, but also open to interception and manipulation, which is exactly why major platforms and browsers are pushing so hard for a shift to HTTPS. TikTok uses content delivery networks to push content to a global audience now measured in the hundreds of millions, and those CDNs deliver the video to TikTok users over HTTP. Because nothing on the wire is encrypted or authenticated, anyone who can see or alter the traffic can see which videos a user requests and change what comes back. “This can be easily tracked,” the researchers warn, “and even altered by malicious actors.”
This security flaw allows an attacker to track which videos are being watched by particular accounts or IP addresses, and to intercept and replace them by standing up a fake server and steering the app to it. Forbes tells us:
This security gap enabled the team to monitor the videos being watched by specific users or IP addresses, and, with control of a user’s access point, to mount a man-in-the-middle attack “to alter the downloaded content.”
The researchers prepared some fake videos, using the newsworthy disinformation surrounding the coronavirus pandemic as their lure… They then hosted those videos on a server of their own that had been set up to mimic a TikTok CDN. With control of a user’s DNS settings, mimicking what’s possible with control of an ISP, potentially impacting millions… they said… “we directed the app to our fake server. Because it impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it.”
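The attack described in the quote above, reproduced on loopback as an added example (this is not TikTok's code or the researchers' tooling). A Go "app" downloads a video from a CDN hostname while an attacker who controls name resolution steers that hostname to an impostor server, which records what was requested and answers with its own video. The hostname `video-cdn.example`, the path, and the video bytes are constructed for the demo, and the impostor's certificate is the self-signed one `httptest` generates, standing in for any certificate the attacker has no CA issuance for. Three clients are run: plain HTTP (forgery accepted, request observed), HTTPS with Go's default verification (handshake rejected), and HTTPS with `InsecureSkipVerify` (forgery accepted again, the usual way apps throw HTTPS's protection away).

```go
// Added demonstration, not TikTok's or the researchers' code. Hostname, path and
// video bytes are constructed for the demo; the impostor uses httptest's
// self-signed certificate, which was never issued for the CDN hostname.
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

const (
	cdnHost   = "video-cdn.example" // hypothetical CDN hostname
	videoPath = "/feed/12345.mp4"   // hypothetical video path
)

var forgedVideo = []byte("ATTACKER-SUPPLIED VIDEO BYTES") // constructed payload

// impostorCDN mimics a CDN: it records which video each client asked for (what a
// passive on-path observer also reads from cleartext HTTP) and serves the forgery.
type impostorCDN struct {
	mu       sync.Mutex
	observed []string
}

func (s *impostorCDN) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	s.observed = append(s.observed, r.Host+r.URL.Path)
	s.mu.Unlock()
	w.Header().Set("Content-Type", "video/mp4")
	w.Write(forgedVideo)
}

func (s *impostorCDN) seen() []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return append([]string(nil), s.observed...)
}

// hijackedTransport models attacker control of DNS, ISP or router: every
// connection the app opens to cdnHost is steered to fakeAddr instead.
// TLS verification is left to tlsCfg (nil means Go's defaults).
func hijackedTransport(fakeAddr string, tlsCfg *tls.Config) *http.Transport {
	d := &net.Dialer{}
	return &http.Transport{
		TLSClientConfig: tlsCfg,
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			if host, _, err := net.SplitHostPort(addr); err == nil && host == cdnHost {
				addr = fakeAddr
			}
			return d.DialContext(ctx, network, addr)
		},
	}
}

// fetchVideo plays the role of the app: download the video at url through tr.
func fetchVideo(url string, tr *http.Transport) ([]byte, error) {
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// outcome is what the app ended up with: accepted bytes, or the error that stopped it.
type outcome struct {
	Body []byte
	Err  error
}

// runScenarios runs the three clients against the impostor and returns each
// outcome plus the requests the impostor observed.
func runScenarios() (viaHTTP, viaHTTPS, viaHTTPSNoVerify outcome, observed []string) {
	impostor := &impostorCDN{}
	plain := httptest.NewServer(impostor)
	defer plain.Close()
	secure := httptest.NewTLSServer(impostor) // self-signed cert, not issued for cdnHost
	defer secure.Close()

	var b []byte
	var err error
	b, err = fetchVideo("http://"+cdnHost+videoPath, hijackedTransport(plain.Listener.Addr().String(), nil))
	viaHTTP = outcome{Body: b, Err: err}
	b, err = fetchVideo("https://"+cdnHost+videoPath, hijackedTransport(secure.Listener.Addr().String(), nil))
	viaHTTPS = outcome{Body: b, Err: err}
	b, err = fetchVideo("https://"+cdnHost+videoPath,
		hijackedTransport(secure.Listener.Addr().String(), &tls.Config{InsecureSkipVerify: true}))
	viaHTTPSNoVerify = outcome{Body: b, Err: err}
	return viaHTTP, viaHTTPS, viaHTTPSNoVerify, impostor.seen()
}

func main() {
	viaHTTP, viaHTTPS, viaHTTPSNoVerify, observed := runScenarios()
	fmt.Printf("cleartext HTTP:         body=%q err=%v\n", viaHTTP.Body, viaHTTP.Err)
	fmt.Printf("HTTPS, default verify:  body=%q err=%v\n", viaHTTPS.Body, viaHTTPS.Err)
	fmt.Printf("HTTPS, verify disabled: body=%q err=%v\n", viaHTTPSNoVerify.Body, viaHTTPSNoVerify.Err)
	fmt.Printf("requests the impostor saw: %v\n", observed)
}
```

The middle case is the whole argument for HTTPS: the impostor can be reached, but it cannot present a certificate for `video-cdn.example` that chains to a trusted root, so the app refuses before a single byte of video is exchanged, and the hostname and path never appear in cleartext for an observer to log. The third case shows that HTTPS only helps if the client actually verifies; an app that ships with verification disabled is back to the HTTP situation.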
In an era when the spread of misinformation has become a growing concern amid the coronavirus pandemic, this security issue is all the more troubling.