For those unaware, TikTok app is a popular video streaming platform with more than 800 million monthly users. According to the researchers, the latest versions of the TikTok app still uses the company’s Content Delivery Network (CDN) to pull videos, which has insecure hypertext transfer protocol (HTTP) or no encryption instead of the encrypted hypertext transfer protocol secure (HTTPS) protocol. This means that a man-in-the-middle (MITM) attack can hijack and alter the data that’s being shared between the user and TikTok’s CDN. “Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history,” wrote Mysk and Bakry in a blog post. “Public Wifi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort.” As a proof-of-concept (POC), the duo prepared a collection of forged videos and hosted them on a server that mimics the behavior of TikTok CDN servers. They then used MITM methods to trick the TikTok app to believe that the fake server was legitimate. “To get the TikTok app to show our forged videos, we need to direct the app to our fake server. Because our fake server impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it,” the duo wrote. The researchers were able to change the content and replace the World Health Organization (WHO) coronavirus (COVID-19) videos with fake ones by inserting them into official TikTok account of WHO.
“The use of HTTP to transfer sensitive data has not gone extinct yet, unfortunately. As demonstrated, HTTP opens the door for server impersonation and data manipulation. We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts,” the duo wrote. Thankfully, only users directly connected to the developers’ fake server were affected and no change was made to TitTok’s official servers. However, this doesn’t mean that a malicious actor couldn’t use this method to cause damage. “If a popular DNS server was hacked to include a corrupt DNS record as we showed earlier, misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible,” the duo explained. Developer Mysk also tested the traffic of TikTok’s high-profile competitors like Facebook, Instagram, YouTube, Twitter, and Snapchat. He discovered that they transfer all of their data using HTTPS. “I just tested them all: Facebook, Instagram, YouTube, Twitter, Snapchat” Mysk told Mashable. “They have ZERO HTTP traces. They transfer all of their data using HTTPS.” Apple and Google both require all HTTP connections to use encrypted HTTPS. However, it does allow developers to opt-out of HTTPS for backwards-compatibility as an exception. Currently, the vulnerability affects the TikTok Android app version 15.7.4 and iOS app version 15.5.6 and there is no patch available as of now. To know more about how Mysk performed the TikTok hack, you can head to its website.