Any hacker can steal and replace your viral TikTok videos with fake videos using a vulnerability
TikTok has emerged as a very popular social media tool among the current Millenials. As of this week, it was the top downloaded App on Google Playstore. The ease of uploading your 6 sec videos on TikTok and inexpensive data charges means that even remotely located users are uploading their videos.
However, there is a severe vulnerability in the TikTok App for Android smartphones. The vulnerability was discovered by developers Tommy Mysk and Talal Haj Bakry and can be used by hackers to hack into your TikTok account and steal your viral videos. Furthermore, they can also replace your hit videos with fake ones.
The developer duo has published their findings in a blog post where they explain how hackers can gain access to your TikTok account. The biggest weakness of TikTok is that it uses insecure HTTP to download media content. Like all social media apps with a large userbase, TikTok relies on Content Delivery Networks (CDNs) to distribute their massive data geographically. TikTok’s CDN chooses to transfer videos and other media data over HTTP. While this improves the performance of data transfer, it puts user privacy at risk.
If you know the basics of hacking or web traffic, you can easily track and hack the non-secure HTTP traffic. Hackers use what is called the Man-in-The-Middle (MiTM) to access the traffic between your TikTok App, the ISP and the CDN As a result, an unwanted person can access your entire TikTok video collection. The MiTM allows the hacker to even replace your viral videos with fake ones.
Proof of Concept (PoC) video
To support their claims, Mysk and Bakry created a PoC video where they inserted a coronavirus misinformation video into the official TikTok account of the World Health Organization (WHO).
The developers did not make any changes to TokTok’s official servers hence the video didn’t go viral. What the developers did was to fool the TikTok app into sending requests to their custom server designed to mimic TikTok’s CDNs using MiTM attack.
“If a popular DNS server was hacked to include a corrupt DNS record as we showed earlier, misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible,” the developers explained in their post.
Most video uploader apps use HTTPS connections between them, the App and the CDN. Using HTTPS makes it impossible for hackers or anybody else to penetrate the secure lines between the App, the CDN and the company servers. YouTube, Instagram, Facebook all have their traffic was passing through HTTPS connections. “They have ZERO HTTP traces. They transfer all of their data using HTTPS,” he told Mashable.
The researcher duo showed how easy it was for any hacker or any coder with a little web network knowledge can easily steal your TikTok videos and replace them their own videos.