What you need to know
- TikTok is big. Really big.
- But it isn't without its problems, including security flaws.
- The latest allows bad actors to make fake videos appear as if from trusted accounts.
TikTok is hot right now but it's already had a security scare after it turned out the app could read your iPhone's clipboard without your knowledge. Now things are even worse – people can create fake videos and make them appear as if they came from verified and trusted accounts.
The revelation came after developers Talal Haj Bakry and Tommy Mysk shared details about their escapades in a blog post. The gist is surprisingly simple – TikTok pulls videos from a content delivery network (CDN) via a standard HTTP connection. That means there's no encryption. And that means the whole thing can be spoofed.
Modern apps are expected to preserve the privacy of their users and the integrity of the information they display to them. Apps which use unencrypted HTTP for data transfer cannot guarantee that the data they receive wasn't monitored or altered. This is why Apple introduced App Transport Security in iOS 9, to require all HTTP connections to use encrypted HTTPS. Google has also changed the default network security configuration in Android Pie to block all plaintext HTTP traffic.
Both Apple and Google give developers a way to opt out so they can maintain backward compatibility where needed, but TikTok seems to be using this opt-out option for reasons unknown, and in doing so it opens itself up to all kinds of problems. TikTok for iOS (Version 15.5.6) and TikTok for Android (Version 15.7.4) still use unencrypted connections.
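As an added example (not code from the article or from the researchers' post), the check below audits the two opt-out mechanisms just described: the iOS `NSAppTransportSecurity` dictionary in Info.plist and the Android `cleartextTrafficPermitted` attribute in network_security_config.xml. Both input files are constructed samples, not TikTok's real configuration; the CDN hostname is the one named later in the article.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample Info.plist (not TikTok's real file): ATS is relaxed for
# media loads globally and for one CDN host taken from the article.
SAMPLE_INFO_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoadsForMedia</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>v34.muscdn.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed sample Android network_security_config.xml with a per-domain opt-in.
SAMPLE_ANDROID_NSC = b"""<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">v34.muscdn.com</domain>
  </domain-config>
</network-security-config>"""

# ATS keys that disable the HTTPS requirement app-wide (or for a whole class of loads).
GLOBAL_ATS_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsForMedia",
                   "NSAllowsArbitraryLoadsInWebContent")


def ios_cleartext_exceptions(plist_bytes):
    """List every way the plist lets the app fetch over plain HTTP."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = [key for key in GLOBAL_ATS_KEYS if ats.get(key) is True]
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"insecure HTTP allowed for {domain}")
    return findings


def android_cleartext_exceptions(xml_bytes):
    """List every base or per-domain cleartextTrafficPermitted="true" rule."""
    root = ET.fromstring(xml_bytes)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("cleartext permitted for all domains (base-config)")
    for cfg in root.findall("domain-config"):
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.extend(f"cleartext permitted for {d.text.strip()}"
                            for d in cfg.findall("domain"))
    return findings
```

An empty result from both functions is the state the platforms default to; any finding is a host whose media can be swapped by whoever controls the DNS answer or the network path.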
After a short session of capturing and analyzing network traffic from the TikTok app with Wireshark, it is hard to miss the large amounts of data transferred over HTTP. If you inspect the network packets more closely, you can clearly spot video and image data being transferred in the clear, unencrypted.
So the two developers set about creating their own server and pointing their DNS server at it. That meant that any request for one of TikTok's three media servers went to a server that was owned by the developers. And then they went to work.
We prepared a collection of forged videos and hosted them on a server that mimics the behavior of TikTok CDN servers, namely v34.muscdn.com. To make it simple, we only built a scenario that swaps videos. We kept profile photos intact, although they can be similarly altered. We only mimicked the behavior of one video server. This shows a nice mix of fake and real videos and gives users a sense of credibility.
To get the TikTok app to show our forged videos, we need to direct the app to our fake server. Because our fake server impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it.
The result? See for yourself.
This threat does require that someone have access to the DNS server your device is using. But that's easier than you might think. Internet Service Providers, unscrupulous VPN companies, governments, and more could all tamper with DNS entries. Especially if you happen to live in certain parts of the world.
The use of HTTP to transfer sensitive data has not gone extinct yet, unfortunately. As demonstrated, HTTP opens the door for server impersonation and data manipulation. We successfully intercepted TikTok traffic and fooled the app into showing our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts.
With "around 800 million monthly active users," TikTok really ought to up its game. And fast.