What you need to know
- TikTok is big. Really big.
- But it isn't without its problems, including security flaws.
- The latest lets attackers make fake videos appear to come from verified, trusted accounts.
TikTok is hot right now, but it has already had one security scare, after it turned out the app could read your iPhone's clipboard without your knowledge. Now things are even worse: because the app fetches videos over unencrypted HTTP, anyone who can redirect its traffic can plant fake videos and make them appear to come from verified, trusted accounts.
The revelation came after developers Talal Haj Bakry and Tommy Mysk shared details of their work in a blog post. The gist is surprisingly simple: TikTok pulls videos from a content delivery network (CDN) over plain HTTP. That means no encryption, and, just as importantly, no proof of who is on the other end of the connection. Anyone who can steer the app's requests to their own server can therefore substitute their own content, and the app has no way to tell.
Modern apps are expected to preserve the privacy of their users and the integrity of the information they display to them. Apps which use unencrypted HTTP for data transfer cannot guarantee that the data they receive wasn't monitored or altered. This is why Apple introduced App Transport Security in iOS 9, to require all HTTP connections to use encrypted HTTPS. Google has also changed the default network security configuration in Android Pie to block all plaintext HTTP traffic.
Both Apple and Google give developers a way to opt out of those defaults so that apps can keep working with legacy servers where needed, and TikTok appears to be using that opt-out, for reasons unknown. Doing so exposes the app to exactly this kind of tampering. According to the researchers, TikTok for iOS (version 15.5.6) and TikTok for Android (version 15.7.4) still use unencrypted connections.
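The opt-outs referred to above are an `NSAppTransportSecurity` dictionary in an iOS app's Info.plist and a `network_security_config.xml` on Android. The following added example (not code from the article, from the researchers, or from TikTok) is a small audit script that parses both formats and lists every setting that permits plaintext HTTP. The sample configurations embedded in it are constructed for the demo; the only real name in them is the `muscdn.com` CDN domain quoted later in the article, and the "weak" files are an illustration of the kind of exception that would produce this behaviour, not TikTok's actual configuration.

```python
"""Audit iOS Info.plist and Android network_security_config.xml for plaintext-HTTP opt-outs.

Added example, not from the article or from TikTok. The sample configs below are
constructed for this demo; muscdn.com is the CDN domain named in the article.
"""
import plistlib
import xml.etree.ElementTree as ET

# Constructed: an ATS block that both disables ATS globally and adds a domain exception.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>muscdn.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed: no NSAppTransportSecurity key at all, so the iOS 9+ default (HTTPS only) applies.
FIXED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.app</string>
</dict>
</plist>
"""

# Constructed: cleartext blocked by default but re-enabled for the CDN domain and its subdomains.
WEAK_ANDROID_NSC = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">muscdn.com</domain>
  </domain-config>
</network-security-config>
"""

# Constructed: cleartext blocked everywhere, matching the Android 9 default.
FIXED_ANDROID_NSC = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
</network-security-config>
"""


def ats_plaintext_findings(plist_bytes):
    """Return a list of ways this Info.plist permits plaintext HTTP (empty list = none)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: plaintext HTTP allowed to every host")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and subdomains" if rules.get("NSIncludesSubdomains") else "only"
            findings.append(f"{domain} ({scope}): NSExceptionAllowsInsecureHTTPLoads")
    return findings


def android_cleartext_findings(xml_bytes):
    """Return a list of ways this network_security_config permits cleartext (empty = none)."""
    root = ET.fromstring(xml_bytes)
    findings = []
    base = root.find("base-config")
    if base is None:
        # Without a base-config the platform default applies: blocked from Android 9, allowed earlier.
        findings.append("no base-config: platform default applies (blocked on Android 9+, allowed before)")
    elif base.get("cleartextTrafficPermitted", "false").lower() == "true":
        findings.append("base-config: cleartext permitted to every host")
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted", "").lower() != "true":
            continue  # inherits base-config, already reported above if permissive
        for dom in dc.findall("domain"):
            scope = "and subdomains" if dom.get("includeSubdomains") == "true" else "only"
            findings.append(f"{dom.text.strip()} ({scope}): cleartext permitted")
    return findings


if __name__ == "__main__":
    for name, fn, data in [
        ("weak Info.plist", ats_plaintext_findings, WEAK_INFO_PLIST),
        ("fixed Info.plist", ats_plaintext_findings, FIXED_INFO_PLIST),
        ("weak Android NSC", android_cleartext_findings, WEAK_ANDROID_NSC),
        ("fixed Android NSC", android_cleartext_findings, FIXED_ANDROID_NSC),
    ]:
        print(name, "->", fn(data) or "no plaintext opt-outs")
```

Run the script as-is to see the two weak files flagged and the two fixed files pass; point the functions at a real app's extracted Info.plist or `res/xml/network_security_config.xml` to check a build before shipping. Note that a domain-level exception is no safer for the media it covers than disabling ATS outright: the point of the article is that the CDN traffic itself is what gets spoofed.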
After a short session of capturing and analyzing network traffic from the TikTok app with Wireshark, it is hard to miss the large amounts of data transferred over HTTP. If you inspect the network packets more closely, you will clearly spot video and image data being transferred in the clear, unencrypted.
So the two developers set up their own server and pointed a DNS server at it, so that the app's requests for one of TikTok's three media servers went to a machine the developers owned instead of the real CDN. Then they went to work.
We prepared a collection of forged videos and hosted them on a server that mimics the behavior of TikTok CDN servers, namely v34.muscdn.com. To make it simple, we only built a scenario that swaps videos. We kept profile photos intact, although they can be similarly altered. We only mimicked the behavior of one video server. This shows a nice mix of fake and real videos and gives users a sense of credibility.
To get the TikTok app to show our forged videos, we need to direct the app to our fake server. Because our fake server impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it.
The result? See for yourself.
This attack does require that someone control the DNS server your device uses, or otherwise sit on the network path between you and the CDN, since plain HTTP gives the app no way to detect either substitution. That is easier than you might think: internet service providers, unscrupulous VPN companies, governments and others could all tamper with DNS answers, especially in certain parts of the world.
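To make the redirect-and-impersonate scenario described above concrete, here is an added example (not code from the article or from Mysk's write-up) that simulates it end to end on one machine: two local HTTP servers stand in for the real CDN and the attacker's look-alike, a dictionary stands in for the device's DNS, and a client that fetches over plain HTTP accepts whatever the resolved address returns. It also shows one mitigation the article does not discuss, a content digest obtained over an authenticated channel, which is an assumption of this demo rather than anything TikTok does; the hostname is the `v34.muscdn.com` server quoted above, while the path, addresses and video bytes are constructed.

```python
"""Simulation of CDN spoofing over plain HTTP via a poisoned resolver.

Added example, not code from the article or from the researchers. Hostname
v34.muscdn.com is from the article; path, payloads and the digest check are
constructed assumptions for this demo.
"""
import hashlib
import hmac
import http.client
import http.server
import threading
from urllib.parse import urlparse

CDN_HOST = "v34.muscdn.com"  # CDN host named in the article
VIDEO_PATH = "/clip.mp4"     # constructed path

# Constructed payloads: the genuine clip and what the attacker substitutes.
GENUINE_VIDEO = b"ftypmp42 genuine clip from a verified account"
FORGED_VIDEO = b"ftypmp42 forged clip planted by the attacker"


class _CdnHandler(http.server.BaseHTTPRequestHandler):
    content = b""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "video/mp4")
        self.send_header("Content-Length", str(len(self.content)))
        self.end_headers()
        self.wfile.write(self.content)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_cdn(content):
    """Start a local HTTP server answering every GET with `content`.
    Over plain HTTP a real CDN and a fake one are indistinguishable to the client."""
    handler = type("Handler", (_CdnHandler,), {"content": content})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def app_fetch(url, resolver):
    """Vulnerable client: resolve the host through `resolver` (standing in for
    the device's DNS), connect, and accept whatever comes back. Nothing on a
    plain HTTP connection proves the peer is really the CDN."""
    u = urlparse(url)
    if u.scheme != "http":
        raise ValueError("this demo models the plaintext path only")
    ip, port = resolver[u.hostname]
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", u.path, headers={"Host": u.hostname})
    body = conn.getresponse().read()
    conn.close()
    return body


class IntegrityError(Exception):
    pass


def app_fetch_verified(url, resolver, expected_sha256):
    """Hardened client: same transport, but the body must match a digest the app
    obtained over an authenticated channel (e.g. its HTTPS API). This is an
    assumed mitigation for the demo, on top of, not instead of, using HTTPS."""
    body = app_fetch(url, resolver)
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError(f"{url}: digest mismatch, content was tampered with")
    return body


def run_demo():
    real_cdn = start_cdn(GENUINE_VIDEO)
    fake_cdn = start_cdn(FORGED_VIDEO)
    try:
        url = f"http://{CDN_HOST}{VIDEO_PATH}"
        expected = hashlib.sha256(GENUINE_VIDEO).hexdigest()
        honest_dns = {CDN_HOST: real_cdn.server_address}
        poisoned_dns = {CDN_HOST: fake_cdn.server_address}  # ISP/VPN/state resolver tampering
        results = {
            "honest": app_fetch(url, honest_dns),
            "poisoned_plain": app_fetch(url, poisoned_dns),
            "honest_verified": app_fetch_verified(url, honest_dns, expected),
        }
        try:
            app_fetch_verified(url, poisoned_dns, expected)
            results["poisoned_verified"] = "accepted"
        except IntegrityError:
            results["poisoned_verified"] = "rejected"
        return results
    finally:
        real_cdn.shutdown()
        fake_cdn.shutdown()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value!r}")
```

The `poisoned_plain` result is the article's finding in miniature: the client asked for `v34.muscdn.com` and got the forged clip, with no error. The digest check catches the swap only because the expected value came from somewhere the attacker could not alter, which is why the real fix is the platform default the article mentions, fetching the media over HTTPS so the server is authenticated and the bytes are protected in transit.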
The use of HTTP to transfer sensitive data has not gone extinct yet, unfortunately. As demonstrated, HTTP opens the door for server impersonation and data manipulation. We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts.
With "around 800 million monthly active users," TikTok really ought to up its game. And fast.