A newly disclosed vulnerability in TikTok puts user privacy at risk. According to app developers Tommy Mysk and Talal Haj Bakry, the problem lies in the way TikTok uses the plain HTTP protocol to download media content. If exploited, the vulnerability allows attackers to show users fake videos.
New TikTok Vulnerability poses privacy risks
Like other popular social media apps, TikTok uses Content Delivery Networks (CDNs) to deliver videos. TikTok’s CDN, however, serves these videos over unencrypted HTTP, and that is the root of the issue: as the developers warn, anyone on the network path can observe and alter HTTP traffic.
Mysk has published a detailed blog post describing how attackers can replace original videos published by TikTok creators, including those with verified accounts:
“Modern apps are expected to preserve the privacy of their users and the integrity of the information they display to them. Apps which use unencrypted HTTP for data transfer cannot guarantee that the data they receive wasn’t monitored or altered.”
To address this class of problem, iOS 9 introduced App Transport Security, which requires apps’ network connections to use encrypted HTTPS. Google made a similar change on its side, blocking plaintext HTTP traffic starting with Android Pie.
The developers found that a slightly older version of TikTok for Android (version 15.7.4) uses unencrypted HTTP to connect to TikTok’s CDN. TikTok has since rolled out an updated version of the Android app (version 15.7.5).
The same issue is present in TikTok for iOS version 15.5.6. As of this writing, TikTok has not released an update to its iOS app.
We don’t know yet whether the updated version of TikTok for Android has fixed the issue.
By monitoring TikTok’s network traffic, the developers were able to see media content being transferred over unencrypted HTTP.
Because every video, profile photo and video still image is fetched in cleartext, an observer on the network path can also reconstruct a user’s private watch and download history simply by reading the URLs requested. Both the Android and iOS TikTok apps transfer this media over unencrypted HTTP.
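The observation above is easy to reproduce in an audit of any app: capture the app’s requests through a proxy and flag every media fetch whose URL scheme is `http`. The script below is an added example written for this article, not code from the original post or from Mysk’s research. The log lines and the `cdn.example-video.invalid` / `api.example-video.invalid` hostnames are constructed placeholders (assumptions), not TikTok’s real endpoints; the input format (`METHOD URL` per line) is also an assumption about how a proxy export might look.

```python
"""Flag cleartext (http://) media fetches in a captured request log.

Added example, not code from the article or from Mysk's research.
The sample log below is constructed; hostnames are placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# File extensions that indicate media objects (videos, stills, profile photos).
MEDIA_EXTENSIONS = {".mp4", ".webm", ".m3u8", ".ts", ".jpg", ".jpeg", ".png", ".gif"}

# Constructed sample of proxy output: one "<METHOD> <URL>" per line.
SAMPLE_LOG = """\
GET http://cdn.example-video.invalid/v/1234/video.mp4
GET https://api.example-video.invalid/feed?page=1
GET http://cdn.example-video.invalid/img/profile_42.jpg
GET https://cdn.example-video.invalid/v/5678/video.mp4
POST https://api.example-video.invalid/like
GET http://cdn.example-video.invalid/v/9012/still.png
"""


@dataclass(frozen=True)
class Finding:
    method: str
    url: str
    reason: str


def is_media(path: str) -> bool:
    """True if the URL path ends with a known media extension."""
    return any(path.lower().endswith(ext) for ext in MEDIA_EXTENSIONS)


def audit(log_text: str) -> list[Finding]:
    """Return one Finding per request that was sent over plain HTTP.

    Media fetched in cleartext is the serious case: an on-path attacker can
    both read it (watch history) and swap it (fake videos). Any other
    cleartext request is still reported, since it too is unauthenticated.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        method, _, url = line.partition(" ")
        parsed = urlparse(url)
        if parsed.scheme != "http":
            continue  # https (or anything else) is not in scope here
        reason = "cleartext media fetch" if is_media(parsed.path) else "cleartext request"
        findings.append(Finding(method, url, reason))
    return findings


def cleartext_hosts(findings: list[Finding]) -> set[str]:
    """Hosts that served anything over plain HTTP; these need HTTPS (or an
    App Transport Security / network-security-config review on the client)."""
    return {urlparse(f.url).hostname for f in findings}


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, for a quick triage view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.reason:22} {f.method} {f.url}")
    print("hosts needing HTTPS:", sorted(cleartext_hosts(results)))
    print("summary:", summarize(results))
```

Run against the constructed log, the script reports three cleartext media fetches, all from the same CDN host, and no cleartext API calls. The same check applied to a real capture tells a reviewer which hosts an app still reaches over HTTP and therefore where a man-in-the-middle could swap content or record what the user watched.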
Man-in-the-middle attack on TikTok possible
Because the media travels in cleartext, an attacker positioned on the network path can mount a man-in-the-middle attack on TikTok’s traffic and alter the videos the app displays.
“While a picture is worth a thousand words, a video is certainly worth more. Thus, the attacker can convey more fake facts in a spam video swapped with a video that belongs to a celebrity or a trusted account.”
The developers demonstrated this by tricking the app into showing their own videos as if they had been published by popular, verified accounts. A video demonstration was published alongside their post.
TikTok has around 800 million monthly active users around the world.