Security researchers Tommy Mysk and Talal Haj Bakry have discovered a vulnerability in TikTok that could allow hackers to post videos on behalf of other users. To demonstrate it, they published videos on several popular TikTok accounts, including the official WHO account, where a fake video about the coronavirus COVID-19 appeared.
The problem is that the social network uses the unencrypted HTTP protocol instead of the more secure HTTPS. Because of this, owners of public Wi-Fi networks, internet providers and government agencies can see the browsing history of any TikTok user, the researchers note.
Because it relies on HTTP, the social network is exposed to hacker attacks. The researchers were able to change the content and replace users' real videos with fake ones by carrying out a DNS attack on the network. They then published a video demonstrating how they injected a video containing false information into the verified WHO account.
Fake coronavirus videos on the WHO account
The researchers did not replace the videos on the TikTok server, only on their home network, so only users connected through their router would see the changes. However, the researchers believe the vulnerability could be exploited on a larger scale, since hackers can break into popular DNS servers.
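To make the mechanism concrete, here is an added Python model (not the researchers' code) of the experiment: a spoofed resolver hands the app an impostor's address, and the outcome depends only on whether the client can authenticate the server. Hostnames, addresses, keys and video names are constructed, and the CA signature is simplified to an HMAC.

```python
import hashlib
import hmac

# Constructed values: a CA secret the attacker does not hold, and a CDN hostname.
CA_KEY = b"constructed-ca-secret"
CDN_HOST = "video-cdn.example"

def issue_cert(ca_key: bytes, hostname: str, server_key: bytes) -> dict:
    """CA binds a hostname to a server key. Simplified: an HMAC stands in for
    the CA's signature, and the client verifies with the same key (a real
    client would hold only the CA's public key)."""
    sig = hmac.new(ca_key, hostname.encode() + server_key, hashlib.sha256).hexdigest()
    return {"host": hostname, "key": server_key, "sig": sig}

def cert_valid(cert: dict, expected_host: str) -> bool:
    """Client-side check: signature must verify and the name must match."""
    expected = hmac.new(CA_KEY, cert["host"].encode() + cert["key"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"]) and cert["host"] == expected_host

# ip -> (video the host serves, certificate it presents). The impostor claims the
# CDN's name but can only present a certificate the CA never issued.
SERVERS = {
    "203.0.113.10": ("who-official.mp4", issue_cert(CA_KEY, CDN_HOST, b"cdn-key")),
    "198.51.100.7": ("fake-covid.mp4", {"host": CDN_HOST, "key": b"impostor", "sig": "0" * 64}),
}

HONEST_DNS = {CDN_HOST: "203.0.113.10"}   # answer from an untampered resolver
SPOOFED_DNS = {CDN_HOST: "198.51.100.7"}  # answer from a router under the researchers' control

def fetch(resolver: dict, host: str, scheme: str) -> str:
    """Resolve the host and fetch its video: over http the client trusts whatever
    the resolver returned; over https it refuses a host that cannot prove its name."""
    video, cert = SERVERS[resolver[host]]
    if scheme == "https" and not cert_valid(cert, host):
        raise ConnectionError(f"handshake failed: server cannot prove it is {host}")
    return video

def run() -> dict:
    """Fetch the same video over both schemes, with an honest and a spoofed resolver."""
    results = {}
    for label, dns in (("honest", HONEST_DNS), ("spoofed", SPOOFED_DNS)):
        results[("http", label)] = fetch(dns, CDN_HOST, "http")
        try:
            results[("https", label)] = fetch(dns, CDN_HOST, "https")
        except ConnectionError:
            results[("https", label)] = "blocked"
    return results

if __name__ == "__main__":
    for (scheme, label), outcome in run().items():
        print(f"{scheme:5} via {label:7} resolver -> {outcome}")
```

Only the cleartext fetch through the spoofed resolver returns the impostor's video; the same spoofing against HTTPS ends in a failed handshake.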
In early 2020, Check Point discovered a vulnerability that allowed hackers to manage other people's TikTok accounts. Later, the team of Mysk and Bakry found a security problem in TikTok that gave the app access to the clipboard on the iPhone.
"The use of HTTP to transfer sensitive data has not gone extinct yet, unfortunately. As demonstrated, HTTP opens the door for server impersonation and data manipulation. We successfully intercepted TikTok traffic. In addition, we fooled the app into showing our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts. TikTok, a social networking giant with around 800 million monthly active users, must adhere to industry standards in terms of data privacy and protection," said the researchers.