2020-04-15

The privacy of TikTok users is at risk. That is the complaint made by Mysk Inc, a small software development company whose employees have discovered a vulnerability in the popular mobile video app that would allow an attacker not only to know which videos a user watches, but also to manipulate them.

The key to this security hole lies in the fact that TikTok, like many other social apps, uses a CDN (Content Delivery Network) to transfer multimedia content … but TikTok's CDN traffic uses the insecure HTTP protocol, which has been steadily giving way to its encrypted successor, HTTPS.

Using HTTP is a problem

The problem with HTTP traffic is that it can be observed and altered, as Tommy Mysk and Talal Haj Bakry, developers at Mysk Inc., explain: “Applications that use unencrypted HTTP for data transfer cannot guarantee that the data they receive was not monitored or altered.”

In fact, monitoring unencrypted network traffic is relatively straightforward with tools such as Wireshark and, as the experiment conducted by Mysk and Bakry shows, it can reveal the app's entire download history.

In addition, it facilitates a ‘man-in-the-middle’ attack (also known as an intermediary attack), which consists of placing an intermediary between the TikTok server and the user, allowing the data delivered to the latter to be intercepted and manipulated.

In the words of Mysk Inc, “any router located between the CDNs and the TikTok app” can reveal that information, including “public Wi-Fi operators, Internet or VPN providers, or intelligence agencies”.

Image: the traffic of a TikTok user, revealed by the Wireshark tool (via Mysk)
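As an added illustration that is not part of the original article or of Mysk's work: the Python script below takes a constructed export of captured requests (invented placeholder hostnames, not TikTok's real CDN addresses) and separates what a passive observer learns from plaintext traffic, the download history, from the fetches an on-path party could also rewrite, the unencrypted media.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample export: one request per line as "METHOD URL CONTENT-TYPE".
# Hostnames and paths are invented placeholders, not real TikTok CDN addresses.
SAMPLE_EXPORT = """\
GET http://cdn-example.invalid/video/abc123.mp4 video/mp4
GET http://cdn-example.invalid/video/def456.mp4 video/mp4
GET https://api-example.invalid/v1/feed application/json
GET http://cdn-example.invalid/thumb/abc123.jpg image/jpeg
GET https://cdn-example.invalid/video/ghi789.mp4 video/mp4
"""

MEDIA_PREFIXES = ("video/", "image/", "audio/")


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    content_type: str

    @property
    def plaintext(self) -> bool:
        # Anything fetched over http:// can be read and rewritten in transit.
        return urlsplit(self.url).scheme == "http"

    @property
    def is_media(self) -> bool:
        return self.content_type.startswith(MEDIA_PREFIXES)


def parse_export(text: str) -> list[Request]:
    """Parse the three-column export; blank or malformed lines are skipped."""
    requests = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            requests.append(Request(*parts))
    return requests


def plaintext_media(requests: list[Request]) -> list[str]:
    """URLs of media fetched without TLS: the set an on-path party could swap."""
    return [r.url for r in requests if r.plaintext and r.is_media]


def exposed_history(requests: list[Request]) -> dict[str, list[str]]:
    """What a passive observer learns: per host, every path fetched over HTTP."""
    history: dict[str, list[str]] = {}
    for r in requests:
        if r.plaintext:
            u = urlsplit(r.url)
            history.setdefault(u.hostname, []).append(u.path)
    return history
```

The same split applies to a real Wireshark or proxy export once its columns are mapped onto the three fields above; the HTTPS video on the last sample line shows up in neither result.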

This is the ‘change’ to a video

But the big problem the company denounces is that this kind of attack allows one video to be replaced by another, making it possible to attribute false content to a celebrity or to an account that is in principle trustworthy, and thus to spread misleading content.

In their experiment, they built a server that mimicked the behavior of TikTok's CDN servers and used it to insert misleading videos about the coronavirus, getting them to appear as if attributed to accounts such as the Red Cross, the World Health Organization or TikTok itself.

Image: manipulated video, in which the statement “Washing hands too often causes skin cancer” appears attributed to the WHO (via Mysk).

With the technique used in their experiment, “only users connected to my home router could see malicious content” … but if someone compromised a popular DNS server, they could redirect traffic to a ‘fake’ server in the same way, reaching millions of users.

And now?

Mysk’s experiment was not carried out with the latest version of TikTok for Android (the penultimate version, 15.7.4, was used, and they do not know whether the latest update has fixed the problem). On iOS, however, the latest available version (15.5.6) was used.

From Genbeta we have contacted TikTok to hear their version of events and what measures they plan to take. When we receive a response, we will include it in this article.