Tuesday, January 26, 02:21

TikTok vulnerability allows hackers to replace viral video


According to developers Tommy Mysk and Talal Haj Bakry, a vulnerability they discovered in the popular social network TikTok could allow hackers to replace users' videos with fake ones.

The two developers published their findings in a blog post, stating that some of the platform's practices, which are not safe, have created a security gap that can be exploited by malicious actors.

Like other social media applications, TikTok uses a CDN (Content Delivery Network) to quickly transfer huge amounts of video and other data over the Internet. However, in the case of TikTok, the CDN uses a less secure HTTP connection to improve performance.

It is known that an intruder, a government or an ISP could easily intercept and read HTTP traffic. In this way, a malicious actor could gain access to a TikTok user's videos, as well as their viewing history and the videos they download.

The attacker could even replace these videos with fake ones or with videos from any account.

To substantiate their claims, Mysk and Bakry created a proof of concept in which they uploaded a misinformation video about the coronavirus to the official TikTok account of the World Health Organization (WHO).

The developers fooled the TikTok app on a device connected to their home WiFi network into sending requests to a custom server designed to mimic TikTok's CDNs.

So, by taking control of the server that sits between the TikTok application and its CDNs, the developers could display and insert whatever they wanted, simply by changing the DNS record information on the server, making the application redirect to the fake server each time.

However, this does not mean that damage could not be caused. "If a popular DNS server had been compromised to include a malicious video, as we showed earlier, misleading information, fake news or abusive videos would be shown on a large scale and that is something that could be done," the developers said in their post.
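The weakness described above is that media is fetched over plain HTTP, so whoever controls name resolution or the network path can substitute the content. As an added example (not from Mysk and Bakry's post), the script below scans a proxy log for media responses delivered over cleartext HTTP; the log format and the host names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log sample (hosts are placeholders, not real CDN names).
# Assumed format: "<client-ip> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
192.0.2.10 GET http://video-cdn.example.test/v/abc123.mp4 200 video/mp4
192.0.2.10 GET https://api.example.test/feed 200 application/json
192.0.2.10 GET http://img-cdn.example.test/avatar/42.jpg 200 image/jpeg
192.0.2.11 GET https://video-cdn.example.test/v/def456.mp4 200 video/mp4
192.0.2.11 GET http://video-cdn.example.test/v/ghi789.mp4 200 video/mp4
192.0.2.11 GET http://portal.example.test/index.html 200 text/html
malformed line
"""

MEDIA_PREFIXES = ("video/", "image/", "audio/")


def cleartext_media(log_text):
    """Return {host: [paths]} for media responses fetched over plain HTTP."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        _client, _method, url, status, ctype = fields
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not status.startswith("2"):
            continue  # HTTPS and unsuccessful responses are out of scope
        if ctype.lower().startswith(MEDIA_PREFIXES):
            # Media served without TLS can be swapped by anyone on the path.
            findings[parts.hostname].append(parts.path)
    return dict(findings)


if __name__ == "__main__":
    for host, paths in sorted(cleartext_media(SAMPLE_LOG).items()):
        print(f"{host}: {len(paths)} media object(s) over cleartext HTTP")
        for p in paths:
            print(f"  {p}")
```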

The social network has already attracted the attention of the authorities, mainly due to the fact that its headquarters are in China and there are suspicions that it may collect users' personal data.



Absent Mia