The two developers published their findings in a blog post, stating that some of the platform's practices, which are not safe, have created a security gap that can be exploited by malicious actors.
Like other social media applications, TikTok uses a CDN (Content Delivery Network) to quickly transfer huge amounts of video and other data over the Internet. However, in the case of TikTok, the CDN uses a less secure plain HTTP connection to improve performance.
It is well known that an intruder, a government or an ISP could easily intercept and read HTTP traffic, which is not encrypted. In this way, a malicious actor could gain access to a TikTok user's videos, as well as their viewing history and the videos they download.
To substantiate their claims, Mysk and Bakry created a proof-of-concept in which they placed a video containing misinformation about the coronavirus on the official TikTok account of the World Health Organization (WHO).
By taking control of a server sitting between the TikTok application and its CDNs, the developers could display and inject whatever content they wanted, simply by changing the DNS records so that the application was redirected to the fake server each time.
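The weakness described above is visible from the client side: media that an app fetches over `http://` can be read or replaced by anyone on the path. The following added example (not code from the researchers or from TikTok) audits a constructed traffic capture of a hypothetical app and flags every media response fetched over plaintext HTTP, plus hosts that answer over both schemes, which shows HTTPS was available but not enforced.

```python
"""Audit an app traffic capture for media fetched over plaintext HTTP."""
import re
from urllib.parse import urlparse

# Constructed sample capture for a hypothetical app: "METHOD URL STATUS CONTENT-TYPE"
SAMPLE_CAPTURE = """\
GET https://api.example-app.test/v1/feed 200 application/json
GET http://cdn-video.example-app.test/video/1234.mp4 200 video/mp4
GET http://cdn-img.example-app.test/thumbs/1234.jpg 200 image/jpeg
GET https://cdn-video.example-app.test/video/5678.mp4 200 video/mp4
"""

LINE_RE = re.compile(
    r"^(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)
MEDIA_PREFIXES = ("video/", "image/", "audio/")


def parse_capture(text):
    """Parse capture lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_plaintext_media(entries):
    """Return (host, path, content-type) for every media response fetched over http://."""
    findings = []
    for e in entries:
        u = urlparse(e["url"])
        if u.scheme == "http" and e["ctype"].startswith(MEDIA_PREFIXES):
            findings.append((u.hostname, u.path, e["ctype"]))
    return findings


def hosts_with_mixed_schemes(entries):
    """Hosts seen over both http and https: HTTPS works there but is not enforced."""
    schemes = {}
    for e in entries:
        u = urlparse(e["url"])
        schemes.setdefault(u.hostname, set()).add(u.scheme)
    return sorted(h for h, s in schemes.items() if {"http", "https"} <= s)


if __name__ == "__main__":
    parsed = parse_capture(SAMPLE_CAPTURE)
    for host, path, ctype in find_plaintext_media(parsed):
        print(f"plaintext media: {host}{path} ({ctype})")
    print("hosts reachable over both schemes:", hosts_with_mixed_schemes(parsed))
```

On a real capture (for example, lines exported from a proxy you run against your own app), any hit in the first report is content an on-path party could read or swap, and the second report lists the hosts where simply switching the URL scheme would close the gap.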
However, this does not mean that damage could not be caused. "If a popular DNS server had been compromised to include a malicious video, as we showed earlier, misleading information, fake news or abusive videos would be shown on a large scale, and that is something that could be done," the developers said in their post.
The social network has already attracted the attention of the authorities, mainly due to the fact that its headquarters are in China and there are suspicions that it may collect users' personal data.