
According to developers Tommy Mysk and Talal Haj Bakry, a vulnerability they discovered in the popular social network TikTok could allow an attacker to replace users' videos with fake ones.
The two developers published their findings in a blog post, stating that some of the platform's insecure practices have created a security gap that malicious actors could exploit.
Like other social media applications, TikTok uses a CDN (Content Delivery Network) to quickly transfer huge amounts of video and other data across the Internet. However, in TikTok's case the CDN uses a less secure HTTP connection to improve performance.
It is well known that an intruder, a government or an ISP can easily read HTTP traffic, since it is sent unencrypted. In this way, a malicious actor could gain access to a TikTok user's videos, as well as their viewing history and the videos they download.
An attacker could even replace these videos with fake ones, or with videos from other accounts.
To substantiate their claims, Mysk and Bakry built a proof of concept in which they uploaded a video containing misinformation about the coronavirus to the official TikTok account of the World Health Organization (WHO).
The developers tricked the TikTok app on a device connected to their home Wi-Fi network into sending its requests to a custom server designed to mimic TikTok's CDNs.
So by controlling the server that sits between the TikTok application and its CDNs, the developers could display and inject whatever they wanted, simply by changing the DNS records so that the application was redirected to the fake server every time.
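The two weaknesses described above (media fetched over cleartext HTTP, and a CDN hostname being resolved to an address the operator does not control) are exactly what an app-traffic audit should flag. The following is an added example, not code from the researchers' post or from TikTok: it scans constructed log lines in a made-up format, and the hostname `video-cdn.example.net`, the address block `203.0.113.0/24` and all sample addresses are constructed placeholders rather than real TikTok infrastructure.

```python
"""Audit constructed app-traffic log lines for the two weaknesses the article
describes: media fetched over plain HTTP, and a CDN hostname that resolves to
an address outside the operator's known ranges (the kind of DNS redirection the
researchers used to point the app at their own server).

All hostnames, addresses and log lines below are constructed for this example."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: address blocks the (hypothetical) CDN host is expected
# to resolve to. A real deployment would populate this from the CDN operator.
EXPECTED_CDN_NETS = {
    "video-cdn.example.net": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed log format, one record per line:
#   HTTP <method> <url> <content-type>
#   DNS  <queried-name> <answer-ip>
SAMPLE_LOG = """\
HTTP GET https://api.example.net/v1/feed application/json
HTTP GET http://video-cdn.example.net/v/abc123.mp4 video/mp4
HTTP GET http://video-cdn.example.net/img/thumb.jpg image/jpeg
DNS video-cdn.example.net 203.0.113.17
DNS video-cdn.example.net 198.51.100.9
HTTP GET https://video-cdn.example.net/v/def456.mp4 video/mp4
"""

# Content types whose bodies an on-path party could swap if sent in cleartext.
MEDIA_TYPES = ("video/", "image/")


def find_cleartext_media(log_text):
    """Return (url, content_type) pairs for media fetched over plain HTTP."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "HTTP":
            continue
        _, _method, url, ctype = parts
        if urlsplit(url).scheme == "http" and ctype.startswith(MEDIA_TYPES):
            hits.append((url, ctype))
    return hits


def find_unexpected_dns(log_text, expected=EXPECTED_CDN_NETS):
    """Return (name, ip) pairs where a watched hostname resolved outside its allowlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "DNS":
            continue
        _, qname, ip = parts
        nets = expected.get(qname)
        if nets is None:
            continue  # not a host we pin expectations for
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            hits.append((qname, ip))
    return hits


def audit(log_text):
    """Run both checks and return their findings keyed by check name."""
    return {
        "cleartext_media": find_cleartext_media(log_text),
        "unexpected_dns": find_unexpected_dns(log_text),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOG).items():
        print(check, findings)
```

On the constructed sample, the audit reports the two `http://` media fetches and the one answer that resolves the CDN name to `198.51.100.9`, outside the expected block; the HTTPS fetch and the in-range answer pass. The fix on the application side is the same in both cases: serve media over HTTPS with certificate validation, so that neither a cleartext observer nor a spoofed DNS answer lets an on-path party substitute content.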
However, this does not mean that damage could not be caused. "If a popular DNS server had been compromised to include a malicious video, as we showed earlier, misleading information, fake news or abusive videos would be shown on a large scale, and that is something that could be done," the developers said in their post.
The social network has already attracted the attention of the authorities, mainly because its headquarters are in China and there are suspicions that it may collect users' personal data.