TikTok's flaw was unearthed by iOS developers who used a simple trick to connect the app to their fake server, allowing them to post fake COVID-19 videos from verified accounts.
Chinese social media app TikTok is under scrutiny after a group of developers hacked into the platform to demonstrate its cybersecurity risks and vulnerabilities.
TikTok Not As Safe As You Think
iOS developers, who go by the name of Mysk, used a simple trick to post fake COVID-19 videos from the official TikTok accounts of not just the American Red Cross but also the World Health Organization (WHO) and British Red Cross.
According to the developers, TikTok delivers user content over unencrypted HTTP rather than HTTPS.
They further explain that TikTok's Content Delivery Networks transfer videos and other media over HTTP, which speeds up data transfer but puts user privacy at risk. HTTP traffic is easy to track and can be altered by any third party on the network path.
Exposing the Risk of Breach
The hackers say the hack was deliberate, intended to reveal the vulnerabilities of using HTTP instead of HTTPS.
Having identified this security flaw, the hackers tricked the social media app into connecting to their fake server. They then created fake COVID-19 videos and shared them from the official Red Cross TikTok handles.
While this may sound like a dangerous breach, the developers explained that only users connected to their fake server could view the fake videos.
"However, if a popular DNS server was hacked to include a corrupt DNS record as we showed earlier, misleading information, fake news, or abusive videos would be viewed on a large scale, and this is not completely impossible," it added.
Non-encrypted HTTP Vs HTTPS
The security flaw highlighted by the developers affects Android version 15.7.4 and iOS version 15.5.6. The developers explain that they only wanted to showcase the dangers of using HTTP instead of HTTPS, particularly on a popular social media channel.
Because HTTP traffic can be easily manipulated, they were able to intercept TikTok traffic and fool the app into showing their content as if it had been published by the original account owners, which makes such a vulnerability a ready tool for anyone seeking to spread misleading information.
The problem with choosing HTTP over secure HTTPS is that it puts user privacy at risk.
The developers explain that any router between the TikTok app and TikTok's CDNs can see the user's viewing history, which Wi-Fi operators, Internet Service Providers, and intelligence agencies could collect without much effort.
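The two risks described above, that cleartext media fetches reveal a viewing history to anyone on the path and that the CDN endpoints involved are the ones an app owner must move to HTTPS, can be surfaced from ordinary proxy or flow logs. The following script is an added example, not code from the article or from Mysk; it runs over a constructed log sample (hypothetical hosts under the reserved `.invalid` domain, not real TikTok traffic) and reports which media requests went over plain HTTP, grouped per client and per host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical hosts under .invalid; not real traffic).
# Format per line: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2020-04-13T10:00:01Z 10.0.0.5 GET http://cdn-example.invalid/video/12345.mp4 200
2020-04-13T10:00:02Z 10.0.0.5 GET https://api-example.invalid/feed 200
2020-04-13T10:00:03Z 10.0.0.5 GET http://cdn-example.invalid/video/67890.mp4 200
2020-04-13T10:00:04Z 10.0.0.7 GET http://img-example.invalid/profile/abc.jpg 200
2020-04-13T10:00:05Z 10.0.0.7 GET https://cdn-example.invalid/video/11111.mp4 200
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# File extensions treated as media content (an assumption for this example).
MEDIA_EXTENSIONS = (".mp4", ".m3u8", ".ts", ".jpg", ".jpeg", ".png", ".webp")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "scheme": parts.scheme.lower(),
        "host": parts.hostname or "",
        "path": parts.path,
        "status": int(status),
    }


def is_media(path):
    """True if the request path looks like a media object."""
    return path.lower().endswith(MEDIA_EXTENSIONS)


def find_cleartext_media(log_text):
    """Return (client, host, path) tuples for media fetched over plain HTTP.

    These are the requests an on-path observer could read or tamper with,
    because nothing protects their confidentiality or integrity."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["scheme"] == "http" and is_media(rec["path"]):
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits


def viewing_history(log_text):
    """Group cleartext media paths by client: the per-user history an on-path
    observer (Wi-Fi operator, ISP) could reconstruct from the HTTP traffic."""
    history = defaultdict(list)
    for client, host, path in find_cleartext_media(log_text):
        history[client].append(host + path)
    return dict(history)


def cleartext_hosts(log_text):
    """Sorted list of hosts that served media over HTTP: the CDN endpoints an
    app owner should migrate to HTTPS."""
    return sorted({host for _, host, _ in find_cleartext_media(log_text)})


if __name__ == "__main__":
    for client, paths in viewing_history(SAMPLE_LOG).items():
        print(f"{client}: {len(paths)} cleartext media fetch(es)")
        for p in paths:
            print("   ", p)
    print("hosts to migrate:", ", ".join(cleartext_hosts(SAMPLE_LOG)))
```

Pointing the script at a real proxy export is a quick way to audit whether an app's media CDN still answers over port 80; a single HTTPS request to the same host, as in the fifth sample line, shows that the host supports TLS and that the cleartext fetches are a client-side choice rather than a server limitation.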