TikTok Vulnerability Could Allow Upload of Fake Videos

Developers from Mysk Inc. have found an interesting TikTok vulnerability that allows fake videos to be planted in user accounts.

Detailing their findings in a post, they explained that the bug exists because TikTok transmits media over unencrypted HTTP. This allows an attacker positioned on the network path to perform man-in-the-middle (MITM) attacks and tamper with users' videos and photos. Verified and popular accounts are exposed in the same way.

The researchers revealed that TikTok relies on Content Delivery Networks (CDNs) to distribute media, and that these CDNs serve it over plain HTTP. That keeps delivery fast, but it leaves the traffic exposed: anyone on the path can read the data with a packet capture tool such as Wireshark, including videos, video previews, and profile photos.

Consequently, this vulnerability also allows an attacker to swap these media files on user accounts with fake ones. As the researchers stated,

The attacker can convey more fake facts in a spam video swapped with a video that belongs to a celebrity or a trusted account.

Swapping videos was not difficult for the researchers. They set up their own server to mimic the behavior of TikTok's CDN servers and redirected the app's CDN requests to it.

Because the app fetches media over HTTP, it has no way to authenticate the server, so it could not distinguish the impersonating server from the real CDN. The researchers could therefore swap the videos shown on legitimate user accounts.
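The two defences a client needs against the failure mode described above are (a) refusing to fetch media over plain HTTP at all and (b) checking the integrity of what the CDN returns against digests obtained over an authenticated channel, so a substituted body is rejected even if the transport is tampered with. The following is an added example, not code from the article or from Mysk Inc.; every hostname, path, digest and log line in it is constructed, and it assumes the digest manifest is delivered to the app over HTTPS (a separate, authenticated API call).

```python
"""
Added example (not from the article or from Mysk Inc.).

Toy client-side handling of CDN media that demonstrates:
  1. scheme enforcement: refuse to load media fetched over plain http://
  2. content integrity: the app holds a manifest of media URLs with SHA-256
     digests obtained over an assumed-authenticated channel (HTTPS API); any
     body whose digest does not match is rejected, so a swapped file is
     detected even when the CDN server has been impersonated.
  3. detection: scan simple request-log lines for media fetched over HTTP.
All hostnames, paths, digests and log lines are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

MEDIA_EXT = (".mp4", ".jpeg", ".jpg", ".png", ".webp")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_secure_url(url: str) -> bool:
    """True only for https:// URLs that carry a host."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def load_media(url: str, body: bytes, manifest: dict) -> str:
    """
    Decide whether a fetched media body may be shown.
    `body` is what the network returned for `url`; `manifest` maps
    URL -> expected SHA-256 hex digest (assumed to come over HTTPS).
    Returns "ok" or a "rejected:<reason>" string.
    """
    if not is_secure_url(url):
        return "rejected:insecure-scheme"
    expected = manifest.get(url)
    if expected is None:
        return "rejected:unknown-url"
    if sha256_hex(body) != expected:
        # Transport delivered something other than the published object:
        # this is the "swapped video" case from the article.
        return "rejected:integrity"
    return "ok"


# Constructed request-log lines in a simple "METHOD URL STATUS" shape
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def find_plaintext_media(log_lines):
    """Return URLs of media objects requested over plain HTTP (detection)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        p = urlparse(url)
        if p.scheme == "http" and p.path.lower().endswith(MEDIA_EXT):
            hits.append(url)
    return hits


# Constructed sample data
ORIGINAL = b"original video bytes (constructed)"
SWAPPED = b"substituted video bytes (constructed)"
SECURE_URL = "https://cdn.example.invalid/v/clip.mp4"
PLAIN_URL = "http://cdn.example.invalid/v/clip.mp4"
MANIFEST = {SECURE_URL: sha256_hex(ORIGINAL)}

SAMPLE_LOG = [
    "GET http://cdn.example.invalid/v/clip.mp4 200",
    "GET https://api.example.invalid/feed 200",
    "GET http://cdn.example.invalid/p/avatar.jpeg 200",
    "GET https://cdn.example.invalid/v/other.mp4 200",
]

if __name__ == "__main__":
    print(find_plaintext_media(SAMPLE_LOG))          # two plaintext media fetches
    print(load_media(PLAIN_URL, ORIGINAL, MANIFEST))  # rejected:insecure-scheme
    print(load_media(SECURE_URL, ORIGINAL, MANIFEST)) # ok
    print(load_media(SECURE_URL, SWAPPED, MANIFEST))  # rejected:integrity
```

The digest check only helps if the manifest itself cannot be tampered with, which is why it is assumed to arrive over HTTPS; a manifest fetched over the same plaintext channel would be swapped along with the video. The log scan is the kind of check a platform team can run over app traffic captures to confirm whether a client still issues any plaintext media requests.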

The following videos demonstrate how the researchers swapped videos on the WHO feed (video 1) and on other accounts (video 2).

No Patch Available Yet

The researchers confirmed that TikTok still uses HTTP on both iOS and Android.

At the time of writing, TikTok for iOS (Version 15.5.6) and TikTok for Android (Version 15.7.4) still use unencrypted HTTP to connect to the TikTok CDN.

Thus, for now, no patch is available.

Earlier this year, researchers also found multiple serious vulnerabilities in TikTok that could allow tampering with users' accounts. TikTok patched those flaws after the report.