Two developers have published a video exposing how a basic security flaw present in TikTok makes it vulnerable to old fashioned "man-in-the-middle" attacks. Such attacks would allow a hacker to see a TikTok user's viewing history and even swap out videos in the feed with different ones of their choosing, with the user being none the wiser.
The hacks are possible for one simple reason: TikTok delivers much of the data from its servers over unsecured HTTP connections rather than encrypted HTTPS. This means anyone who can see the network traffic passing through a Wi-Fi router could read information coming from TikTok's servers and modify it. Exploiting the vulnerability, the developer duo created a fake server that looked identical to TikTok's and then fooled the app into thinking their server was the legitimate one.
"TikTok prioritizes user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate," a spokesperson for the company told Input.
Complicated, but clever — In TikTok's defense, this vulnerability isn't easy to exploit. The hacker needs root access to the network TikTok is being accessed over, such as your home Wi-Fi router. But as AppleInsider notes, any rogue Wi-Fi operator, internet service provider, or even government intelligence agency could theoretically intercept TikTok's traffic and change the content you're seeing. In a video demonstration, the developers managed to replace legitimate COVID-19 content from the World Health Organization with a fake video stating that the virus is a hoax. It still appeared as if the video was coming from the official WHO account.
"We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts," they wrote. "This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts."
The two published an article outlining exactly how the exploit works. To explain it briefly: DNS records are publicly available records that map a domain name, like tiktok.com, to the specific IP address where the site is hosted. Whenever you type a domain name into your browser it first visits a DNS server somewhere in the world to look up what server you're trying to connect to, like an address book. So what the team did was create a fake DNS server with a record pointing the URL for TikTok's videos to an IP address for the team's own rogue servers. They then told the Wi-Fi router to use that corrupt DNS server for looking up websites. And with that, they were able to get the TikTok app pulling videos from their rogue server instead of the real one. They intercepted TikTok in the middle.
HTTPS is table stakes — The poor security of TikTok is particularly concerning considering the U.S. government's interest in its connection to China — the company is owned by Beijing-based ByteDance. There's long been concern about TikTok being used to distribute propaganda to impressionable teens.
Is TikTok the biggest misinformation threat out there today? No, it's mostly an entertainment app. But still, most internet services nowadays use HTTPS because it's easy to implement and encrypts all traffic passing through internet networks. Such security would require the TikTok app and its servers to share a pair of keys for encrypting and decrypting traffic that only they know. The rogue server wouldn't have the proper keys. It wouldn't be able to trick the app into thinking it's legitimate without such keys.
Both Google and Apple require apps on their platforms to use HTTPS encryption but with some exceptions, which TikTok is taking advantage of.
Another Chinese company, Huawei, has similarly come under fire for poor security. It's not clear if that company's vulnerabilities were intentionally left there to help the Chinese government gain access as some have speculated, but considering the White House's existing paranoia around China, it has only helped to increase tension.