TikTok Flaw Allows Threat Actors to Plant Forged Videos in User Feeds

silversurfer

A security weakness in the popular TikTok video-sharing service allows a local attacker to hijack any video content streamed to a user’s TikTok feed and swap it out with hacker-generated content.

Researchers created a proof-of-concept (PoC) hack using a technique called a man-in-the-middle (MiTM) attack against devices running the TikTok app. Videos planted in user feeds appear to be legitimate content.

The flaw is that the TikTok app uses insecure HTTP for video content in an effort to improve the speed with which it can transfer data, researchers Talal Haj Bakry and Tommy Mysk asserted in a blog post Monday. However, this lack of protection also allows threat actors to easily identify and alter any HTTP traffic—including videos—flowing over the network, they said.

“Like all social media apps with a large user base, TikTok relies on content delivery networks (CDNs) to distribute their massive data geographically,” Bakry and Mysk wrote. “TikTok’s CDN chooses to transfer videos and other media data over HTTP. …HTTP traffic can be easily tracked, and even altered by malicious actors.”
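
An added example, not part of the original posts or the researchers' write-up: when auditing an app's traffic through your own proxy, media fetched over plain HTTP (the weakness described above) can be flagged from the request log. The log format, host names and paths below are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

MEDIA_TYPES = ("video/", "image/", "audio/")
MEDIA_EXTS = (".mp4", ".m3u8", ".ts", ".webp", ".jpg", ".jpeg", ".png")

# Constructed sample, one request per line: "METHOD URL STATUS CONTENT-TYPE".
SAMPLE_LOG = """\
GET https://api.example.com/feed/list 200 application/json
GET http://cdn-a.example.net/video/abc123.mp4 200 video/mp4
GET http://cdn-a.example.net/avatar/u42.webp 200 image/webp
GET https://cdn-b.example.net/video/def456.mp4 200 video/mp4
GET http://cdn-a.example.net/obj/789 200 application/octet-stream
GET http://cdn-a.example.net/video/missing.mp4 404 text/html
this line is malformed
"""

def is_media(path, content_type):
    """Treat a response as media if its type or its file extension says so."""
    ctype = content_type.split(";")[0].strip().lower()
    return ctype.startswith(MEDIA_TYPES) or path.lower().endswith(MEDIA_EXTS)

def find_cleartext_media(log_text):
    """Return {host: [paths]} for successful media responses served over http://."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip lines that do not match the assumed format
        _method, url, status, ctype = parts
        u = urlsplit(url)
        if u.scheme.lower() != "http" or not u.hostname:
            continue  # HTTPS (or unparseable) requests are not the concern here
        if status.startswith("2") and is_media(u.path, ctype):
            findings[u.hostname].append(u.path)
    return dict(findings)

if __name__ == "__main__":
    for host, paths in find_cleartext_media(SAMPLE_LOG).items():
        print(f"{host}: {len(paths)} media object(s) delivered without TLS")
        for p in paths:
            print(f"  {p}")
```

Responses with a generic type and no extension (the `/obj/789` line) are not flagged by this heuristic and need manual review.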
 

Stopspying

It seems like TikTok is the new Zoom, or maybe it is the other way round and TikTok's vulnerabilities took a low profile while Zoom's security was shown to be severely lacking. A video platform that doesn't seem to have done all that it could to secure itself before being widely released (HTTP??!!). Or are some developers getting lazy in taking steps to check for vulnerabilities and releasing things with lots of bugs in so that users of the free services act as the equivalent of crash-test dummies? It could be argued that some software developers have taken this approach for a long time, looking at some of the notorious instances of publicly released software that soon looked as if it was still in a pre-beta state.


 
