silversurfer
A security weakness in the popular TikTok video-sharing service allows a local attacker to hijack any video content streamed to a user’s TikTok feed and swap it out with hacker-generated content.
Researchers created a proof-of-concept (PoC) hack using a technique called a man-in-the-middle (MiTM) attack against devices running the TikTok app. Videos planted in user feeds appear to be legitimate content.
The flaw is that the TikTok app uses insecure HTTP for video content in an effort to improve the speed with which it can transfer data, researchers Talal Haj Bakry and Tommy Mysk asserted in a blog post Monday. However, this lack of protection also allows threat actors to easily identify and alter any HTTP traffic—including videos—flowing over the network, they said.
“Like all social media apps with a large user base, TikTok relies on content delivery networks (CDNs) to distribute their massive data geographically,” Bakry and Mysk wrote. “TikTok’s CDN chooses to transfer videos and other media data over HTTP. …HTTP traffic can be easily tracked, and even altered by malicious actors.”
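The mitigation this points to is either moving media fetches to HTTPS or, where a CDN still serves bytes over cleartext HTTP for speed, pinning a digest of each media file in the feed response that is delivered over an authenticated channel and rejecting anything that does not match. The following added example (not code from TikTok, the researchers, or the original post) sketches that client-side policy; the feed entries, hostnames and media bytes are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlparse


def digest(data: bytes) -> str:
    """SHA-256 of the media bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def publish(video_url: str, body: bytes) -> dict:
    """Server side: a feed entry that pins the expected digest of the media.
    Assumption: the feed itself is fetched over HTTPS, so the pin is trustworthy."""
    return {"video_url": video_url, "sha256": digest(body)}


def is_cleartext(url: str) -> bool:
    """True when the media URL uses plain HTTP (hostname is a constructed example)."""
    return urlparse(url).scheme.lower() == "http"


def accept_media(entry: dict, body: bytes) -> Tuple[bool, str]:
    """Client side policy for a downloaded media body:
    - if the feed pinned a digest, the body must match it (constant-time compare);
    - otherwise accept only when the media came over HTTPS, never over cleartext."""
    expected: Optional[str] = entry.get("sha256")
    if expected:
        if hmac.compare_digest(digest(body), expected):
            return True, "digest verified"
        return False, "digest mismatch: media was altered or corrupted in transit"
    if is_cleartext(entry["video_url"]):
        return False, "cleartext media with no pinned digest"
    return True, "https transport, no pin required"


if __name__ == "__main__":
    # Constructed sample media: a fake MP4-like header plus filler frames.
    original = b"\x00\x00\x00\x18ftypmp42" + b"frame" * 16
    entry = publish("http://cdn.example.invalid/v/1.mp4", original)
    print(accept_media(entry, original))            # verified
    print(accept_media(entry, original[:-1] + b"!"))  # rejected
    print(accept_media({"video_url": "http://cdn.example.invalid/v/2.mp4"}, original))
```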