Network security experts Tommy Mysk and Talal Haj Bakry discovered a vulnerability in the extremely popular TikTok service, which recently surpassed the 1 billion download mark on the Google Play Store.
The vulnerability allows an attacker to replace or delete videos in other users’ accounts. As a demonstration, the researchers posted a fake video about COVID-19 to several popular TikTok accounts, including the official World Health Organization (WHO) account.
Tommy Mysk and Talal Haj Bakry explain that TikTok delivers its content over unencrypted HTTP rather than the more secure HTTPS. As a result, operators of public Wi-Fi networks, Internet providers, and government agencies can observe the viewing history of every TikTok user whose traffic passes through their network.
Because the traffic is plain HTTP, anyone on the network path can tamper with it. The researchers were able to alter the content and swap real user videos for fake ones by mounting a DNS attack on the network. They then published a video demonstrating how they inserted a video containing false information into the verified WHO account.
It is worth noting that the researchers did not replace the video on TikTok’s servers; the demonstration was carried out only on their home network, so only devices connected through that router would see the altered content. However, the researchers believe the vulnerability could be exploited on a larger scale.
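As an added example (not from the researchers’ write-up or from TikTok), the following Python snippet shows the kind of check a network defender or app security reviewer can run over captured traffic metadata to find the precondition described above: media fetched over cleartext HTTP, which an on-path observer can both read and rewrite. The log format and the hostnames are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of proxy/flow log lines (not real TikTok traffic).
# Format: "<unix_ts> <client_ip> <scheme>://<host><path> <content-type>"
SAMPLE_LOG = """\
1586700001 10.0.0.12 http://video-cdn.example.net/v/1234.mp4 video/mp4
1586700002 10.0.0.12 https://api.example.net/feed application/json
1586700003 10.0.0.15 http://img-cdn.example.net/p/99.jpg image/jpeg
1586700004 10.0.0.15 http://video-cdn.example.net/v/5678.mp4 video/mp4
1586700005 10.0.0.17 https://video-cdn.example.net/v/9999.mp4 video/mp4
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (https?)://([^/\s]+)(\S*) (\S+)$")


def parse_line(line):
    """Return (ts, client, scheme, host, path, ctype), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, scheme, host, path, ctype = m.groups()
    return int(ts), client, scheme, host, path or "/", ctype


def cleartext_media(log_text):
    """Map host -> list of paths where video/image bodies travelled over plain HTTP.

    Content fetched this way can be read and rewritten by anyone on the path
    (a rogue hotspot, an ISP, or a spoofed DNS answer that points the host
    elsewhere), which is exactly the condition the researchers relied on.
    """
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _, _, scheme, host, path, ctype = rec
        if scheme == "http" and ctype.split("/")[0] in ("video", "image"):
            findings[host].append(path)
    return dict(findings)


def hosts_with_https_available(log_text):
    """Hosts seen over both schemes: the cleartext use is avoidable, since
    the same host already serves HTTPS, so these are the cheapest fixes."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            seen[rec[3]].add(rec[2])
    return sorted(h for h, s in seen.items() if s == {"http", "https"})
```

Running `cleartext_media(SAMPLE_LOG)` on the constructed log flags both CDN hosts, and `hosts_with_https_available(SAMPLE_LOG)` shows that the video host already answers over HTTPS, so the app could simply stop requesting it in cleartext.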