Developers Tommy Mysk and Talal Haj Bakry have discovered a new vulnerability in TikTok that makes it possible to post videos on the platform under third-party profiles without authorization. With a simple trick, they managed to publish fake recordings even under the World Health Organization (WHO) account in the app.
According to them, the problem lies in the application fetching media content over unencrypted HTTP instead of HTTPS, which is much more secure. This gives a gain in data-transfer performance, but the lack of encryption leaves users' information at risk.
By exploiting this flaw with a DNS attack on a local network, the security researchers were able to alter the original content of the posts, replacing the real videos of the chosen users with fake ones. In the video below, published by them, the replacement of the recordings on the WHO account can be seen.
The good news is that the videos were replaced only on the home network that suffered the attack, without affecting the TikTok server. That is, only those who were connected to that router saw the changes made by Mysk and Bakry, as revealed on the duo's official blog.
Flaw can be exploited on a larger scale
The videos they posted in place of the original content contained false information about the new coronavirus. In addition to the official WHO account, they were able to replace the videos of other verified profiles on the platform, such as the American Red Cross, the United Kingdom's Red Cross and even TikTok's official profile.
If seen by more users outside the network used to demonstrate the flaw, the videos could leave many people in doubt about COVID-19. For that to happen, according to the developers, it is enough that cybercriminals exploit the vulnerability on a larger scale by compromising popular DNS servers.
To prevent this, the researchers suggest that TikTok update the technology it uses to transfer sensitive data, adhering to industry standards for privacy and data protection and so increasing security for the platform's more than 800 million users.
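The root cause described above (media fetched over cleartext HTTP) and the suggested remedy (move to encrypted transport) can be illustrated from the defender's side. The following is an added example, not code from the article, from TikTok or from the Mysk researchers. It shows a client-side policy that refuses to load media unless the URL is HTTPS to an allowlisted host, and a simple check over request logs that flags any media fetch that went out over plain HTTP. The hostnames and the log format are placeholders constructed for the example; TikTok's real CDN hosts and logging are not known from the article.

```python
"""Added example: enforce HTTPS for media fetches and audit logs for cleartext ones.

This is illustrative code written for this page; it is not TikTok's client or
the researchers' tooling. Hostnames and log lines are constructed placeholders.
"""
from urllib.parse import urlparse

# Assumed allowlist of media hosts (placeholders, not TikTok's real CDN names).
ALLOWED_MEDIA_HOSTS = {"cdn.example-media.test", "video.example-media.test"}


class InsecureMediaURL(ValueError):
    """Raised when a media URL cannot be fetched over an encrypted channel."""


def validate_media_url(url: str, upgrade: bool = False) -> str:
    """Return the URL the client is allowed to fetch, or raise InsecureMediaURL.

    - https:// URLs to an allowlisted host are returned unchanged.
    - http:// URLs are rejected, unless upgrade=True, in which case the scheme
      is rewritten to https:// (the server must actually serve HTTPS there).
    - Any other scheme, or a host outside the allowlist, is rejected.
    Rejecting the cleartext URL is what stops a DNS spoofer on the local
    network from handing the app a substituted video: with TLS, the
    certificate check fails instead of the content silently changing.
    """
    parts = urlparse(url)
    if parts.scheme == "https":
        scheme = "https"
    elif parts.scheme == "http" and upgrade:
        scheme = "https"
    else:
        raise InsecureMediaURL(f"refusing cleartext or unknown scheme: {url}")

    host = parts.hostname or ""
    if host not in ALLOWED_MEDIA_HOSTS:
        raise InsecureMediaURL(f"host not in media allowlist: {host!r}")

    # Note: an explicit ':80' in the netloc is left as-is; an upgraded URL with
    # a hard-coded port 80 would still fail, which is the safe outcome.
    return parts._replace(scheme=scheme).geturl()


def find_cleartext_media_fetches(log_lines):
    """Return (line_number, url) for every request that used plain http://.

    Expects one request per line in the constructed form 'GET <url> <status>'.
    Lines that do not match that shape are ignored rather than guessed at.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 2 or fields[0] != "GET":
            continue
        url = fields[1]
        if urlparse(url).scheme == "http":
            hits.append((number, url))
    return hits


# Constructed sample log; not real app traffic.
SAMPLE_LOG = [
    "GET https://cdn.example-media.test/v/123.mp4 200",
    "GET http://cdn.example-media.test/v/456.mp4 200",
    "GET http://video.example-media.test/thumb/789.jpg 200",
    "GET https://video.example-media.test/thumb/790.jpg 304",
]


if __name__ == "__main__":
    print(validate_media_url("https://cdn.example-media.test/v/123.mp4"))
    print(validate_media_url("http://cdn.example-media.test/v/456.mp4", upgrade=True))
    for number, url in find_cleartext_media_fetches(SAMPLE_LOG):
        print(f"cleartext media fetch at log line {number}: {url}")
    try:
        validate_media_url("http://cdn.example-media.test/v/456.mp4")
    except InsecureMediaURL as exc:
        print("rejected:", exc)
```

The allowlist plus scheme check is deliberately a fail-closed policy: a URL the client cannot prove will travel over TLS to a known host is not fetched at all, which is the behaviour the researchers are asking for when they recommend encrypted transport for media.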