After a pair of developers discovered a security vulnerability that would allow attackers to swap fake videos into a TikTok user’s feed, the social media company said it is rolling out more secure connections for all of its users.
The attack relies on TikTok’s use of plain, unencrypted HTTP in some regions to deliver media from its content delivery networks (CDNs). Software developers Tommy Mysk and Talal Haj Bakry found that, because a plaintext connection does nothing to authenticate the server, anyone positioned on the network path could substitute their own videos into a user’s feed.
In response, TikTok told Digital Trends it is rolling out HTTPS to all of its regions.
“TikTok prioritizes user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate,” a spokesperson told Digital Trends.
TikTok’s service in the U.S. already uses HTTPS, so traffic between the app and TikTok’s servers is encrypted and authenticated in transit: someone on the same network can see that your phone is talking to TikTok, but cannot read or alter what is being sent.
The developers who found the vulnerability were able to make videos showing false claims about the coronavirus appear on a user’s feed. They were even able to impersonate other users.
We tricked #TikTok to connect to our fake server. We hijacked the timeline so the app shows spam videos about #COVID19 #Security #Cybersecurity #Hacking
For more on this: https://t.co/0e7RGyleIW pic.twitter.com/49BbkYbunq
— Mysk 🇨🇦🇩🇪 (@mysk_co) April 13, 2020
Because the connection to TikTok’s media servers is unencrypted, the app has no way to verify which server it is actually talking to. An attacker who can steer the phone’s traffic can stand up a look-alike server that answers the same requests, and the app will display whatever video that server returns as if it had come from TikTok.
“This is why using HTTP is dangerous and should be considered a cybercrime nowadays,” Mysk told Digital Trends. “This is why our industry introduced HTTPS — S stands for secure. It does exactly what HTTP does but the communication is encrypted. It is hard, very hard, to impersonate servers.”
HTTPS isn’t 100% unbreakable. However, there’s a consensus to use HTTPS for transporting data that’s considered important for the safety of communities. Videos from @WHO and @RedCross must be handled as sensitive data.
Who knows! Maybe this blunder’s caused the #ToiletPaperPanic
— Tommy Mysk (@tommymysk) April 14, 2020
The attack is network-based: Mysk told Digital Trends he could make a Wi-Fi or mobile data network redirect TikTok’s traffic to his fake server, but the app would connect to the real server again as soon as the user left that network.
That limited scope still matters if an attacker gains control of a large network, such as a major cellular carrier or internet service provider: the traffic of everyone on that network could be redirected to the attacker’s server.
And a government that controls a country’s internet could use the same method to effectively erase TikTok videos, the developers said.
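The mechanism described above, that a plaintext feed lets whoever controls the network hand the app a different video with no error, and its network-bound scope, reduced to a runnable demonstration. This is an added example, not TikTok’s code or the researchers’ tooling: the feed JSON, the hostname cdn.example, the two loopback servers and the `resolver` dictionary (standing in for the DNS or routing of whatever network the phone is on) are all constructed for the demo.

```python
"""Added demo: swapping a video in a plaintext-HTTP feed by controlling name resolution.

Constructed example, not TikTok's code. The feed shape, the hostname
cdn.example and the loopback servers are assumptions made for the demo.
"""
import http.server
import socketserver
import threading
import urllib.request
from urllib.parse import urlsplit

# Constructed feed of the kind a video app downloads. The media URL uses
# plain http://, so nothing binds the returned bytes to the real CDN.
FEED = {"items": [{"id": "1", "video_url": "http://cdn.example/v/1.mp4"}]}


class _VideoHandler(http.server.BaseHTTPRequestHandler):
    """Serves one fixed payload for every GET; `body` is set per server."""
    body = b""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "video/mp4")
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(payload: bytes) -> int:
    """Start a loopback HTTP server that returns `payload`; return its port."""
    handler = type("Handler", (_VideoHandler,), {"body": payload})
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def fetch_video(url: str, resolver: dict, https_only: bool = False) -> bytes:
    """Fetch a feed item's media the way a naive client would.

    `resolver` maps the CDN hostname to (host, port). It stands in for the
    DNS/routing of the network the phone is using: on an honest network it
    points at the real CDN, on a hostile Wi-Fi or carrier network it points
    wherever the attacker says. Over plain HTTP the client cannot tell the
    difference. `https_only` is the client-side policy that closes the gap:
    refuse to fetch media over a scheme that cannot authenticate the server.
    """
    parts = urlsplit(url)
    if https_only and parts.scheme != "https":
        raise ValueError(f"refusing plaintext media URL: {url}")
    host, port = resolver[parts.hostname]
    # Keep the original Host header so the request is byte-for-byte what the
    # app would send; the impostor server answers regardless.
    req = urllib.request.Request(
        f"{parts.scheme}://{host}:{port}{parts.path}",
        headers={"Host": parts.hostname},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def demo() -> dict:
    """Run the honest case, the hijacked case, and the https-only policy."""
    real_port = start_server(b"REAL-VIDEO")
    fake_port = start_server(b"FAKE-COVID-VIDEO")
    url = FEED["items"][0]["video_url"]
    honest_network = {"cdn.example": ("127.0.0.1", real_port)}
    hijacked_network = {"cdn.example": ("127.0.0.1", fake_port)}

    results = {
        "honest": fetch_video(url, honest_network),
        # Same URL, same request: only the network changed, yet the bytes
        # that reach the app are the attacker's.
        "hijacked": fetch_video(url, hijacked_network),
    }
    try:
        fetch_video(url, hijacked_network, https_only=True)
        results["policy"] = "fetched"
    except ValueError:
        results["policy"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `resolver` indirection is that the client code is identical in the honest and hijacked runs; the only thing that changed is who the network says cdn.example is, which is exactly what an attacker on a shared Wi-Fi network, a compromised carrier, or a state operator controls. Moving the feed to https:// URLs and enforcing an https-only policy in the client (as the `https_only` flag does here) is what turns that substitution from a silent success into a connection failure.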
The World Health Organization has partnered with TikTok to help mitigate the spread of misinformation, and in January TikTok amended its community guidelines to say that it would remove all “misleading” content from the platform.