TikTok has been exploding in popularity in recent years. As we have seen with Zoom, no matter how popular a platform is, there are bound to be security issues. The latest TikTok flaw surfaced online after two iOS developers used a simple hack to trick the app into connecting to their fake server.
This was possible because TikTok uses HTTP instead of HTTPS to pull in media content from the company’s Content Delivery Networks (CDNs). Using HTTP improves data transfer performance, but the lack of encryption (and of any integrity check on the transport) puts users at risk. The developers, known collectively as Mysk, were able to leverage this to replace videos published by TikTok users with different videos via a DNS attack on a local network: by answering the app’s DNS lookups for the CDN hostnames with the address of their own server, they made the app fetch media from a server they controlled.
As seen in the video above, Mysk created videos that shared false COVID-19 information on several popular and verified accounts on the platform. This includes the World Health Organization, the British and American Red Cross, and even the official TikTok account.
Thankfully, only users connected to the network running the developers’ server were affected. No one outside of that network saw these fake videos. Mysk had no malicious intent and only demonstrated that the attack is possible, but it wouldn’t be too difficult for a bad actor to use this method to attack users on a much larger scale.
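A defender can spot this class of problem before a demo like Mysk’s makes the news by auditing an app’s traffic for media fetched over plain HTTP. The following is an added example (not code from the article or from Mysk) that parses a constructed proxy-log export in a simple `timestamp method url status content-type` format, flags cleartext media fetches per host, and notes which of those hosts were also seen over HTTPS, since a CDN that already serves TLS leaves no performance excuse for the cleartext path. All hostnames and paths in the sample are placeholders.

```python
"""Audit captured app traffic for cleartext (http://) media fetches."""
from collections import defaultdict
from urllib.parse import urlparse

MEDIA_TYPES = ("video/", "image/", "audio/")
MEDIA_SUFFIXES = (".mp4", ".m3u8", ".ts", ".jpg", ".jpeg", ".png", ".webp", ".mp3")

# Constructed sample log; hosts use the reserved .invalid TLD as placeholders.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z GET http://cdn.example-video.invalid/v/abc123.mp4 200 video/mp4
2020-04-13T10:00:02Z GET https://api.example-app.invalid/feed 200 application/json
2020-04-13T10:00:03Z GET http://cdn.example-video.invalid/p/avatar.jpg 200 image/jpeg
2020-04-13T10:00:04Z GET https://cdn.example-video.invalid/v/def456.mp4 200 video/mp4
2020-04-13T10:00:05Z GET http://tracker.example-app.invalid/ping 204 text/plain
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, method, url, status, ctype = parts
    return {"ts": ts, "method": method, "url": urlparse(url), "status": status, "ctype": ctype}


def is_media(rec):
    """Media by declared content type or by file suffix (HLS playlists/segments included)."""
    return rec["ctype"].startswith(MEDIA_TYPES) or rec["url"].path.lower().endswith(MEDIA_SUFFIXES)


def find_cleartext_media(log_text):
    """Return {host: [url, ...]} for media requests made over plain HTTP."""
    findings = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["url"].scheme == "http" and is_media(rec):
            findings[rec["url"].netloc].append(rec["url"].geturl())
    return dict(findings)


def https_capable_hosts(log_text):
    """Hosts that served at least one request over HTTPS in the same capture."""
    return {rec["url"].netloc for rec in filter(None, map(parse_line, log_text.splitlines()))
            if rec["url"].scheme == "https"}


if __name__ == "__main__":
    tls_hosts = https_capable_hosts(SAMPLE_LOG)
    for host, urls in find_cleartext_media(SAMPLE_LOG).items():
        note = " (host also serves HTTPS)" if host in tls_hosts else ""
        print(f"{host}: {len(urls)} cleartext media fetch(es){note}")
        for u in urls:
            print("   ", u)
```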
This won’t be the only issue to arise if TikTok doesn’t encrypt this traffic. There are plenty of known and well-documented attacks on plain HTTP that the platform will remain exposed to until it switches its media delivery to HTTPS.
At the time of publication, the issue affects the Android app version 15.7.4 and iOS app version 15.5.6. You can read more details about how Mysk performed the TikTok hack over on its website.