According to the research, with heightened awareness of misinformation and the need to turn to official sources for online advice, the risk that hackers might be able to swap out that information is serious. Well, that’s what a pair of enterprising security researchers have managed to do, exploiting a security weakness with hyper-popular TikTok to plant videos in users’ feeds that appear to come from official sources.
The hack requires access to a user’s router, ISP or VPN, but in many parts of the world that’s easily done by threat actors. And it’s in those parts of the world that a campaign to plant misinformation would be most effective. TikTok has received its fair share of criticism over alleged content censorship in the past, but it has not been accused of manipulating official feeds. This, then, is a major issue.
The issue is TikTok’s continued use of an insecure HTTP connection for the delivery of its video content—this makes it faster and simpler, but also open to interception and manipulation. That’s the reason major platforms and browsers are pushing so hard for a shift to HTTPS. TikTok uses content delivery networks to push content to a global audience now measured in the hundreds of millions. Those CDNs distribute content over HTTP connections to TikTok users. “This can be easily tracked,” the researchers warn, “and even altered by malicious actors.”
The researchers have previous form with TikTok. Talal Haj Bakry and Tommy Mysk reported Apple’s copy/paste issue, whereby any active app can “snoop” on the universal clipboard. TikTok was highlighted as a high-profile example of one such app doing exactly that. For its part, TikTok said the fault was with an outdated version of a Google SDK which is due to be replaced in its next update. If so, that vulnerability will be closed. This latest one, though, remains open.
Apple and Google want all data pushed to users’ phones to be secure. But, as explained by the researchers, the two tech giants “still provide a way for developers to opt-out of HTTPS for backwards-compatibility. However, this should be the exception rather than the rule, and most apps have made the transition to HTTPS.” They warn users that “TikTok for iOS (Version 15.5.6) and TikTok for Android (Version 15.7.4) still use unencrypted HTTP to connect to the TikTok CDN.”
This security gap enabled the team to monitor the videos being watched by specific users or IP addresses, and, with control of a user’s access point, to mount a man in the middle attack “to alter the downloaded content.”
The researchers prepared some fake videos, using the newsworthy disinformation surrounding the coronavirus pandemic as their lure. “The circulation of misleading and fake videos in a popular platform such as TikTok poses huge risks,” they said, on disclosing their POC. They then hosted those videos on a server of their own that had been set up to mimic a TikTok CDN. With control of a user’s DNS settings, mimicking what’s possible with control an ISP, potentially impacting millions, “we directed the app to our fake server. Because it impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it.”
The message to TikTok from the research team is the same as last time—please urgently address the security risk. “As demonstrated, HTTP opens the door for server impersonation and data manipulation—this makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts. TikTok, a social networking giant with around 800 million monthly active users, must adhere to industry standards in terms of data privacy and protection.”
The integrity of the information we consume has never been more critical than now. Misinformation around coronavirus and 5G, as well as the ongoing political battles between the U.S. and China, has raised the stakes considerably. And with the U.S. election due in November, it has the potential to get worse. This risk is now in the public domain, it can therefore be exploited. It needs fixing and fast.