In the social media age, see how ‘TikTok’ has left its user privacy and data vulnerable. Hackers are Manipulating Your TIKTOK Videos for Fake Content using a simple trick.
Tiktok is emerging as the new darling of the social media world. You may love it or hate it, but definitely can’t ignore this viral phenomenon. From Gen Z to millennials to even celebrities are signing up to be a part of Tiktok Community. But since its launch, the app has been surrounded by many controversies revolving mainly around user privacy and data security. Some recent examples include parental concerns, Chinese origin debate, text messages scam and many more. Though the youth and social media addicted population may not care about such news, the cybersecurity experts are backing this claim with new research every month.
Earlier in January, 2020 a cybersecurity firm, CheckPoint uncovered a grave risk for TikTok users where cyber-crooks found a way to access user personal and post data. This security flaw included:
- Access user personal details like email, date of birth, address etc.
- Access to user posts/ content and ability to:
- Switch private videos to public
- Swap existing/ new videos with fake ones
- Leak your content to X-rated sites
This issue was then reported to ByteDance, TikTok’s parent company, who soon fixed it in their next update.
Later, App Developers Tommy Mysk and Talal Haj Bakry published a paper unfolding yet another TikTok risk for iOS users that enabled the app to spy on iPhone and iPad clipboard.
Now with Coronavirus global lockdown, the app is currently thriving with maximum user engagement. But this activity is not just limited to normal profile holders, the trending platform has attracted hackers too. The developer duo, Mysk and Bakry, have discovered yet another Tiktok vulnerability where hackers are swapping user videos with fake content.
How TikTok Videos Are Getting Hacked? – For Beginners
Tiktok has done pretty well for itself in a span of two and half years, garnering over 1 billion active users in 150 markets and 70+ languages worldwide. That’s why these ongoing risks to the App’s security should be an alarming concern for users who are busy going about making viral videos every day.
Mysk and Bakry recently conducted a research and established that hackers have found a backdoor in the application’s architecture. They point out that like most social networks TikTok uses Content Delivery Networks (CDNs) for better storage and functioning of abundant media files. But they choose to transfer the video and other files over HTTP instead of HTTPS. For those who aren’t technically aware of the difference, HTTPS uses encryption for any requests and responses, while HTTP doesn’t. In simpler terms, HTTPS is 100 times more secure than the latter.
So why exactly has TikTok opted for this unreliable protocol? Well, mainly because HTTP provides a faster data transfer and speed performance. But is it worth putting your users’ privacy in jeopardy? We certainly don’t think so.
How to Hack TikTok? – Deep Analysis
Analyzing the shortcomings of HTTP and how it provides an unsafe route for file transfer, it becomes pretty easy to swap the load. All it takes is a common shared Router! A router is the general reference point between the App and CDNs in this scenario. This gives complete data access to anyone who has control of your router directly or indirectly. Typically, the main direct parties who can be involved are:
- Public Wi-Fi Operators
- Internet Service Providers (ISPs)
- VPN Providers
- Intelligence/ Federal Agencies (depending on your country policies)
- Hackers (obviously)
This kind of manipulation is known as ‘Man-in-the-Middle’ (MITM) Attack where the content is altered during transmission. So imagine this, you are uploading a lip-sync video to the latest pop-anthem, but what gets posted is a fake public announcement. What, How, When… Well, you just got HACKED!!!
Swapping TikTok Videos Hack – Technical Methodology
The Man-in-the-Middle trick in the current scenario requires a multi-level hack. For this the researcher duo analyzed Tiktok’s network traffic through Wireshark and found that the videos are downloaded from MUSCDN.com with multiple sub-domains following a similar pattern. One of which is http://v34.muscdn.com (This particular server was used for the purposes of the research).
- First and foremost, they created a mirror server of TikTok CDN server http://v34.muscdn.com
- Then, on their fake server they uploaded fake videos which they wanted to circulate
- Next, they exploited the target’s local router to write the DNS record for http://v34.muscdn.com and pointing the IP to their fake server
- By now we’re already familiar where the swapping occurs
In their own words “Our fake server impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it.”
- Mysk and Bakry also had access to the profile pictures and still images folders, but left that out of this experiment.
- This research was also carried out on Facebook, Twitter, Instagram, Snapchat and Youtube. But they passed in flying colors with 0% HTTP traces.
Hacking TikTok – Demonstration
The above video is the proof demonstration behind this TikTok vulnerability by the researchers – Mysk and Bakry. To prove their hypothesis, they choose to make a statement by hacking into the verified accounts of:
- World Health Organization (WHO) – @who
- American Red Cross – @americanredcross
- British Red Cross – @britishredcross
- TikTok – @tiktok
- Loren Gray – @lorengray
- Dalia – @dalia
They used the same exact process to upload a fraudulent video with misleading information/ facts about COVID-19.
How to Secure Your TikTok Account?
The fame and popularity of this social networking giant seems to have aggravated cyber-attackers for their personal fun and maybe publicity. But you don’t have to fall prey to this hack. Here are a few precautions you can take to keep a check your your TikTok data privacy:
- Always keep your app up-to-date, in case TikTok has identified and fixed any latest issues
- Avoid using public networks. Prefer connecting to your home/ trusted wi-fi or mobile data
- Secure your personal network with strong encryption keys
We hope you got aware and smart about TikTok after reading our article. To go through the full detailed article from Mysk and Bakry themselves, click here.
Please comment below, which topic do you want us to cover next.