Tommy Mysk and Haj Bakry, two software developers, found a critical flaw in the popular video-sharing app TikTok that allows attackers to modify and swap videos on any TikTok account.
According to their analysis, the TikTok app uses insecure HTTP to transfer its data, so the images and videos the app transfers are unencrypted (sent in plain text).
TikTok delivers this data through CDNs over HTTP. If an attacker can act as a man-in-the-middle between the TikTok app and TikTok's CDNs, they can read the details of every video a user has watched or downloaded in plain text.
From the same man-in-the-middle position, an attacker can also modify data in transit and swap an original video for a fake one, which makes the flaw a vehicle for spreading spam and fake or misleading information.
The developers demonstrated the flaw by setting up a fake CDN server and directing their own TikTok app to it. Acting as the man-in-the-middle, they uploaded a coronavirus misinformation video and injected it into the WHO's TikTok account, where it looked like the WHO's own video.
They verified the same technique against other verified TikTok accounts, including the Red Cross and TikTok's own official account. In this way an attacker can modify and swap videos on any TikTok account.
If the TikTok app used HTTPS, this kind of attack would be far harder to carry out because the traffic would be encrypted. An app this popular must use HTTPS for everything, for both privacy and security.
TikTok's website already serves videos over HTTPS; only the app does not. This shows that TikTok's CDNs are already equipped to handle HTTPS requests, so the company only has to update its app to use them.
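The point above (media fetched in cleartext from hosts that already speak HTTPS) is the kind of thing you would check in a proxy export of an app's traffic. The following audit script is an added example, not part of the original post or of the researchers' work; the log format and the hostnames in it are constructed placeholders, not TikTok's real CDN names.

```python
"""Audit an intercepting-proxy export for cleartext media traffic.

Constructed example: each line is "METHOD URL STATUS CONTENT-TYPE", the
shape you get when exporting a request list from a proxy. The hosts and
paths below are hypothetical placeholders.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture (hypothetical hosts and paths).
SAMPLE_LOG = """\
GET http://cdn-video.example/v/1234.mp4 200 video/mp4
GET http://cdn-img.example/thumbs/1234.jpg 200 image/jpeg
GET https://api.example/feed 200 application/json
GET https://cdn-video.example/v/5678.mp4 200 video/mp4
GET http://cdn-video.example/v/9012.mp4 200 video/mp4
"""

MEDIA_PREFIXES = ("video/", "image/")


def parse_log(text):
    """Yield (scheme, host, content_type) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _method, url, _status, ctype = parts
        u = urlsplit(url)
        yield u.scheme.lower(), u.hostname, ctype.split(";")[0].lower()


def audit_cleartext_media(text):
    """Return {host: {"cleartext_media": n, "also_https": bool}} for every
    host that served video or image bytes over plain HTTP.

    "also_https" is True when the same host was also seen over HTTPS, i.e.
    the server side already supports TLS and only the client needs fixing.
    """
    cleartext = defaultdict(int)
    https_hosts = set()
    for scheme, host, ctype in parse_log(text):
        if scheme == "https":
            https_hosts.add(host)
        elif scheme == "http" and ctype.startswith(MEDIA_PREFIXES):
            cleartext[host] += 1
    return {h: {"cleartext_media": n, "also_https": h in https_hosts}
            for h, n in cleartext.items()}


if __name__ == "__main__":
    for host, info in audit_cleartext_media(SAMPLE_LOG).items():
        print(f"{host}: {info['cleartext_media']} cleartext media fetch(es);"
              f" HTTPS also observed: {info['also_https']}")
```

Any host reported with `also_https: True` is one where enforcing HTTPS is purely a client-side change, which is exactly the situation described for TikTok's CDNs.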
Be aware that Android version 15.7.4 and iOS version 15.5.6 of the TikTok app have this vulnerability. It is advised that you stop using the TikTok app until this issue is fixed.
If you have any questions about this TikTok flaw, please mention them in the comments box and I will get back to you. Stay tuned to my blog.