TikTok videos can be spoofed or swapped with fakes on iOS, Android

By Mike Peterson

The TikTok app for iOS and Android downloads certain content via an unsecured HTTP connection, leaving videos and other data vulnerable to tampering by hackers.

The TikTok app still downloads some content, including videos, over an unsecured HTTP connection. Image credit: Kon Karampelas

Developers Talal Haj Bakry and Tommy Mysk have made a habit of researching vulnerabilities in popular apps. In March, the duo found a bug that allowed apps like TikTok to view the contents of an iOS user's clipboard.

Now, Bakry and Mysk are back with new research on the TikTok app, a popular video streaming platform with more than 800 million monthly users. According to network traffic analysis carried out by the duo, the latest versions of the TikTok app still rely on unencrypted HTTP to connect to the company's Content Delivery Network (CDN).

Because the connection is unencrypted, a user's video watch history can be read by anyone on the network path. Worse, the use of HTTP instead of the more secure HTTPS opens the door to more insidious tactics, including man-in-the-middle (MITM) attacks.

A bad actor on a local network could, as an example, swap out any video for a fake one.

As a proof-of-concept, the duo created a fake server that mimics TikTok's CDN servers. They then used MITM techniques to fool the TikTok app into thinking their fraudulent server was legitimate. From there, it was fairly trivial to deliver fake clips.

The duo substituted official Red Cross and World Health Organization clips with ones filled with coronavirus misinformation as an example.

"We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts," the duo wrote. "This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts."

This specific attack does require access to a router's configuration, meaning it's most likely to be exploited by Wi-Fi operators. But the use of HTTP still means that TikTok can be exploited by rogue access points, VPN services, internet service providers and intelligence agencies.

It appears that TikTok only transports certain data via HTTP, including videos, profile photos and still preview images of clips. But videos are, of course, the main and most important feature of the social media platform.
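The exposure described above is easy to measure from the defender's side. The following script is an added example, not code from the article or from the researchers: it takes a handful of constructed proxy-log records (hypothetical hosts and paths, in a made-up "method url status content-type bytes" format) and reports which media fetches travel as plain HTTP, which hosts serve them, and what watch history an on-path observer could reconstruct from them.

```python
"""Audit captured mobile-app traffic for cleartext (HTTP) media fetches.

Added example. The log lines below are constructed to imitate what a
network proxy or flow logger might record for an app's CDN requests;
the host names, paths and sizes are hypothetical.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: "METHOD URL STATUS CONTENT-TYPE BYTES" per line.
SAMPLE_LOG = """\
GET http://cdn.example-video.test/v/clip_1001.mp4 200 video/mp4 4812033
GET http://cdn.example-video.test/v/clip_1002.mp4 200 video/mp4 3920112
GET http://img.example-video.test/p/user_77.jpg 200 image/jpeg 51200
GET https://api.example-video.test/feed 200 application/json 2310
GET https://api.example-video.test/login 200 application/json 410
GET http://cdn.example-video.test/v/clip_1001.mp4 200 video/mp4 4812033
"""

LOG_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+) (?P<size>\d+)$"
)

# Content types an observer can both read and, absent TLS, replace in transit.
MEDIA_PREFIXES = ("video/", "image/")


def parse_log(text):
    """Turn the raw log text into a list of dict records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["size"] = int(rec["size"])
        records.append(rec)
    return records


def cleartext_media(records):
    """Requests carried over plain http:// whose response is a media type."""
    return [
        r for r in records
        if urlsplit(r["url"]).scheme == "http" and r["ctype"].startswith(MEDIA_PREFIXES)
    ]


def exposed_watch_history(records):
    """Video paths fetched in the clear, counted per request: this is what a
    rogue access point or ISP could log as the user's viewing history."""
    return Counter(
        urlsplit(r["url"]).path
        for r in cleartext_media(records)
        if r["ctype"].startswith("video/")
    )


def summarize(text):
    """Aggregate the audit into a dict suitable for a report or a test."""
    records = parse_log(text)
    clear = cleartext_media(records)
    history = exposed_watch_history(records)
    return {
        "total_requests": len(records),
        "cleartext_media_requests": len(clear),
        "cleartext_hosts": sorted({urlsplit(r["url"]).hostname for r in clear}),
        "cleartext_bytes": sum(r["size"] for r in clear),
        "exposed_videos": sorted(history),
        "watch_history": dict(history),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point the same parser at a real export from an intercepting proxy (after adjusting `LOG_RE` to its column layout) and the non-empty `cleartext_hosts` list is the set of endpoints that need to move to HTTPS; the `watch_history` counter shows concretely what a passive observer learns even without tampering.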

Most online services and websites use HTTPS, which does away with many of the vulnerabilities of its unsecured counterpart. Apple and Google both require apps to use HTTPS connections, but still offer an opt-out option for backward compatibility.
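The opt-out mentioned above lives in each app's own configuration: on iOS it is the App Transport Security (ATS) dictionary in Info.plist, and on Android it is the network security config XML (cleartext is off by default from API level 28). The script below is an added example, not code from the article or from TikTok, that audits both files for cleartext exceptions. The two embedded configs are constructed so that each contains an exemption for a hypothetical CDN domain; the ATS and network-security-config keys themselves are the platforms' real ones.

```python
"""Find cleartext-HTTP opt-outs in iOS (ATS) and Android (network security
config) app configuration. Added example; the two configs are constructed
and the domain cdn.example-video.test is hypothetical.
"""
import plistlib
import xml.etree.ElementTree as ET

# Constructed Info.plist: arbitrary loads stay blocked, but media loads and
# one CDN domain (plus its subdomains) are exempted from ATS.
IOS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.videoapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSAllowsArbitraryLoadsForMedia</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example-video.test</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed Android network_security_config.xml with the same exemption.
ANDROID_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">cdn.example-video.test</domain>
  </domain-config>
</network-security-config>
"""

# Global ATS switches that permit cleartext for a whole class of loads.
ATS_GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
)


def ios_cleartext_findings(plist_bytes):
    """Return one finding string per ATS setting that allows plain HTTP."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key in ATS_GLOBAL_KEYS:
        if ats.get(key) is True:
            findings.append(f"ATS: {key} is true")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = " and subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"ATS: insecure HTTP allowed for {domain}{scope}")
    return findings


def android_cleartext_findings(xml_text):
    """Return one finding string per cleartext permission in the config."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("NSC: base-config permits cleartext for all hosts")
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted") != "true":
            continue
        for d in dc.findall("domain"):
            scope = " and subdomains" if d.get("includeSubdomains") == "true" else ""
            findings.append(f"NSC: cleartext permitted for {d.text.strip()}{scope}")
    return findings


if __name__ == "__main__":
    for line in ios_cleartext_findings(IOS_INFO_PLIST) + android_cleartext_findings(ANDROID_NSC):
        print(line)
```

Note that `NSAllowsArbitraryLoadsForMedia` is exactly the switch that lets an iOS app stream video over plain HTTP while everything else stays on HTTPS, so a clean global `NSAllowsArbitraryLoads` does not by itself mean the app's videos are protected. On Android, `android:usesCleartextTraffic` in the manifest is a second place to check that this script does not cover.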