Encryption & Key Management , Fraud Management & Cybercrime , Governance & Risk Management

TikTok Content Could Be Vulnerable to Tampering: Researchers

Video-Sharing Service Does Not Always Use TLS/SSL Encryption
TikTok Content Could Be Vulnerable to Tampering: Researchers
Two researchers made it appear popular TikTok accounts posted misleading content by taking advantage of a lack of TLS encryption on the service. (Source: Mysk and Bakry)

TikTok, a Chinese video-sharing social networking service, has been delivering video and other media without TLS/SSL encryption, which means it may be possible for someone to tamper with the content, researchers say.

See Also: Live Webinar | Securing Mobile Endpoints to Protect IP in the Pharma Industry

That could be especially damaging with a service as globally popular as TikTok and in the current pandemic environment, where misinformation and confusion abounds.

The situation was uncovered by Germany-based computer scientist Tommy Mysk and Talal Haj Bakry, a senior iOS developer with NuraLogix in Toronto. They wrote a blog post describing their findings.

A demonstration video shows how it would be possible to make it appear misleading content, including messages such as "Washing hands too often causes skin cancer" and "Covid19 is a hoax," came from widely followed accounts,

TikTok's delivers video without TLS, making it possible to tamper with the content. (Source: Mysk and Bakry)

HTTPS: Not Quite Everywhere

There have been many efforts over the last years to get the world's apps and websites to use TLS, including projects such as the Electronic Frontier Foundation's HTTPS Everywhere and Let's Encrypt, which offers free digital certificates. Use of TLS is indicated by HTTPS in the URL window, showing that content is encrypted while in transit.

An absence of TLS means that attackers could modify content while in transit, known as a man-in-the-middle attack, or observe what content someone is requesting.

Mysk tells Information Security Media Group that he and Bakry did not notify TikTok before releasing their findings. That's because they did not discover a vulnerability in the usual sense but rather a questionable design decision. The decision may have been made for performance reasons.

"The way TikTok uses HTTP is clearly by design and not by mistake," says Mysk, a computer scientist who focuses on software for the automobile industry. "This is why we decided to address the public and raise awareness."

In a statement, TikTok says that it "prioritizes user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate."

It would appear that TikTok is in a position to easily flick on HTTPS. Mysk says TikTok's website transmits all content over HTTPS. That's perhaps because a browser will display a warning if there's no HTTPS, a measure put in place by browser makers to encourage its use.

Mysk says he was able to find a HTTPS URL for every HTTP URL that's used when someone is on a mobile device. He says TikTok may intentionally use HTTP connections on mobile for some reason.

Tampering Opportunities

TikTok does use TLS for some network traffic, writes Paul Ducklin, principal research scientist at Sophos, in a blog post. But much content, including profile photos, videos and still frames from the videos that comes back from its CDN are not encrypted, he writes.

Ducklin, who used Wireshark to look at the traffic, writes that he was able to replicate the findings on Android version 15.5.44. Mysk and Bakry used Android version 15.7.4 and iOS version 15.5.6.

Mysk and Bakry made it appear the WHO was giving misleading advice on its TikTok account. (Source: Mysk and Bakry)

There would be multiple opportunities to tamper with traffic. Some methods depend upon hijacking DNS services on a victim's network or tampering with a router in between a victim and TikTok's CDN.

Mysk and Bakry set up a server that mimicked TikTok's CDN and loaded it with misleading content. They then directed TikTok's app to the fake server by modifying a DNS entry to map one of its CDN domain names to the IP address of the bogus server.

"To make it simple, we only built a scenario that swaps videos," Mysk and Bakry write. "We kept profile photos intact, although they can be similarly altered. We only mimicked the behavior of one video server. This shows a nice mix of fake and real videos and gives users a sense of credibility."

Any entity that sits in between a user and TikTok could have opportunities to do the same kind of trick, they write. That would include free Wi-Fi hotspots, ISPs, VPN providers and government or intelligence agencies.

The researchers offer many timely examples of how tampering could be harmful. For example, another fake message they created was: "Staying home is the main cause of claustrophobia." Some of their examples showed how harmful messages could be planted to appear as if posted by the World Health Organization, the British Red Cross and American Red Cross.

"TikTok, a social networking giant with around 800 million monthly active users, must adhere to industry standards in terms of data privacy and protection," they write.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.