TikTok, new security flaw: videos can be replaced via DNS attack

Author: Pau Monfort (@paumonfort)

Popularity also has a dark side. The attention it attracts means that serious security holes get found, and those holes put users' privacy at risk. Zoom and TikTok both know this well. TikTok has again come under the magnifying glass, this time of two iOS developers (Mysk), who have shown that the videos and images on the platform can be replaced with other content simply by making the application connect to a different server.

How is that possible? TikTok fetches content from the company's Content Delivery Network (CDN) over plain HTTP rather than the encrypted HTTPS. Skipping TLS can shave a little off transfer time, but without encryption the connection offers no confidentiality and, more importantly here, no server authentication or integrity: the app has no way to tell whether the bytes it receives actually came from the CDN. According to Mysk, only some content travels over HTTP, namely videos, profile photos and video thumbnails. That is virtually all of the core content on which the application's success is built.



All this allows attackers to carry out so-called MITM (man-in-the-middle) attacks, in which, as the name suggests, they insert themselves into the connection and redirect it to their own servers. The two developers exploited the flaw with a DNS attack on a local network: a rogue DNS answer for the CDN's hostname pointed the app at a server under their control, which then served different videos than the ones TikTok users had actually posted. Because the transfer is unencrypted and unauthenticated, the app accepted the substitute without any error. The attacker needs a position on the victim's network path for this, for example a shared Wi-Fi network or a router whose DNS settings they control. To show the extent of the flaw, they replaced videos posted by the likes of the WHO and the British and American Red Cross with videos containing fake news about COVID-19.
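The mechanism described in the two paragraphs above, reproduced as an added example that runs entirely on localhost (it is not Mysk's code and not TikTok's): a stand-in for the rogue resolver maps a hypothetical CDN hostname `cdn.example` to an attacker-controlled HTTP server, a plaintext client fetches a video URL and receives the substituted bytes without any error, and a hardened client that insists on HTTPS with certificate verification refuses the plaintext URL outright and cannot complete a handshake with the impostor. The hostname, the sample video bytes and the server port are constructed for the demo; a real CDN listens on port 80, which the demo avoids by binding an ephemeral port.

```python
"""Plaintext-CDN substitution via a spoofed DNS answer, simulated on localhost.
Hostname, video bytes and port are constructed for the demo (not TikTok's)."""
import http.client
import socket
import ssl
import threading
from contextlib import contextmanager
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CDN_HOST = "cdn.example"                                   # hypothetical CDN name
REAL_VIDEO = b"\x00\x00\x00\x18ftypmp42 original clip"     # constructed bytes
FAKE_VIDEO = b"\x00\x00\x00\x18ftypmp42 substituted clip"  # constructed bytes


class AttackerCdn(BaseHTTPRequestHandler):
    """Impostor server: answers every GET with FAKE_VIDEO and records the
    Host header, which shows the victim believed it was talking to CDN_HOST."""
    seen_hosts = []
    timeout = 2  # drop a connection that never sends a request line (TLS hello)

    def do_GET(self):
        self.seen_hosts.append(self.headers.get("Host"))
        self.send_response(200)
        self.send_header("Content-Type", "video/mp4")
        self.send_header("Content-Length", str(len(FAKE_VIDEO)))
        self.end_headers()
        self.wfile.write(FAKE_VIDEO)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_attacker_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), AttackerCdn)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


@contextmanager
def spoofed_dns(table):
    """Stand-in for a rogue resolver on the local network: names in `table`
    resolve to the attacker's address, everything else resolves normally."""
    real = socket.getaddrinfo

    def fake(host, *args, **kwargs):
        return real(table.get(host, host), *args, **kwargs)

    socket.getaddrinfo = fake
    try:
        yield
    finally:
        socket.getaddrinfo = real


def fetch_plain(url, port):
    """What a plaintext-HTTP client does: resolve, connect, trust the bytes."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, port, timeout=5)
    conn.request("GET", parts.path, headers={"Host": parts.hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def fetch_strict(url, port):
    """Hardened client: refuses non-https URLs and verifies the server
    certificate against the hostname. The impostor here speaks no TLS at
    all, so the handshake fails; one with a certificate for the wrong name
    would fail verification instead. Either way no substitute is accepted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing plaintext scheme {parts.scheme!r}")
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(parts.hostname, port, context=ctx, timeout=3)
    conn.request("GET", parts.path)
    resp = conn.getresponse()
    return resp.status, resp.read()


def run_demo():
    srv = start_attacker_server()
    port = srv.server_address[1]
    try:
        with spoofed_dns({CDN_HOST: "127.0.0.1"}):
            status, body = fetch_plain(f"http://{CDN_HOST}/v/clip.mp4", port)
            host_seen = AttackerCdn.seen_hosts[-1]
            try:
                fetch_strict(f"http://{CDN_HOST}/v/clip.mp4", port)
                plaintext_rejected = False
            except ValueError:
                plaintext_rejected = True
            try:
                fetch_strict(f"https://{CDN_HOST}/v/clip.mp4", port)
                tls_blocked = False
            except (ssl.SSLError, OSError):  # SSLError is itself an OSError
                tls_blocked = True
    finally:
        srv.shutdown()
        srv.server_close()
    return {"status": status, "substituted": body == FAKE_VIDEO and body != REAL_VIDEO,
            "host_header": host_seen, "plaintext_rejected": plaintext_rejected,
            "tls_blocked": tls_blocked}


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints a dictionary: the plaintext fetch returns status 200 with the substituted clip while the app-side Host header still names the genuine CDN, and the strict client never accepts anything from the impostor. The same check, pointed at a real app through a local resolver you control, is how a practitioner confirms which assets an app loads over plaintext.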

It should be stressed that the developers' intent was only to show that this is possible: the substituted content was seen only by the few devices connected directly to their server, so no false information was actually spread in the name of the "hacked" organizations. The demonstration is nonetheless enough to make the danger of such a vulnerability clear. All the details of the Mysk discovery are available in the researchers' own write-up.




