TikTok Content Could Be Vulnerable to Tampering: Researchers
Video-Sharing Service Does Not Always Use TLS/SSL Encryption
TikTok, a Chinese video-sharing social networking service, has been delivering video and other media without TLS/SSL encryption, which means it may be possible for someone to tamper with the content, researchers say.
That could be especially damaging with a service as globally popular as TikTok and in the current pandemic environment, where misinformation and confusion abound.
The situation was uncovered by Germany-based computer scientist Tommy Mysk and Talal Haj Bakry, a senior iOS developer with NuraLogix in Toronto. They wrote a blog post describing their findings.
A demonstration video shows how it would be possible to make it appear that misleading content, including messages such as “Washing hands too often causes skin cancer” and “Covid19 is a hoax,” came from widely followed accounts.
HTTPS: Not Quite Everywhere
There have been many efforts in recent years to get the world’s apps and websites to use TLS, including projects such as the Electronic Frontier Foundation’s HTTPS Everywhere and Let’s Encrypt, which offers free digital certificates. Use of TLS is indicated by HTTPS in the URL window, showing that content is encrypted while in transit.
An absence of TLS means that attackers could modify content while in transit, known as a man-in-the-middle attack, or observe what content someone is requesting.
Mysk tells Information Security Media Group that he and Bakry did not notify TikTok before releasing their findings. That’s because they did not discover a vulnerability in the usual sense but rather a questionable design decision. The decision may have been made for performance reasons.
“The way TikTok uses HTTP is clearly by design and not by mistake,” says Mysk, a computer scientist who focuses on software for the automobile industry. “This is why we decided to address the public and raise awareness.”
In a statement, TikTok says that it “prioritizes user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate.”
It would appear that TikTok is in a position to easily flick on HTTPS. Mysk says TikTok’s website transmits all content over HTTPS. That’s perhaps because a browser will display a warning if there’s no HTTPS, a measure put in place by browser makers to encourage its use.
Mysk says he was able to find an HTTPS URL for every HTTP URL that’s used when someone is on a mobile device. He says TikTok may intentionally use HTTP connections on mobile for some reason.
Tampering Opportunities
TikTok does use TLS for some network traffic, writes Paul Ducklin, principal research scientist at Sophos, in a blog post. But much of the content that comes back from its CDN, including profile photos, videos and still frames from the videos, is not encrypted, he writes.
Ducklin, who used Wireshark to look at the traffic, writes that he was able to replicate the findings on Android version 15.5.44. Mysk and Bakry used Android version 15.7.4 and iOS version 15.5.6.
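One way to run the same kind of check against an app you are responsible for, as an added example that is not from the researchers or the article: it reads request rows exported from a traffic capture, groups plain-HTTP requests by host, counts how many carried media, and lists the HTTPS form of each URL to retest. The host names and sample rows are constructed placeholders, and the row layout (method, URL, Content-Type) is an assumption about the export.

```python
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample rows (method, URL, response Content-Type), as they might
# be exported from a capture of an app under test. Hosts are placeholders.
SAMPLE_FLOWS = [
    ("GET", "https://api.example.test/feed?count=6", "application/json"),
    ("GET", "http://v1.cdn.example.test/video/abc123.mp4", "video/mp4"),
    ("GET", "http://p1.cdn.example.test/avatar/u42.jpeg", "image/jpeg"),
    ("GET", "HTTP://p1.cdn.example.test:80/cover/abc123.webp", "image/webp"),
    ("GET", "https://p1.cdn.example.test/avatar/u43.jpeg", "image/jpeg"),
    ("GET", "http://log.example.test/ping", "text/plain; charset=utf-8"),
]

MEDIA_PREFIXES = ("video/", "image/", "audio/")


def https_equivalent(url):
    """Return the same URL with the https scheme, dropping an explicit port 80."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def audit(flows):
    """Group cleartext requests by host and count unencrypted media responses."""
    report = defaultdict(lambda: {"cleartext": 0, "media": 0, "retest": []})
    for _method, url, content_type in flows:
        parts = urlsplit(url)  # scheme and hostname are lowercased by urlsplit
        if parts.scheme != "http":
            continue  # already protected by TLS in transit
        entry = report[parts.hostname]
        entry["cleartext"] += 1
        mime = content_type.split(";", 1)[0].strip().lower()
        if mime.startswith(MEDIA_PREFIXES):
            entry["media"] += 1
        entry["retest"].append(https_equivalent(url))
    return dict(report)


if __name__ == "__main__":
    for host, entry in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{host}: {entry['cleartext']} cleartext request(s), {entry['media']} media")
        for candidate in entry["retest"]:
            print(f"  retest over TLS: {candidate}")
```

A host that shows up here with media counts above zero is delivering content that anyone on the network path can read or replace, so those hosts are the first to move to HTTPS.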
There would be multiple opportunities to tamper with traffic. Some methods depend upon hijacking DNS services on a victim’s network or tampering with a router in between a victim and TikTok’s CDN.
Mysk and Bakry set up a server that mimicked TikTok’s CDN and loaded it with misleading content. They then directed TikTok’s app to the fake server by modifying a DNS entry to map one of its CDN domain names to the IP address of the bogus server.
“To make it simple, we only built a scenario that swaps videos,” Mysk and Bakry write. “We kept profile photos intact, although they can be similarly altered. We only mimicked the behavior of one video server. This shows a nice mix of fake and real videos and gives users a sense of credibility.”
Any entity that sits in between a user and TikTok could have opportunities to do the same kind of trick, they write. That would include free Wi-Fi hotspots, ISPs, VPN providers and government or intelligence agencies.
The researchers offer many timely examples of how tampering could be harmful. For example, another fake message they created was: “Staying home is the main cause of claustrophobia.” Some of their examples showed how harmful messages could be planted to appear as if posted by the World Health Organization, the British Red Cross and American Red Cross.
“TikTok, a social networking giant with around 800 million monthly active users, must adhere to industry standards in terms of data privacy and protection,” they write.