A rather serious security flaw has been discovered in TikTok that allows an attacker to replace the videos sent from its servers to clients (the Android and iOS apps). Put simply, the user requests one video and is sent another.
The weak link in the data transmission chain of the increasingly popular social network (according to February figures it is the most downloaded non-game app in the world) is the connection between the client app and the CDN, the network of servers that physically delivers the requested content: that connection is not encrypted and relies on the now obsolete plain HTTP protocol. An attacker can therefore insert themselves into the communication (a man-in-the-middle, or MITM, attack) and modify it to suit their purposes. In this specific case the two researchers Talal Haj Bakry and Tommy Mysk set up a bogus TikTok server, made the client app believe it was authentic, and flooded it with specially prepared fake videos about COVID-19, which nonetheless appeared to come from verified accounts such as that of the WHO.
The scope of such an attack is not particularly wide, since whoever carries it out must have access to the configuration page of the Wi-Fi router to which the smartphone running the TikTok app is connected. But with a little imagination, once the basic flaw has been identified, it is very easy to make the problem far more serious: replace the home router with public access points or VPNs of dubious origin. Given the app's wide reach, it therefore becomes a potential tool for spreading disinformation, and at a time when fighting it is essential.
TikTok uses HTTP to transport only certain types of content, but those include videos, the main medium on which the platform is built. For the moment the company has not responded to the report.
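As an added illustration, not code from the article or from the researchers, the following simulation shows why a plaintext CDN link lets substituted content through, and how a client that checks each clip against a digest obtained over an authenticated channel rejects it. The manifest, video identifiers and byte strings are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: the bytes the CDN is supposed to serve for each clip.
GENUINE_VIDEOS = {
    "who-handwashing": b"constructed: genuine WHO hand-washing clip bytes",
}

# What an integrity manifest fetched over TLS would carry: clip id -> SHA-256.
# Built from the sample above; hypothetical, not TikTok's own format.
MANIFEST = {vid: hashlib.sha256(data).hexdigest()
            for vid, data in GENUINE_VIDEOS.items()}


def cdn_fetch(video_id: str) -> bytes:
    """Simulated honest CDN response over the plaintext HTTP leg."""
    return GENUINE_VIDEOS[video_id]


def substituted_fetch(video_id: str) -> bytes:
    """Simulates the failure mode described above: the client asked for one
    clip and a different one arrives, because nothing on the wire is protected."""
    return b"constructed: some other clip returned in place of the requested one"


def naive_client(fetch, video_id: str) -> bytes:
    """Plain HTTP client behaviour: whatever arrives is played."""
    return fetch(video_id)


def verifying_client(fetch, video_id: str) -> bytes:
    """Hardened behaviour: play only if the bytes match the authenticated digest."""
    data = fetch(video_id)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, MANIFEST[video_id]):
        raise ValueError(f"integrity check failed for {video_id}")
    return data


def is_transport_secure(url: str) -> bool:
    """The root fix: media URLs must use TLS, not plain HTTP."""
    return url.lower().startswith("https://")
```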