The issue has been discovered by two developers, Talal Haj Bakry and Tommy Mysk.



Developers have demonstrated how easy it is to trick TikTok into connecting to a fake server, exploiting app architecture, that uses HTTP instead of HTTPS to retrieve media content from the CDNs of the company, which isn’t a safe practice because HTTP traffic is easier to monitor and track:

The use of HTTP to transfer sensitive data has not gone extinct yet, unfortunately. As demonstrated, HTTP opens the door for server impersonation and data manipulation. We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts.

In real life, the vulnerability can be exploited by several actors:

  • Wifi Operators: operators of public wifi networks can configure the router to use a corrupt DNS server
  • VPN providers: a malicious VPN provider can configure a corrupt DNS server for its users
  • Internet Service Providers (ISPs): Internet Service Providers such as telecom companies have full access to the internet connections of their customers. They can configure a corrupt DNS server for their customers to swap content or track user activities
  • Governments and intelligence agencies: in some countries governments and intelligence agencies can force ISPs to install tools that track or alter data

If you distrust any of these actors, then what you watch on TikTok may have been altered. This also applies to any internet service that uses HTTP.

The PoC

The exploitation of this flaw is briefly explained in a couple of PoC videos:

https://www.youtube.com/watch?v=pHt4jok7v5w

https://www.youtube.com/watch?v=voTnYPfkqlY

However, I suggest to read the whole post [1], that contains more technical details.

References

  1. TikTok Vulnerability Enables Hackers to Show Users Fake Videos | Mysk