TikTok’s continued use of HTTP to move sensitive data across the internet is allowing the videos and other content being sent by the app’s users to be tracked and altered, according to two web developers.
Talal Haj Bakry and Tommy Mysk noted in a blog post that the CDN used by TikTok still serves data over unencrypted HTTP instead of HTTPS, creating a gap in the app’s security that can be exploited.
“While this [using HTTP] improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors,” they said.
The app’s perceived risk has already led the U.S. military to ban service members from using the Chinese-owned app over its privacy and security issues. The company has rejected those claims, but the app’s conduct has also drawn legal action. In early 2019, the Federal Trade Commission said Musical.ly, TikTok’s earlier iteration, illegally collected and used children’s personal data, and levied a $5.7 million fine on the app for violating the Children’s Online Privacy Protection Act (COPPA).
Part of the problem is that TikTok takes advantage of the fact that Apple and Google still allow developers to opt out of HTTPS, a loophole kept for backward compatibility. But Bakry and Mysk said doing so should be a rare exception, not the practice of such a heavily used app. The current versions of TikTok for iOS (15.5.6) and Android (15.7.4) still send content to the CDN over HTTP.
“Consequently, TikTok inherits all of the known and well-documented HTTP vulnerabilities. Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history. Public Wifi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort,” they wrote.
This leaves anyone using the TikTok app open to man-in-the-middle attacks, in which a threat actor could replace the video, photo or text being transmitted with spam or fake news designed to embarrass the sender.
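To make the exposure concrete, here is an added audit script (not from the article or from Bakry and Mysk) that a reviewer could run over a capture of their own test device’s traffic: it reports which fetches were visible, and alterable, in cleartext and which only exposed a server name via TLS. The flow records are constructed; v34.muscdn.com is the CDN host named in the article, and the API host is a made-up placeholder.

```python
"""Audit a device's captured traffic for cleartext CDN fetches.

Added example. The flow records below are constructed to imitate what a
capture on a test device (or the router it is connected to) would show,
so the check runs offline; they are not real TikTok captures.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    dst_host: str  # Host header for HTTP, TLS SNI for HTTPS
    payload: str   # first bytes the client sent, as seen on the wire


# Constructed session: two cleartext CDN fetches plus one TLS connection.
# v34.muscdn.com comes from the article; api.example-app.invalid is made up.
SAMPLE_FLOWS: List[Flow] = [
    Flow("v34.muscdn.com",
         "GET /video/tos/abc123/play.mp4 HTTP/1.1\r\nHost: v34.muscdn.com\r\n\r\n"),
    Flow("v34.muscdn.com",
         "GET /img/avatar/def456.jpeg HTTP/1.1\r\nHost: v34.muscdn.com\r\n\r\n"),
    Flow("api.example-app.invalid", "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]

HTTP_METHODS = ("GET ", "HEAD ", "POST ")


def audit_flows(flows: List[Flow]) -> Dict[str, List]:
    """Report what a passive on-path observer learns from each flow.

    Cleartext HTTP reveals the full URL (host + path), i.e. exactly which
    media the user fetched, and the response can be rewritten in transit.
    TLS reveals at most the server name via SNI; path and body stay hidden.
    """
    report: Dict[str, List] = {"cleartext_urls": [], "tls_hosts": []}
    for f in flows:
        if f.payload.startswith(HTTP_METHODS):
            method, path, _ = f.payload.split(" ", 2)
            report["cleartext_urls"].append(
                {"method": method, "url": f"http://{f.dst_host}{path}"})
        elif f.payload.startswith("\x16\x03"):  # TLS handshake record header
            report["tls_hosts"].append(f.dst_host)
    return report


def cleartext_media_count(report: Dict[str, List]) -> int:
    """Number of objects whose fetch was visible (and alterable) in transit."""
    return len(report["cleartext_urls"])


if __name__ == "__main__":
    result = audit_flows(SAMPLE_FLOWS)
    for entry in result["cleartext_urls"]:
        print("EXPOSED", entry["method"], entry["url"])
    print("TLS-only hosts:", result["tls_hosts"])
```

A non-zero cleartext count for a media CDN is the finding the article describes; the fix is on the app side (HTTPS for the CDN), not something the user can configure.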
Conducting such an attack would involve setting up a server that mimics TikTok’s and then directing traffic in that direction.
Bakry and Mysk said this is a simple task.
“It merely includes writing a DNS record for v34.muscdn.com that maps the domain name to the IP address of our fake server. This can be achieved by actors who have direct access to the routers that users are connected to,” they said.
Those with such router access who might act maliciously include Wi-Fi operators, VPN providers, ISPs, and government and intelligence agencies.
“We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts,” they said.
The researchers said TikTok must adhere to industry data privacy standards to protect its base of 800 million monthly active users.