Electronic news service of the Ministry of Communications and Information Technologies

Vulnerability in TikTok allows hackers to show users fake videos


The popular TikTok application downloads content over plain HTTP instead of a secure protocol (HTTPS), so it could be misused to spread misinformation on the platform, researchers Talal Haj Bakri and Tommy Misk warned. Bakri is an iOS developer at NuraLogix Corp. and Misk is a DJ and music producer.
 
The weakness allows an attacker positioned on the user's network path to intercept any video in a user's TikTok feed and replace it with content of their own.
 
The researchers released a proof of concept (PoC) that uses a man-in-the-middle (MitM) attack against devices running the TikTok application.
 
The root cause, the researchers say, is that the TikTok application fetches video content over unencrypted HTTP in order to transfer data faster. The absence of transport encryption, however, also lets an attacker freely modify any of that HTTP traffic, including the videos themselves.
 
The vulnerability is of particular concern, the researchers say, because social media is already used to spread misinformation and influence the public. They argue it could make the popular app the latest platform for spreading falsehoods among TikTok users.
 
In a demonstration of how the vulnerability can be exploited, Misk and Bakri showed that the accounts of popular TikTok users can be made to appear to play attacker-supplied videos, for example ones that downplay the severity of the COVID-19 pandemic.
 
According to Misk, users' videos, profile pictures and still video images are exposed to the attack because they are delivered from regional content delivery networks (CDNs) over the plain Hypertext Transfer Protocol (HTTP) instead of its encrypted variant, HTTPS.
 
Apple and Google already ship built-in mechanisms and settings in iOS and Android that require encrypted HTTPS for data transmission. However, they also give developers the ability to opt out of HTTPS for compatibility reasons, which "should be the exception, not the rule," the researchers wrote.
 
TikTok for iOS (version 15.5.6) and TikTok for Android (version 15.7.4) still use unencrypted HTTP to connect to the TikTok CDN, Bakri and Misk noted. They called on TikTok, a "social networking giant with about 800 million monthly active users", to address the issue as soon as possible and to "adhere to industry standards for privacy and data protection."
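The platform settings referred to above are the iOS App Transport Security (ATS) dictionary in an app's Info.plist and the Android Network Security Config. The following Python audit is an added example, not code from the article, from TikTok, or from Apple or Google: it parses both formats and reports every place where cleartext HTTP is permitted. The embedded configurations are constructed, with `cdn.example.test` as a placeholder domain; each weak configuration (a per-domain HTTP opt-out of the kind the researchers criticise) is shown beside a hardened one that keeps HTTPS mandatory.

```python
"""Audit iOS ATS and Android Network Security Config for cleartext HTTP opt-outs.

Added example; not the article's or any vendor's code. All configs below are
constructed for illustration and use the placeholder domain cdn.example.test.
"""
import plistlib
import xml.etree.ElementTree as ET

# Constructed Info.plist: ATS is on globally, but one CDN domain opts out of HTTPS.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example.test</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed hardened Info.plist: no exception domains, so ATS enforces HTTPS everywhere.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
  </dict>
</dict>
</plist>
"""

# Constructed Android network_security_config.xml with a per-domain cleartext opt-out.
WEAK_NETWORK_SECURITY_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">cdn.example.test</domain>
    </domain-config>
</network-security-config>
"""

# Constructed hardened Android config: cleartext blocked for every host.
HARDENED_NETWORK_SECURITY_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>
"""


def ats_cleartext_findings(plist_bytes: bytes) -> list[str]:
    """Return one finding per ATS setting that allows plain HTTP loads.

    A missing NSAppTransportSecurity dictionary means the iOS default applies,
    which is HTTPS-only, so an absent dictionary produces no findings.
    """
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = " (includes subdomains)" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads{scope}")
    return findings


def android_cleartext_findings(xml_bytes: bytes) -> list[str]:
    """Return one finding per Android config element that permits cleartext.

    Only base-config and top-level domain-config elements are inspected;
    nested domain-config and pin-set elements are out of scope here.
    """
    root = ET.fromstring(xml_bytes)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("base-config: cleartextTrafficPermitted=true")
    for domain_config in root.findall("domain-config"):
        if domain_config.get("cleartextTrafficPermitted") != "true":
            continue
        for domain in domain_config.findall("domain"):
            scope = " (includes subdomains)" if domain.get("includeSubdomains") == "true" else ""
            findings.append(f"{(domain.text or '').strip()}: cleartextTrafficPermitted=true{scope}")
    return findings


if __name__ == "__main__":
    for label, findings in [
        ("iOS weak", ats_cleartext_findings(WEAK_INFO_PLIST)),
        ("iOS hardened", ats_cleartext_findings(HARDENED_INFO_PLIST)),
        ("Android weak", android_cleartext_findings(WEAK_NETWORK_SECURITY_CONFIG)),
        ("Android hardened", android_cleartext_findings(HARDENED_NETWORK_SECURITY_CONFIG)),
    ]:
        print(f"{label}: {findings or 'no cleartext opt-outs'}")
```

Running the module prints the findings for each configuration. A review of a built app would feed it the real Info.plist extracted from the .ipa and the XML referenced by the manifest's `android:networkSecurityConfig` attribute; on Android, note that when no base-config is present the platform default depends on the app's target SDK level (cleartext is blocked by default from API 28 onward), which this audit does not model.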
 
Carrying out the attack requires control of a router through which the victim reaches the Internet and TikTok. The attacker can then redirect the HTTP requests for the video content in the user's TikTok feed to a server under their control. This lets them act as a man in the middle, manipulate all data sent over HTTP, and display their own video content in place of legitimate TikTok user content.
 
Beyond ordinary attackers, the researchers warned, this TikTok weakness could be exploited to create and disseminate fake videos by ISPs, malicious VPN providers, and governments and intelligence agencies, which can compel ISPs to install tools that monitor or modify traffic.






15/04/20