Popular short video sharing platform TikTok has been called out by two developers who claim that the company uses an insecure network to deliver bulk of the data, thereby, risking the privacy of the users on its platform. According to the two iOS developers, TikTok allegedly uses "insecure HTTP to download media content," that "puts user privacy at risk" since unencrypted HTTP traffic can be easily tracked and even altered by malicious actors. This means users' data including their watch history can be accessed by hackers. Meanwhile, TikTok is yet to respond to the 'security threat' exposed by the developers. The company's app recently surpassed one billion installs on the Google Play Store.
The developers, Talal Haj Bakry and Tommy Mysk, in a blog post highlighted that due to usage of insecure HTTP, hackers can also "switch videos published by TikTok users with different ones, including those from verified accounts." The duo further claimed this vulnerability can also expose user's watch history.
While explaining why the security threat exists, the developers in the blog post stated that TikTok like another social media outlet relies on external servers or Content Delivery Networks (CDNs) to deliver bulk of its data. The post added that TikTok's CDN further chooses to transfer videos and other media data over unencrypted HTTP.
"While this [HTTP] improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors," the developers wrote.
This essentially means that anyone who can see the network traffic passing through a Wi-Fi router could read information coming from TikTok's servers and modify it by even planting a fake video in an account without user's knowledge.
According to the blog post, files such as "videos, profile photos, and video still images" are transferred via HTTP, indicating they are at risk of being accessed by hackers. To further showcase the vulnerability of the TikTok app, Bakry and Mysk posted videos on their blog where they intercepted the data from CDN servers and replaced with "malicious content". The video, therefore, showed fake COVID-19 related content on WHO's TikTok account, which was planted by them.
"We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the Internet with misleading facts," the developers said.
However, the duo cautioned that this "malicious content" was only seen by those who were connected to their servers. The developers indicated that exposed threat, when replicated on a large scale server, can post greater privacy or fake-news related risks. They further added the vulnerability is present on TikTok's iOS version 15.5.6 and Android version 15.7.4.
Meanwhile, TikTok is yet to address the concerns raised by the two developers. TikTok recently surpassed a billion downloads on Google Play. This was amid lockdowns in several countries to curb the spread of novel coronavirus.