TikTok Flaw Allows Threat Actors to Plant Forged Videos in User Feeds
2020-04-14 12:07

A security weakness in the popular TikTok video-sharing service allows a local attacker to hijack any video content streamed to a user's TikTok feed and swap it out with hacker-generated content.

In their proof-of-concept attack, Mysk and Bakry demonstrated how popular TikTok users, using verified accounts, could have their video streams hijacked to show misleading videos downplaying the severity of the COVID-19 pandemic.

TikTok for iOS and TikTok for Android still use unencrypted HTTP to connect to the TikTok CDN, Bakry and Mysk noted.

In their PoC, researchers hosted their forged videos on a server that mimics the behavior of TikTok CDN servers, v34[.

Beyond random threat actors with various agendas, the researchers warned, others able to use the TikTok weakness to create and spread fake videos include Wi-Fi operators, who can configure a router to use a corrupt DNS server; malicious VPN providers and ISPs such as telecoms, which can point their users at a corrupt DNS server; and governments and intelligence agencies, which can force ISPs to install tools that track or alter data.
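As an added illustration of how a defender would spot the two conditions the article describes (media fetched over cleartext HTTP, and a CDN hostname resolving to an address outside its expected ranges), here is a small detection pass over constructed egress log lines. This is example code, not the researchers' PoC or anything from TikTok; the log format, hostnames, addresses and netblocks are invented placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log: "timestamp client method url resolved_ip" per line.
# Hosts, addresses and netblocks are placeholders, not real TikTok CDN values.
SAMPLE_LOG = """\
2020-04-14T12:00:01Z 10.0.0.5 GET http://video-cdn.example/v/clip1.mp4 203.0.113.10
2020-04-14T12:00:02Z 10.0.0.5 GET https://api.example/v1/feed 198.51.100.7
2020-04-14T12:00:03Z 10.0.0.9 GET http://video-cdn.example/v/clip2.mp4 192.0.2.44
2020-04-14T12:00:04Z 10.0.0.9 GET https://video-cdn.example/v/clip3.mp4 203.0.113.11
"""

CDN_HOST = "video-cdn.example"                      # assumed CDN hostname (placeholder)
EXPECTED_CDN_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed legitimate CDN netblocks
MEDIA_RE = re.compile(r"\.(mp4|m3u8|ts|webm)$", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Finding:
    client: str
    url: str
    reason: str


def check_line(line):
    """Return a list of findings for one log line (empty if nothing suspicious)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []                                   # unparseable line: skip, do not guess
    _ts, client, _method, url, ip = m.groups()
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    findings = []
    # Condition 1: video content pulled over plain HTTP can be swapped by anyone on the path.
    if scheme == "http" and MEDIA_RE.search(path):
        findings.append(Finding(client, url, "cleartext media fetch"))
    # Condition 2: the CDN name resolving outside known ranges suggests a corrupt DNS answer.
    if host == CDN_HOST and not any(ipaddress.ip_address(ip) in n for n in EXPECTED_CDN_NETS):
        findings.append(Finding(client, url, f"CDN host resolved outside expected ranges ({ip})"))
    return findings


def scan(log_text):
    """Run check_line over every line of a log and collect the findings."""
    out = []
    for line in log_text.splitlines():
        out.extend(check_line(line))
    return out
```

Run `scan(SAMPLE_LOG)`: the first and third lines are flagged for cleartext media, and the third additionally for resolving the CDN name to an address outside the expected netblock.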


News URL

https://threatpost.com/tiktok-flaw-allows-threat-actors-to-plant-forged-videos-in-user-feeds/154760/