One of the most downloaded apps of last year, TikTok has been increasing in popularity recently. The short video making platform stood second only to WhatsApp in net Android downloads in 2019. However, with a larger user base come larger privacy concern. Two iOS developers recently used a simple trick to trick the app and connected it to their own fake server. Also Read - TikTok crosses 1 billion downloads on Google Play Store
The hack was largely possible because TikTok uses HTTP instead of HTTPS to pull in media content from the company’s CDNs (Content Delivery Networks). Using HTTP improves data transfer performance. However, it puts users at a risk because of the lack of data encryption. Also Read - Indian government reportedly asked TikTok, Facebook to remove misinformation on coronavirus
Watch: Top 5 apps providing free services during coronavirus pandemic
The developers who hacked the app did something scary following the hack. Mysk (their collective name) proceeded to switch videos posted by TikTok users with their own videos via the DNS attack. The duo managed to switch in videos that shared fake information on the ongoing Coronavirus outbreak. This showed how dangerous the risks here can be. The videos with the fake information could be swapped out for some other video posted by, say the WHO, American Red Cross, or another reputed source of information. Also Read - TikTok donates medical equipment and supply worth Rs 100 crore to fight COVID-19 pandemic
The hack, however, affected only the users directly connected to the developer’s server. Mysk had no malicious intent and only wanted to prove that the attack is possible. The point to be taken here is that if they could do it, so can other attackers with ill-intent. Moreover, not switching to HTTPS would also put TikTok against a bunch of other HTTP-related security vulnerabilities. The hack affected the Android TikTok app version 5.7.4 and the iOS app version 15.5.6.
A couple of days ago, TikTok achieved a new milestone, crossing over a billion downloads on the Google Play Store. Hence it is known that the app has a large user base and then again, this is just the Android user share. The app also has quite a few iOS users. Things get more disturbing when you realize that people are using social media platforms like the app more when in lockdown. This increases the chance of wrong information posted via the app through an attacker.