Security Researchers Take Advantage of Insecure HTTP to Display Fake Videos on TikTok
An investigation by Talal Haj Bakry and Tommy Mysk has revealed that backwards-compatible support for HTTP in iOS and Android is allowing data from popular apps such as TikTok to be intercepted and altered.
While most apps have made the transition to HTTPS, the research discovered that TikTok on iOS and Android still uses unencrypted HTTP to download media content. Consequently, TikTok inherits all of the known and well-documented HTTP vulnerabilities.
Apple introduced App Transport Security in iOS 9, requiring all HTTP connections to use encrypted HTTPS. Google similarly changed the default network security configuration in Android Pie to block all plaintext HTTP traffic. HTTP vulnerabilities still exist, however, since Apple and Google continue provide a way for developers to opt-out of HTTPS for backwards-compatibility.
The investigation proved that it is possible to successfully intercept TikTok traffic and fool the app to show fake videos as if they were published by popular and verified accounts. Any router between the TikTok app and TikTok's servers can easily expose a user's watch history, and change profile photos and videos. While only users connected to the router will see the malicious content, the research suggests that if a popular DNS server was hacked to include a corrupt DNS record, media data could be changed on a large scale.
Related Stories
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99.
The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
Google has rolled out picture-in-picture support as an "experimental" feature for YouTube premium subscribers, allowing them to watch video in a small window when the app is closed.
If you're a premium YouTube subscriber looking to try out picture-in-picture, follow these steps: Launch a web browser and sign into your YouTube account at YouTube.com.
Navigate to www.youtube.com/new.
Scroll...
Apple has been involved in a long-running iPhone trademark dispute in Brazil, which was revived today by IGB Electronica, a Brazilian consumer electronics company that originally registered the "iPhone" name in 2000.
IGB Electronica fought a multi-year battle with Apple in an attempt to get exclusive rights to the "iPhone" trademark, but ultimately lost, and now the case has been brought to...
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option.
A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
Apple today released iOS 13.1.3 and iPadOS 13.1.3, minor updates to the iOS 13.1.2 software that was released two weeks ago. This is the fourth update to the iOS 13 operating system that came out in September.
The iOS and iPadOS 13.1.3 updates are available on all eligible devices over-the-air in the Settings app. To access the updates, go to Settings > General > Software Update....
For this week's giveaway, we've teamed up with MAXOAK to offer MacRumors readers a chance to win a Bluetti portable power station and an accompanying solar panel. Bluetti makes a range of portable power station options that are useful for camping, emergencies, power outages, off-grid living, and similar situations.
The Bluetti EB70 is a solid middle of the road option that offers 716Wh and...
The upcoming 14-inch MacBook Pro is set to be more expensive than the current 13-inch MacBook Pro and both the 14 and 16-inch models will offer the same performance, according to the leaker known as "Dylandkt."
The leaker shared the information on Twitter, explaining that both of the upcoming MacBook Pro models, expected to come in 14 and 16-inch sizes, will feature the same performance due...
During today's earnings call covering the third fiscal quarter of 2021 (second calendar quarter), Apple CFO Luca Maesteri said that Apple is expecting supply constraints to affect the iPhone and the iPad in the coming quarter.
"The supply constraints that we've seen in the June quarter will be higher in the September quarter," said Maestri. The constraints will impact iPhone and iPad sales...
Apple recently dropped the $19.99 fee for OS X Lion and Mountain Lion, making the older Mac updates free to download, reports Macworld.
Apple has kept OS X 10.7 Lion and OS X 10.8 Mountain Lion available for customers who have machines limited to the older software, but until recently, Apple was charging $19.99 to get download codes for the updates.
As of last week, these updates no...
As is tradition, Apple executives Craig Federighi and Greg Joswiak joined Daring Fireball's John Gruber in an episode of The Talk Show to discuss several announcements that Apple made over this weeks WWDC, including iPadOS 15, macOS Monterey, and a large focus around privacy.
Federighi kicks off the conversation discussing the common architecture, now thanks to Apple silicon, across all of...
Top Rated Comments
The Chinese apps have insecure HTTP because the government needs back-doors. I know first hand.
Having seen Vine come and go in what felt like an instant (while I was in high school), the fact that TikTok isn’t dead yet is a MARVEL to me. Especially with how clearly unsafe it is, and how clearly stupid all the teenage influencers on it are.
Vine was the genesis of Jake/Logan Paul, and the most we got out of that was a horribly-poor-taste YouTube video with a hanged corpse in the icon, and Post Malone’s house getting accidentally doxxed. (Yes, Jake Paul is stupid enough to accidentally dox someone.)
With TikTok, I feel like we could get the Chinese government somehow getting into the accounts of EVERY influencer, and every person that follows these influencers, and just…****ing something up majorly. I don’t know what, but if there’s anything I’ve learned in the last few months, it’s that you never know what’s around the corner.