Security Researchers Take Advantage of Insecure HTTP to Display Fake Videos on TikTok
An investigation by Talal Haj Bakry and Tommy Mysk has revealed that backwards-compatible support for HTTP in iOS and Android is allowing data from popular apps such as TikTok to be intercepted and altered.
While most apps have made the transition to HTTPS, the research discovered that TikTok on iOS and Android still uses unencrypted HTTP to download media content. Consequently, TikTok inherits all of the known and well-documented HTTP vulnerabilities.
Apple introduced App Transport Security in iOS 9, requiring all HTTP connections to use encrypted HTTPS. Google similarly changed the default network security configuration in Android Pie to block all plaintext HTTP traffic. HTTP vulnerabilities still exist, however, since Apple and Google continue provide a way for developers to opt-out of HTTPS for backwards-compatibility.
The investigation proved that it is possible to successfully intercept TikTok traffic and fool the app to show fake videos as if they were published by popular and verified accounts. Any router between the TikTok app and TikTok's servers can easily expose a user's watch history, and change profile photos and videos. While only users connected to the router will see the malicious content, the research suggests that if a popular DNS server was hacked to include a corrupt DNS record, media data could be changed on a large scale.
Popular Stories
Due to production issues at Apple supplier factories in China, the iPhone 14 Pro and iPhone 14 Pro Max are backordered and basically out of stock at every store. If you were planning to gift or receive an iPhone 14 Pro model for the holidays and didn't already get one, you're basically out of luck because they're gone until late December.
Subscribe to the MacRumors YouTube channel for more ...
Apple plans to publicly release iOS 16.2 for the iPhone in mid-December, according to Bloomberg's Mark Gurman. The update remains in beta testing for now, with at least eight new features and changes already uncovered so far.
iOS 16.2 introduces a number of new features, including Apple's new whiteboard app Freeform, two new Lock Screen widgets for Sleep and Medications, the ability to hide...
Apple is aiming to launch an Apple-branded consumer-oriented vehicle by 2026, and its goal is to hit a price point under $100,000 to make the car appeal to a wider range of customers, reports Bloomberg.
Apple initially planned to design a car that might look similar to Canoo's Lifestyle Vehicle, where passengers could face one another in a limousine-style car with no steering wheel or...
iPhone 12 Pro and Pro Max, iPhone 13 Pro and Pro Max, and iPhone 14 Pro and Pro Max models feature a LiDAR Scanner next to the rear camera that can be used to measure a person's height instantly in Apple's preinstalled Measure app.
To measure a person's height, simply open the Measure app, point your iPhone at the person you want to measure, and make sure they are visible on the screen from...
Tuesday December 6, 2022 7:09 am PST by
Sami FathiApple today announced Apple Music Sing, a new feature in Apple Music that lets users sing their favorite songs with adjustable vocals and more.
Apple Music Sing will utilize Apple Music's real-time lyrics to allow users to sing to their favorite songs using adjustable vocals, background vocals, and duet view to allow more than one singer.Apple Music Sing includes:
Adjustable vocals: Users...
The next-generation MacBook Pro models could feature faster RAM, according to a recent report from a reliable source.
MacRumors Forums member "Amethyst," who accurately revealed details about the Mac Studio and Studio Display before those products were announced, recently provided information about Apple's upcoming 14- and 16-inch MacBook Pro models. The new machines are expected to feature...
UK-based tech company Nothing plans to launch a smartphone in the US to directly compete with Apple's iPhone, according to a new report out today. In an interview with CNBC, Nothing CEO Carl Pei said the startup is in "early conversations" with American cellular carriers about launching a new phone in the US, but he stopped short of naming any of the carriers or the phone model.
Nothing...
Mass shipments of Apple's long-rumored AR/VR headset may be delayed until the second half of 2023 due to unspecified "software-related issues," according to the latest information shared today by tech analyst Ming-Chi Kuo.
Apple headset render by Ian Zelbo Kuo said mass shipments of components for the headset are still likely to begin in the first half of 2023, but he believes that mass...
Apple in late October began testing iOS 16.2 and iPadOS 16.2 updates, providing betas to both developers and public beta testers. As of now, we've had four total betas, with the fourth beta having been released earlier this week. iOS 16.2 and iPadOS 16.2 are expected before the end of the year, and we thought we'd try to narrow down the launch timeline.
With only four betas released since...
Top Rated Comments
The Chinese apps have insecure HTTP because the government needs back-doors. I know first hand.
Having seen Vine come and go in what felt like an instant (while I was in high school), the fact that TikTok isn’t dead yet is a MARVEL to me. Especially with how clearly unsafe it is, and how clearly stupid all the teenage influencers on it are.
Vine was the genesis of Jake/Logan Paul, and the most we got out of that was a horribly-poor-taste YouTube video with a hanged corpse in the icon, and Post Malone’s house getting accidentally doxxed. (Yes, Jake Paul is stupid enough to accidentally dox someone.)
With TikTok, I feel like we could get the Chinese government somehow getting into the accounts of EVERY influencer, and every person that follows these influencers, and just…****ing something up majorly. I don’t know what, but if there’s anything I’ve learned in the last few months, it’s that you never know what’s around the corner.