Two security researchers have proven that TikTok can be easily infiltrated and that false information regarding the coronavirus can be planted in users' feeds. It goes to show that the platform clearly has a security flaw that makes it vulnerable to cyberattacks, putting the lives of its users in danger.

TikTok has received flak for its content-filtering procedures, but it's never been accused of allowing false information to spread on its platform. The hack is a way of warning users that false COVID-19 information could show up in their feeds at any given moment, as well as informing the app's developer of a security weakness that can be easily exploited by threat actors.

The issue lies in TikTok's continued use of an insecure HTTP connection. Though it does make content delivery faster, it also makes the app prone to manipulation and interception. It's been known for years that a shift to HTTPS will give users the protection they need, but TikTok seems oblivious to the dangers of insecure connections.

Google and Apple are encouraging their users to opt for a more secure connection, but both companies continue to "provide a way for developers to opt-out of HTTPS for backwards-compatibility," the researchers explained. They warn users that "TikTok for iOS (Version 15.5.6) and TikTok for Android (Version 15.7.4) still use unencrypted HTTP to connect to the TikTok CDN."
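The HTTPS opt-outs the researchers refer to are visible in an app's configuration files, so they can be audited. The script below is an added example, not code from the researchers or from TikTok: it flags the standard iOS App Transport Security and Android cleartext-traffic opt-out settings, and the sample files and the host `cdn.example.test` are constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
# Constructed sample inputs (hypothetical host, not taken from any real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>cdn.example.test</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
</dict></dict></dict></plist>"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">cdn.example.test</domain>
  </domain-config>
</network-security-config>"""


def audit_ios(plist_bytes):
    """List App Transport Security opt-outs found in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ios: NSAllowsArbitraryLoads permits HTTP to any host")
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ios: HTTP allowed for {domain}")
    return findings


def audit_android(manifest_xml, nsc_xml=None):
    """List cleartext opt-outs in a manifest and optional network security config."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append("android: usesCleartextTraffic=true in manifest")
    for node in ET.fromstring(nsc_xml).iter() if nsc_xml else []:
        if node.get("cleartextTrafficPermitted") == "true":
            hosts = [d.text.strip() for d in node.findall("domain")] or ["all hosts"]
            findings.append(f"android: {node.tag} permits HTTP for {', '.join(hosts)}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_ios(SAMPLE_INFO_PLIST) + audit_android(SAMPLE_MANIFEST, SAMPLE_NSC)))
```

An empty result means no cleartext opt-out was declared in the files checked; it says nothing about URLs hard-coded elsewhere in the app.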

The researchers created fake videos containing false information about the coronavirus and hosted them on their own server, which had been set up to copy a TikTok CDN. With control of a user's DNS settings, mimicking what's possible with control of an ISP and potentially impacting millions, "we directed the app to our fake server. Because it impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it."

Hacking with the intention of making people believe something is a fact when it's not is unethical, to say the least. However, the researchers merely want to point out that TikTok must address the security flaw immediately. It also serves as a warning to all TikTok users that misinformation can appear without warning, so it is a must to fact-check and only believe information coming from credible sources, such as the CDC and the WHO.

Misleading facts about COVID-19 can worsen the pandemic and may put the lives of many people in danger, especially those who are vulnerable to fake news. That being said, you can still use TikTok, but don't go believing that everything being fed to you by the app is a fact.