TikTok users beware: Hackers could swap your videos with their own

Mobile app developers Tommy Mysk and Talal Haj Bakry just published a blog article entitled “vulnerability enables hackers to show fake videos”.

As far as we can see, they’re right.

(We replicated their results with a slightly older Android version of TikTok from a few days ago, 15.5.44; their tests included the very latest builds on Android and iOS, numbered 15.7.4 and 15.5.6 respectively.)

We used a similar approach to Mysk and Haj Bakry to look at the network traffic produced by TikTok – we installed the tPacketCapture app on Android and then ran the TikTok app for a while to flip through a few popular videos.

The tPacketCapture app works rather like tcpdump on Unix/Linux computers, logging your network packets to a file called a .pcap (short for packet capture) that you can analyze later at your leisure.

We imported our .pcap file back into Wireshark on Linux, which automatically “dissects” the captured packets to give you a human-readable interpretation of their contents.

As you’d expect, a lot of TikTok’s network conversation is encrypted using TLS to create HTTPS (secure HTTP) connections, as you can see if we extract a representative subset of TLS setup packets from our capture file:

   TLSv1.2  Client Hello
   TLSv1.2  Server Hello, Certificate
   TLSv1.2  Certificate Status, Server Key Exchange, Server Hello Done
   TLSv1.2  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   TLSv1.2  New Session Ticket, Change Cipher Spec, Encrypted Handshake Message

   TLSv1.2  Client Hello
   TLSv1.2  Server Hello, Certificate, Certificate Status, Server Key Exchange, Server Hello Done
   TLSv1.2  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   TLSv1.2  New Session Ticket, Change Cipher Spec, Encrypted Handshake Message, Application Data

   TLSv1.2  Client Hello
   TLSv1.2  Server Hello
   TLSv1.2  Certificate, Certificate Status, Server Key Exchange, Server Hello Done
   TLSv1.2  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   TLSv1.2  New Session Ticket, Change Cipher Spec, Encrypted Handshake Message, Application Data

So the TikTok programmers certainly seem to know about TLS and why it’s important.

But huge swathes of the content that gets sent back from TikTok’s content delivery network (CDN) aren’t encrypted at all, as this randomly chosen sample of packets from the capture reveals (we shortened the URLs because some of them were very long):

   HTTP  GET /img/tos-maliva[...................].webp HTTP/1.1      <--WEBP image
   HTTP  GET /aweme/100x100/tiktok-obj/[........].webp HTTP/1.1      <--WEBP image
   HTTP  GET /b819[....]/5e9533a3/video/tos/[...]&vl=&vr= HTTP/1.1   <--MP4 video
   HTTP  GET /971e[....]/5e9533d2/video/tos/[...]&vl=&vr= HTTP/1.1   <--MP4 video
   HTTP  GET /img/musically-maliva-obj/1[.......].jpeg HTTP/1.1      <--JPEG image 
   HTTP  GET /obj/musically-maliva-obj/UK_DE_comedy.jpg HTTP/1.1     <--JPEG image
   HTTP  GET /img/musically-maliva-obj/1[.......].jpeg HTTP/1.1      <--JPEG image

The data fetched using plain old unencrypted HTTP requests included profile pictures, still frames from videos, and the videos themselves.
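The distinction Wireshark draws above, TLS handshake records on one side and plaintext HTTP requests on the other, can be made with a few dozen lines of code, which is a useful way to audit your own app’s traffic for the same mistake. The script below is an added example, not code from the article or from Mysk and Haj Bakry: it builds a small classic-pcap capture in memory (the frames, addresses and shortened URLs are constructed, modelled on the excerpt above), then walks the capture, picks out the TCP payloads, labels each one as a TLS record or an HTTP request, and lists every media fetch that went over plain HTTP.

```python
"""Minimal pcap audit: separate TLS records from plaintext HTTP requests.

Added example using only the Python standard library. The capture is
constructed in memory; a real tPacketCapture .pcap can be passed to
audit_capture() as bytes instead.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
# TLS handshake message types (RFC 5246 section 7.4), enough to label the
# records listed in the article's capture excerpt.
TLS_HANDSHAKE_NAMES = {
    1: "Client Hello", 2: "Server Hello", 4: "New Session Ticket",
    11: "Certificate", 12: "Server Key Exchange", 14: "Server Hello Done",
    16: "Client Key Exchange", 22: "Certificate Status",
}
MEDIA_SUFFIXES = (".mp4", ".webp", ".jpeg", ".jpg")


def build_frame(src_port, dst_port, payload):
    """Construct an Ethernet/IPv4/TCP frame carrying payload.
    Addresses are constructed placeholders; checksums are left zero."""
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1, 0x5018, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([203, 0, 113, 10]))
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap file (the format tPacketCapture writes)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield each captured frame from a little-endian classic pcap."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    pos = 24                                  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                       # not TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src_port, dst_port, tcp[data_offset:]


def classify_payload(payload):
    """Label a TCP payload as a TLS record, a plaintext HTTP request, or other."""
    if len(payload) >= 6 and payload[1] == 0x03:         # TLS record, major version 3
        if payload[0] == 0x16:                           # handshake record
            return "tls", TLS_HANDSHAKE_NAMES.get(payload[5], f"handshake type {payload[5]}")
        if payload[0] == 0x17:
            return "tls", "Application Data"
    request_line = payload.split(b"\r\n", 1)[0]
    if request_line.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in request_line:
        return "http", request_line.decode("ascii", "replace")
    return "other", ""


def looks_like_media(path):
    """Heuristic: media by file suffix, or a /video/ path segment as in the excerpt."""
    path = path.lower().split("?")[0]
    return path.endswith(MEDIA_SUFFIXES) or "/video/" in path


def audit_capture(pcap):
    """List every plaintext HTTP request, flagging the ones that fetch media.
    Anything in this list is readable, and replaceable, by whoever sits on the path."""
    findings = []
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        _, dst_port, payload = parsed
        kind, request_line = classify_payload(payload)
        if kind == "http":
            path = request_line.split(" ")[1]
            findings.append({"port": dst_port, "request": request_line,
                             "media": looks_like_media(path)})
    return findings


# Constructed sample traffic modelled on the article's excerpt (URLs shortened
# the same way). The TLS Client Hello is a truncated placeholder record.
SAMPLE_CAPTURE = build_pcap([
    build_frame(40000, 443, b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"),
    build_frame(40001, 80, b"GET /b819[....]/video/tos/[...]&vl=&vr= HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    build_frame(40002, 80, b"GET /img/musically-maliva-obj/1[.......].jpeg HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    build_frame(40003, 80, b"GET /api/status HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    build_frame(40004, 443, b"\x17\x03\x03\x00\x02\xaa\xbb"),
])

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        tag = "MEDIA" if finding["media"] else "other"
        print(f"plaintext HTTP to port {finding['port']} [{tag}]: {finding['request']}")
```

Against the constructed capture the script reports three plaintext requests, two of them media, and says nothing about the two TLS records, which is the same picture the Wireshark excerpts give: the app negotiates TLS for its API conversation and then fetches the pictures and videos in the clear. The defence is the obvious one the article implies: serve CDN content over HTTPS too, so that a capture like this one yields only TLS records.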
