TikTok users beware: Hackers could swap your videos with their own

Mobile app developers Tommy Mysk and Talal Haj Bakry just published a blog article entitled “TikTok vulnerability enables hackers to show users fake videos“.
As far as we can see, they’re right.
(We replicated their results with a slightly older Android version of TikTok from a few days ago, 15.5.44; their tests included the very latest builds on Android and iOS, numbered 15.7.4 and 15.5.6 respectively.)
We used a similar approach to Mysk and Haj Bakry to look at the network traffic produced by TikTok – we installed the tPacketCapture app on Android and then ran the TikTok app for a while to flip through a few popular videos.
The tPacketCapture app works rather like tcpdump on Unix/Linux computers, logging your network packets to a file called a .pcap (short for packet capture) that you can analyze later at your leisure.
We imported our .pcap file back into Wireshark on Linux, which automatically “dissects” the captured packets to give you a human-readable interpretation of their contents.
As you’d expect, a lot of TikTok’s network conversation is encrypted using TLS to create HTTPS (secure HTTP) connections, as you can see if we extract a representative subset of TLS setup packets from our capture file:

   TYPE     CONTENT
   -------  -------
   TLSv1.2  Client Hello
   TLSv1.2  Server Hello, Certificate
   TLSv1.2  Certificate Status, Server Key Exchange, Server Hello Done
   TLSv1.2  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   TLSv1.2  New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
   TLSv1.2  Client Hello
   TLSv1.2  Server Hello, Certificate, Certificate Status, Server Key Exchange, Server Hello Done
   TLSv1.2  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   TLSv1.2  New Session Ticket, Change Cipher Spec, Encrypted Handshake Message, Application Data
   TLSv1.2  Client Hello
   TLSv1.2  Server Hello
   TLSv1.2  Certificate, Certificate Status, Server Key Exchange, Server Hello Done
   TLSv1.2  Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
   TLSv1.2  New Session Ticket, Change Cipher Spec, Encrypted Handshake Message, Application Data

So the TikTok programmers certainly seem to know about TLS and why it’s important.
But huge swathes of the content that gets sent back from TikTok’s content delivery network (CDN) isn’t encrypted, as this randomly chosen sample of packets from the capture reveals (we shortened the URLs because some of them were very long):

   TYPE     CONTENT
   -------  -------
   HTTP     GET /img/tos-maliva[...................].webp HTTP/1.1      <--WEBP image
   HTTP     GET /aweme/100x100/tiktok-obj/[........].webp HTTP/1.1      <--WEBP image
   HTTP     GET /b819[....]/5e9533a3/video/tos/[...]&vl=&vr= HTTP/1.1   <--MP4 video
   HTTP     GET /971e[....]/5e9533d2/video/tos/[...]&vl=&vr= HTTP/1.1   <--MP4 video
   HTTP     GET /img/musically-maliva-obj/1[.......].jpeg HTTP/1.1      <--JPEG image
   HTTP     GET /obj/musically-maliva-obj/UK_DE_comedy.jpg HTTP/1.1     <--JPEG image
   HTTP     GET /img/musically-maliva-obj/1[.......].jpeg HTTP/1.1      <--JPEG image

The data fetched using plain old unencrypted HTTP requests included profile pictures, still frames from videos, and the videos themselves.

What harm done?

At this point, you might be wondering, “If all the data transmitted via HTTP is already available for anyone to view, what harm does this cause?”
For example, it took us a few seconds to extract these avatar images and video stills directly from the unencrypted data that we found in our packet dump:

But we were also able to view all that content in the app without logging in – in other words, those images were already intended, by the people who uploaded them in the first place, to be visible to anyone who cared to look.
Anyone, in fact, who merely downloaded and played around with the TikTok app for a few minutes, as we did.
However, as Mysk and Haj Bakry pointed out in their article, there are two important reasons why apps of this sort should use HTTPS for everything:

• Privacy. Anyone sniffing your TikTok traffic can easily tell what videos you’re watching, which profiles you’ve come across, and the order in which you’re moving through the site. That gives away something about you – your likes, dislikes and concerns, for example; perhaps even hints about your friends and family. And there is simply no excuse for apps to let other people on the network make inferences of that sort through simple network sniffing.
• Authenticity. Anyone who can divert your web requests to a server of their own – the owner of the Wi-Fi network in your building or house, for example – could modify HTTP traffic undetected, so they could feed you fake videos in place of the ones you were supposed to see. Remember that HTTPS not only encrypts the traffic you receive so that other people can’t snoop on it, but also protects its integrity so that it can’t be tampered with along the way.

Indeed, Mysk and Haj Bakry’s post includes some short videos showing fake coronavirus news videos inserted into the TikTok app where you certainly wouldn’t expect to see them.
They delivered their “fake news” by booby-trapping their own network router to redirect requests from TikTok’s CDN to use their own video server instead.
But if the TikTok app were using HTTPS throughout, that sort of deception would be considerably more difficult because their router would not have the right HTTPS certificate to vouch for their swapped-out content, so the app would reject it.

What to do

As far as we can see, TikTok has made the same sort of programming blunder that Tinder made (and then hurriedly fixed) back in 2018.
TikTok’s regular website does seem to use HTTPS for serving up videos; but its app, perhaps for reasons of simplicity and speed, does not.
That’s good news, because it implies that TikTok’s CDN is already perfectly well-equipped to handle HTTPS requests, and therefore that the company ought to be able to update its app quickly to bring it into the 2020s.
In the meantime, we’ll repeat the advice we gave when Tinder had to rush to add HTTPS into its app two years ago:

• For TikTok users. Be careful how seriously you take any of the videos that you see in the app – they could be swapped out fairly easily. If it’s a video of someone dropping Mentos into a toilet bowl filled with Diet Pepsi (spoiler: big mess!), falsification doesn’t matter much. But if you are looking for advice on the coronavirus pandemic, don’t rely on TikTok videos until this issue is fixed. If you are worried about how much others on your network might learn about you by eavesdropping on your TikTok viewing habits, stop using the TikTok app and stick to the website instead.
• For the TikTok programmers. You’ve got all the images and videos on secure servers already, so stop cutting corners (we’re guessing you thought it would speed the mobile app up a bit to have the images unencrypted). Switch your mobile app to use HTTPS throughout.
• For software engineers everywhere. Don’t let the product managers of your mobile apps force you to take security shortcuts. If you outsource your mobile development, don’t let the design team convince you to let form run ahead of function. In 2020, HTTPS isn’t “nice to have in a future version”, but something that you should not ship without.

Latest Naked Security podcast