The Mysk Blog reported this week that they tricked TikTok into connecting to their fake server. They say they hijacked the timeline so that the app shows spam videos about COVID-19.
A summary of the Mysk Blog, dated April 13, 2020, says, “TikTok app uses insecure HTTP to download media content. Like all social media apps with a large user base, TikTok relies on Content Delivery Networks (CDNs) to distribute their massive data geographically.
“TikTok’s CDN chooses to transfer videos and other media data over HTTP. While this improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors. This article explains how an attacker can switch videos published by TikTok users with different ones, including those from verified accounts.”
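An added illustration (not code from Mysk or TikTok) of the mitigation the quoted risk calls for: a clip fetched over plaintext HTTP can still be checked if the feed the app already receives over HTTPS carries a digest of each clip, so a substituted video is rejected before it is shown. The CDN URL and clip bytes below are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data (not from the Mysk write-up): the clip a creator
# uploaded and a different clip an on-path attacker substitutes for it.
ORIGINAL_CLIP = b"ftypmp42 original clip bytes (constructed)"
SWAPPED_CLIP = b"ftypmp42 substituted clip bytes (constructed)"
MEDIA_URL = "http://cdn.example.invalid/video/12345.mp4"  # hypothetical


def build_manifest(items):
    """Server side: the feed response, which the app fetches over TLS,
    lists each media URL with the SHA-256 of the bytes it should return."""
    return {url: hashlib.sha256(data).hexdigest() for url, data in items}


def verify_media(manifest, url, body):
    """Client side: accept a CDN response only when its digest matches the
    one delivered over the authenticated channel. Returns (ok, reason)."""
    expected = manifest.get(url)
    if expected is None:
        return False, "url not listed in manifest"
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: content altered in transit"
    return True, "ok"


def plaintext_fetches(manifest):
    """Audit helper: which manifest entries are still fetched over HTTP and
    therefore depend entirely on the digest check for their integrity."""
    return sorted(u for u in manifest if urlsplit(u).scheme == "http")


if __name__ == "__main__":
    manifest = build_manifest([(MEDIA_URL, ORIGINAL_CLIP)])
    print(verify_media(manifest, MEDIA_URL, ORIGINAL_CLIP))
    print(verify_media(manifest, MEDIA_URL, SWAPPED_CLIP))
    print(plaintext_fetches(manifest))
```

The digest check only covers substitution; serving the CDN over HTTPS is still needed to stop the tracking the article mentions.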
Erich Kron, Security Awareness Advocate, KnowBe4, said, “Anytime an internet application uses HTTP instead of HTTPS, there is a risk of the information being modified in a man-in-the-middle attack. While this attack is possible, the risks are fairly low given the requirements needed to pull it off.
“You really should not be using TikTok as your source of important news without verifying its authenticity by going straight to the news media site to confirm it.
“It is critical that we teach people how to verify stories on legitimate websites, especially given the proliferation of misleading information in all areas of social media, especially during highly emotional times like this COVID-19 pandemic.”