Social media platform TikTok is the latest video service to prioritize ease over security, resulting in an exploitable vulnerability that could lead to users being tracked and shown incorrect videos. The exploit lies in TikTok's use of HTTP, rather than HTTPS, to send data back and forth between the user and the service's content delivery network (CDN).
Using the insecure HTTP rather than the now more common HTTPS means TikTok videos launch and stream a bit more quickly, but it also means that sniffing network traffic to uncover user data and then, with the help of a corrupted DNS server, redirect video requests to illegitimate servers to launch bogus programming is trivial. Talal Haj Bakry and Tommy Mysk, the researchers at Mysk.co who uncovered the vulnerability, demonstrated an attack and showed the extent of mischief possible through an exploit.
Several browser vendors, including Apple and Google, typically require HTTPS connections but allow HTTP for backward-compatibility. TikTok uses HTTP exclusively. As Tim Erlin, vice president of product management and strategy at Tripwire says, "We often ask that users be diligent about evaluating the sources of information they receive from social media, but diligence isn't helpful when an attacker can simply impersonate an authoritative source."
Read more here.
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.