TikTok Flaw Allows Hackers to Put Fake Videos on Your Account: Report

Two developers showcased the problem by replacing WHO's TikTok video with a fake video.

Advertisement
By Abhik Sengupta | Updated: 15 April 2020 17:13 IST
Highlights
  • TikTok flaw was exposed by two iOS developers in a blog post
  • Developers said TikTok's CDN delivers files via unencrypted HTTP
  • This can expose TikTok users' watch history and more

TikTok recently surpassed one billion installs on the Google Play Store

Popular short video sharing platform TikTok has been called out by two developers who claim that the company uses an insecure network to deliver bulk of the data, thereby, risking the privacy of the users on its platform. According to the two iOS developers, TikTok allegedly uses "insecure HTTP to download media content," that "puts user privacy at risk" since unencrypted HTTP traffic can be easily tracked and even altered by malicious actors. This means users' data including their watch history can be accessed by hackers. Meanwhile, TikTok is yet to respond to the 'security threat' exposed by the developers. The company's app recently surpassed one billion installs on the Google Play Store.

The developers, Talal Haj Bakry and Tommy Mysk, in a blog post highlighted that due to usage of insecure HTTP, hackers can also "switch videos published by TikTok users with different ones, including those from verified accounts." The duo further claimed this vulnerability can also expose user's watch history.

Advertisement

While explaining why the security threat exists, the developers in the blog post stated that TikTok like another social media outlet relies on external servers or Content Delivery Networks (CDNs) to deliver bulk of its data. The post added that TikTok's CDN further chooses to transfer videos and other media data over unencrypted HTTP.

"While this [HTTP] improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors," the developers wrote.

This essentially means that anyone who can see the network traffic passing through a Wi-Fi router could read information coming from TikTok's servers and modify it by even planting a fake video in an account without user's knowledge.

According to the blog post, files such as "videos, profile photos, and video still images" are transferred via HTTP, indicating they are at risk of being accessed by hackers. To further showcase the vulnerability of the TikTok app, Bakry and Mysk posted videos on their blog where they intercepted the data from CDN servers and replaced with "malicious content". The video, therefore, showed fake COVID-19 related content on WHO's TikTok account, which was planted by them.

Advertisement

"We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the Internet with misleading facts," the developers said.

However, the duo cautioned that this "malicious content" was only seen by those who were connected to their servers. The developers indicated that exposed threat, when replicated on a large scale server, can post greater privacy or fake-news related risks. They further added the vulnerability is present on TikTok's iOS version 15.5.6 and Android version 15.7.4.

Advertisement

Meanwhile, TikTok is yet to address the concerns raised by the two developers. TikTok recently surpassed a billion downloads on Google Play. This was amid lockdowns in several countries to curb the spread of novel coronavirus.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: TikTok, TikTok flaw, Data Privacy
Advertisement

Related Stories

Popular Mobile Brands
  1. Moto G77 Power Listing Confirms Key Specifications Before July 8 Debut
  2. Xiaomi 18 Pro Max Prototype Leaked With Dual 200MP Cameras, 100W Charging
  3. Vivo Y500 4G Makes Global Debut With an 8,100mAh Battery: See Price
  4. Samsung Galaxy Z Fold 8 Series Could Ship With This Notable Display Upgrade
  1. Apple Brings Back Card Payments for App Store and iCloud Transactions in India After Five Years
  2. Samsung Galaxy Z Fold 8 Series Tipped to Launch With a New Hinge to Minimise Display Crease
  3. Huawei Mate X8 Display, Camera Details Leaked Online; Mate XT 2 and Mate X8 Said to Launch With Kirin Processor
  4. Redmi Said to Be Working on 7-Inch 'Performance' Smartphone
  5. Bitcoin Trades Near Two-Week High as Crypto Investor Sentiment Improves
  6. iOS 27 System Prompt Reportedly Hints at Apple’s New Smart Wearable With Two Cameras
  7. Xiaomi Civi Series Discontinued With No Next-Generation Model Planned, Claims Tipster
  8. Apple’s Foldable iPhone to Hit Shelves Later Than Anticipated Due to ‘Manufacturing Challenges’, Analyst Claims
  9. Samsung Galaxy F70 Pro Bluetooth SIG Listing Suggests Its Launch Might Be Right Around the Corner
  10. iPhone Air 2 Design Leaked in New Renders That Point to Dual 48-Megapixel Cameras
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.