Similar to the explosive adoption in videoconferencing service Zoom Video Communications, traffic for short-form mobile video platform  TikTok has soared of late more than likely due in part to the coronavirus lockdowns and self-cocooning that has taken place over the last several weeks. However, as the authors below point out, “HTTP traffic can be easily tracked, and even altered by malicious actors.”

After the cybersecurity and data privacy issues that were uncovered with Zoom, we suspect much more will be made of this privacy vulnerability at TikTok in the coming days. Let’s remember that the average number of days between a breach being discovered according to Accenture is roughly 50 days.

TikTok’s continued use of HTTP to move sensitive data across the internet is allowing the videos and other content being sent by the app’s users to be tracked and altered, according to two web developers.

Talal Haj Bakry and Tommy Mysk noted in a blog that the CDN used by TikTok still uses unencrypted HTTP for data transfers instead of HTTPS creating a gap in their security that can be exploited.

“While this [using HTTP] improves the performance of data transfer, it puts user privacy at risk. HTTP traffic can be easily tracked, and even altered by malicious actors,” they said.

TikTok’s high risk factor has already pushed the U.S. military to ban its members from using the Chinese-owned app due to its privacy and security issues. The company has rejected those claims, but the app’s activity has spurred some legal action. In early 2019, the Federal Trade Commission said Musical.ly, TikTok’s earlier iteration, illegally gathered and used children’s personal data, and levied a $5.7million fine on the app for violating the Children’s Online Privacy Protection Act (COPPA).

Part of the problem is TikTok takes advantage of the fact that Apple and Google still allow developers to not use HTTPS, a loophole that allows for backward compatibility. But the Bakry and Mysk said doing so should be a rare exception and not for such a heavily used app. The versions of TikTok for iOS, 15.5.6, and Android, 15.7.4, still send content to their CDN using HTTP.

“Consequently, TikTok inherits all of the known and well-documented HTTP vulnerabilities. Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history. Public Wifi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort,” they wrote.

This leaves anyone using the TikTok app open to man in the middle attacks where a threat actor could replace the video, photo or text being transmitted with spam or fake news designed to embarrass the sender.

Source: TikTok app inherently unsafe and a privacy risk | SC Media