TikTok hack replaces people’s videos with coronavirus conspiracy theories

‘Washing hands too often causes skin cancer,’ states a fake post on an official UN account

Anthony Cuthbertson
Thursday 16 April 2020 08:53 BST
A security weakness in the popular video-sharing app TikTok appears to let hackers hijack a user's feed
A security weakness in the popular video-sharing app TikTok appears to let hackers hijack a user's feed

A security vulnerability with the popular app TikTok could allow hackers to post fake videos to people’s accounts, researchers have warned.

App developers Tommy Mysk and Talal Haj Bakry were able to manipulate popular TikTok accounts to make it appear as though they were endorsing dangerous conspiracy theories and hoaxes surrounding the coronavirus pandemic.

“Washing hands too often causes skin cancer,” one fake post on the official UN Migration account states. “Smoking and vaping kill the coronavirus.”

A blog post detailing the threat urged TikTok to switch from the HTTP protocol to the more secure HTTPS in order to prevent future attacks. It explained that the use of HTTP to transfer sensitive data meant they were able to intercept TikTok traffic and trick the app into showing the fake videos as if they were posted by the users.

“The circulation of misleading and fake videos in a popular platform such as TikTok poses huge risks,” the blog post stated.

“The forged videos we created present misleading information about Covid-19. This illustrates a potential source of disseminating misinformation and false facts about a contemporary critical topic.”

The hacking technique was confirmed by researchers at Naked Security, who successfully used it after “playing around with the TikTok app for a few minutes”.

Cyber security researchers said the attack could be particularly dangerous at a time when misinformation is being used to incite acts of vandalism and spread baseless claims that could harm people’s health.

“This type of attack represents a different kind of privilege escalation. Masquerading as an authoritative identity in order to feed false information into someone’s feed could be used for all kinds of malicious intents,” Tim Erlin, vice president of product management at Tripwire, told The Independent.

“We often ask that users be diligent about evaluating the sources of information they receive from social media, but diligence isn’t helpful when an attacker can simply impersonate an authoritative source.”

TikTok said that it was in the process of switching to HTTPS, making such hacks impossible in the future.

A spokesperson told The Independent: "TikTok prioritises user data security and already uses HTTPS across several regions, as we work to phase it in across all of the markets where we operate."

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in