Skip to main content

TikTok Vulnerability Allows Uploading of Fake Videos To User Accounts






A security vulnerability with TikTok allows attackers to inject any videos in the User feeds, the bug affects verified users also. Attackers may exploit this vulnerability to ake their videos popular.
TikTok is a Chinese based popular video-sharing mobile platform and which is owned by Beijing-based ByteDance.It is the most popular video-sharing app, it has more than 1.3 billion users worldwide.

TikTok Vulnerability

TikTok app uses insecure HTTP to process the data transfer, according to the analysis by researchers Talal Haj Bakry and Tommy Mysk the videos and images transferred are unencrypted.
An attacker between the “TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history.”


TikTok Vulnerability
Wireshark Analysis
 
 
  • By launching a man-in-the-middle attacker can download the content and modify it, aiming to provide the fake facts in a spam video instead of the original one posted.
  • The vulnerability can be abused by an attacker to spread misleading information and change public opinion.
  • In their proof-of-concept attack, researchers set up a fake CDN server “v34[.]muscdn[.]com” and their TikTok app directed to the fake server. “The fake server then picks a forged video and returns it to the app which, in turn, plays the forged video to the user as shown in the demo video.”
  • TikTok for iOS (Version 15.5.6) and TikTok for Android (Version 15.7.4) are still using the connection unencrypted for connecting with TikTok CDN.
  • To launch this attack, threat actors need to have access to the router used to access the internet and TikTok. By having the access they can redirect and manipulate the videos.
  • “The circulation of misleading and fake videos in a popular platform such as TikTok poses huge risks,” researchers said.


TikTok Vulnerability
Fake Videos
The impact will be huge if the Wi-Fi operators, VPN providers, and ISPs configure the servers with the corrupt DNS server.
“We successfully intercepted TikTok traffic and fooled the app to show our videos as if they were published by popular and verified accounts,” researchers said.

Comments

Post a Comment

Popular posts from this blog

What is adware?

What is adware? Spyware refers to a kind of malware that presentations undesirable advertisements to your computer or device. spyware is normally activated unknowingly when customers are looking to install legitimate programs that spyware is bundled with. At the same time as now and again, spyware may be safe, some pop-up windows intend to not best display advertisements however also acquire facts and information with the intention to target you with customised ads. In those instances, adware can direct you to malicious websites and inflamed pages thru various ad hyperlinks, setting you liable to pc viruses. The way to come across adware The maximum not unusual manner to realise spyware is the appearance of father-up classified ads and programs that you are unfamiliar with and on browsers where they'd not been displayed before. In some cases, spyware also can purpose adjustments to your browser, below are a few matters to appearance out for: Lagging performance and eventual crashin...
Post a Comment
Read more

Alert for Weaponized TeamViewer Installer that delivers njRAT

Alert for Weaponized TeamViewer Installer that  delivers  njRAT   Hazard actors relying on legitimate, 9aaf3f374c58e8c9dcdd1ebf10256fa5 software Team Viewer for exploitation has been a totally commonplace situation. There have been numerous cases in which risk actors used 9aaf3f374c58e8c9dcdd1ebf10256fa5 software to deliver malware to the sufferers. In addition, a latest file from Cyble research & Intelligence Labs stated that the maximum popularly used remote computing device support software program, “Team Viewer” has been exploited by threat actors to deliver njRAT malware. Other software that become turning in njRAT malware include Wireshark, system Hacker, and so on., NJ RAT is a far flung get admission to Trojan that could perform keylogging, password stealing, facts exfiltration, gaining access to webcams, and microphones, downloading extra documents, and plenty of others. It changed into first determined in 2012 and was attacking companies in middle Japanese c...
Post a Comment
Read more

SIM swap attack permits Hackers Port a phone quantity to a brand new SIM to Hack WhatsApp & Evasion 2FA.

SIM swap attack permits Hackers Port a phone quantity to a brand new SIM to Hack WhatsApp & Evasion 2FA. Cybercriminals are actively performing SIM swap attacks in diverse international locations to bypass 2 things Authentication and to compromise the numerous social media apps which include WhatsApp through porting a sufferer’s smartphone number to a brand new SIM card. This widespread assault brought on economic damages, stolen credentials, and seizes OTPs to bypass victims’ online money owed. There are various fraud facilities and thousands of operators are running round the arena to seamlessly port a cell phone wide variety to a new SIM with an excessive achievement ratio.   In this situation, countries like Brazil and Mozambique have an excessive fee of SIM swap fraud the use of various social engineering strategies, and phishing attacks. A hit tries of this assault allow fraudsters take manage of clients’ telephone numbers with a purpose to get hold of mobile money tran...
Post a Comment
Read more