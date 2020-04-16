The number of TikTok downloads on the Google Play Store recently passed the one billion mark.

Bite-sized video creating and sharing platform TikTok apparently has a flaw that puts users’ privacy at risk by allowing hackers to post fake videos to their accounts. Two developers, Talal Haj Bakry and Tommy Mysk, have highlighted in a blog post that TikTok uses an insecure network channel to deliver data in bulk. According to them, the media content downloaded by the application is fetched over unencrypted HTTP, which puts a user’s privacy at risk: unencrypted HTTP traffic is easier for hackers both to monitor and to alter. The flaw could also let hackers access a user’s watch history. It is worth noting that there are currently one billion people using the application across the world. The number of downloads on the Google Play Store recently passed the one billion mark as people are confined to their homes due to the novel Coronavirus.

According to the findings, using the application over insecure HTTP can also allow a user’s video content to be swapped, including that of verified accounts. Because the content is exposed in transit, a user’s watch history can also be revealed. “We successfully intercepted TikTok traffic and fooled the app to show our own videos as if they were published by popular and verified accounts. This makes a perfect tool for those who relentlessly try to pollute the internet with misleading facts,” said Talal Haj Bakry and Tommy Mysk in the blog post. TikTok’s Android version 15.7.4 and iOS version 15.5.6 are said to have this vulnerability.

The developers further explained that TikTok relies on Content Delivery Networks (CDNs) to serve data to its users, and those CDNs deliver media files over unencrypted HTTP. Anyone who can observe this traffic as it passes through a Wi-Fi router may be able to read and modify it, which makes it possible to plant a fake video without the user’s knowledge. Meanwhile, the company has not acknowledged the issue as of now.
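The weakness the article describes in the two passages above (media fetched from a CDN over plain HTTP, and therefore readable and alterable by anyone on the network path) is the kind of thing an app security team can catch before release by auditing a traffic capture from a test device. The script below is an added example written for this page, not code from the article, from TikTok, or from the researchers it cites. It assumes a simple proxy-style log format of `<method> <url> <response content-type>` per line; the sample log lines, hostnames and paths are constructed for the example and are not real TikTok or CDN traffic.

```python
from urllib.parse import urlsplit

# Constructed sample of proxy-style request log lines captured from a test device.
# Format assumed for this example: "<method> <url> <response content-type>".
# Hosts and paths are invented; they are not real TikTok or CDN endpoints.
SAMPLE_LOG = """\
GET http://cdn.example-media.test/videos/abc123.mp4 video/mp4
GET https://api.example-app.test/v1/feed application/json
GET http://cdn.example-media.test/thumbs/abc123.jpg image/jpeg
GET https://cdn.example-media.test/videos/def456.mp4 video/mp4
GET http://analytics.example-app.test/ping text/plain
"""

# Response types we treat as user-visible media; a swapped object of one of
# these types is what lets an on-path attacker show a fake video or thumbnail.
MEDIA_PREFIXES = ("video/", "image/", "audio/")


def parse_line(line):
    """Split one log line into (method, url, content_type); None if malformed."""
    parts = line.strip().split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def is_cleartext_media(method, url, content_type):
    """True when a media object was fetched over plain http:// (no TLS)."""
    scheme = urlsplit(url).scheme.lower()
    return scheme == "http" and content_type.lower().startswith(MEDIA_PREFIXES)


def audit_cleartext_media(log_text):
    """Return {host: [urls]} for every media fetch that went over cleartext HTTP.

    Anything listed here could be read or replaced by someone controlling a
    router or Wi-Fi hop between the device and the CDN.
    """
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or malformed lines rather than crash the audit
        method, url, ctype = parsed
        if is_cleartext_media(method, url, ctype):
            host = urlsplit(url).hostname or "?"
            findings.setdefault(host, []).append(url)
    return findings


def summarize(findings):
    """Render the audit result as a short human-readable report."""
    lines = []
    for host in sorted(findings):
        lines.append(f"{host}: {len(findings[host])} media object(s) over cleartext HTTP")
        for url in findings[host]:
            lines.append(f"  {url}")
    return "\n".join(lines) if lines else "no cleartext media fetches found"


if __name__ == "__main__":
    print(summarize(audit_cleartext_media(SAMPLE_LOG)))
```

On the constructed sample the audit flags the two objects served from `cdn.example-media.test` over `http://`, while the `https://` feed call and the plaintext but non-media analytics ping are left out. The fix on the app side is to require `https://` for every CDN URL the client accepts; on Android, a network security configuration that disallows cleartext traffic turns such a finding into a failed request during testing rather than a silent exposure in production.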