Large parts of the data traffic between the TikTok app and the app's servers are not encrypted. This could allow an attacker to swap the videos that are displayed to the user, provided the attacker manages to intercept the network traffic between the phone and the TikTok server.
The TikTok developers did sensibly encrypt the transfer of all personal data through the app. Only the images and videos that are loaded from the content delivery network used by the app are unencrypted. It looks as if the TikTok creators at the developer company ByteDance tried to save time and computing power when transmitting the payload. Or perhaps the option was deliberately left open to make this data manipulable for attacks.
The unsuspecting victim receives videos that look as if they come from a trustworthy channel but were actually swapped in by the attacker. The security researchers who discovered the vulnerability demonstrate this by displaying videos with fake information in the feed of the World Health Organization. They succeed by intercepting and manipulating the app's requests, then using DNS to redirect these requests to their own server.
In such a case one would normally expect harmless spam, but in times when we all expect targeted manipulation of social networks like TikTok, such a gap must be taken a little more seriously. Not to mention that there are already far too many fake videos on TikTok that aim to spread panic.
An Attack Seems To Be Feasible
So far, the TikTok developers have not done anything about the vulnerability. TikTok users should therefore be aware that fake videos can currently be pushed to them inside otherwise trustworthy feeds.
TikTok is the only major app that uses unsecured communication to deliver its content. Other social media apps such as Facebook, Instagram, and Twitter consistently use HTTPS to communicate between the app and their CDNs.
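The following is an added example, not code from TikTok, ByteDance or the researchers, showing the two defensive sides of the weakness described above: a client-side guard that refuses or upgrades cleartext media URLs before they are fetched, and a detection pass over captured request logs that reports image or video downloads which went out over plain HTTP. All hostnames, paths and log lines are constructed for illustration; the allow-list of CDN hosts is an assumption, not anything TikTok uses.

```python
"""Added example (not TikTok's, ByteDance's or the researchers' code).

Two defensive checks for media (images/videos) fetched from a CDN over
cleartext HTTP, the weakness the article describes:

1. enforce_https() is the guard a client app can apply to every media URL
   before fetching it, so a cleartext CDN URL is upgraded to HTTPS or refused.
2. find_cleartext_media() scans captured request logs (the constructed sample
   below) and reports media downloads that were made unencrypted.

Hostnames, paths and log lines are constructed for illustration only.
"""
import re
from urllib.parse import urlsplit, urlunsplit

MEDIA_EXTENSIONS = (".mp4", ".webm", ".jpg", ".jpeg", ".png", ".gif", ".webp")

# Hypothetical allow-list of CDN hosts the app is expected to load media from.
TRUSTED_MEDIA_HOSTS = {"cdn.example-video.test", "img.example-video.test"}


def enforce_https(url: str) -> str:
    """Return the URL with an https scheme, or raise if it cannot be made safe.

    A scheme other than http/https, or a host outside the allow-list, is refused
    outright; a plain http URL to a trusted host is upgraded to https so the
    response is authenticated by TLS instead of being open to substitution.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname or ""
    if host not in TRUSTED_MEDIA_HOSTS:
        raise ValueError(f"media host not on allow-list: {host!r}")
    if parts.scheme == "https":
        return url
    # Upgrade: keep host, path and query; drop an explicit :80 port.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed sample of outbound requests as a proxy or on-device logger
# might record them: "<timestamp> <method> <url> <status> <bytes>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z GET https://api.example-video.test/v1/feed 200 4120
2024-01-01T10:00:01Z GET http://cdn.example-video.test/videos/abc123.mp4 200 2097152
2024-01-01T10:00:02Z GET http://img.example-video.test/thumbs/abc123.jpg 200 48210
2024-01-01T10:00:03Z GET https://cdn.example-video.test/videos/def456.mp4 200 1048576
2024-01-01T10:00:04Z POST https://api.example-video.test/v1/like 200 88
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def find_cleartext_media(log_text: str) -> list:
    """Return one finding per media request that used plain http.

    Each finding is a dict with the timestamp, host, path and size, which is
    what a reviewer needs to see that feed content could have been replaced
    in transit by anyone positioned on the network path.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log shape
        parts = urlsplit(m.group("url"))
        if parts.scheme != "http":
            continue  # TLS-protected requests are not at issue here
        if not parts.path.lower().endswith(MEDIA_EXTENSIONS):
            continue  # only image/video payloads are reported
        findings.append({
            "ts": m.group("ts"),
            "host": parts.hostname,
            "path": parts.path,
            "bytes": int(m.group("bytes")),
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_media(SAMPLE_LOG):
        print(f"cleartext media fetch: {f['host']}{f['path']} ({f['bytes']} bytes)")
    print(enforce_https("http://cdn.example-video.test/videos/abc123.mp4"))
```

Run as a script, the detection pass reports the two cleartext media fetches in the constructed log and the guard prints the upgraded HTTPS URL. The allow-list matters as much as the scheme: upgrading to HTTPS only authenticates the host the client connects to, so the client must also decide which hosts it is willing to load media from.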