TikTok vulnerability lets hackers inject fake coronavirus videos into your account

Picture this: you’re scrolling through your TikTok feed one day and all of a sudden, you notice a video that you did not upload posted to your account.

It’s very possible, as a team of software developers discovered a vulnerability on the viral social video platform that lets an attacker sitting on the network path swap the videos shown for any TikTok account.

A screenshot of a fake coronavirus video that was swapped with a real one from TikTok's own official account.

Image: mysk.blog

In a post sharing their findings, developers Tommy Mysk and Talal Haj Bakry explain that TikTok uses Content Delivery Networks, or CDNs, to move video data around the world more efficiently. To improve performance, those CDNs serve the data over plain, unencrypted HTTP.

The problem with choosing unencrypted HTTP over HTTPS is that anyone positioned on the network path can read the traffic, which puts users’ privacy at risk, and can also alter it in transit.

“Any router between the TikTok app and TikTok’s CDNs can easily list all the videos that a user has downloaded and watched, exposing their watch history,” write Mysk and Bakry. “Public Wifi operators, Internet Service Providers, and intelligence agencies can collect this data without much effort.”

While Apple and Google have both moved to require apps to use encrypted HTTPS by default, both platforms still let developers declare exceptions that permit plain HTTP for particular domains.
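Those exceptions are declared in configuration rather than code. On Android an app ships a network security config that can set `cleartextTrafficPermitted` per domain; iOS has the equivalent in the `NSAppTransportSecurity` dictionary of Info.plist. The following audit helper is an added example for this article, not TikTok’s configuration or the developers’ code: it parses a constructed Android `network_security_config.xml` and lists every host for which cleartext HTTP is allowed, shown against a hardened version of the same file. The hostnames are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed example of a WEAK Android network_security_config.xml: HTTPS is
# required by default, but the media CDN hosts are opted out, which is the
# kind of exception the article refers to. Hostnames are placeholders.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">cdn.example.net</domain>
        <domain includeSubdomains="false">img.example.net</domain>
    </domain-config>
</network-security-config>
"""

# The corrected file: the same domains, but cleartext is refused everywhere.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">cdn.example.net</domain>
    </domain-config>
</network-security-config>
"""


def _permits_cleartext(elem, inherited):
    """Read cleartextTrafficPermitted on one element, falling back to the
    value inherited from the enclosing scope when the attribute is absent."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.lower() == "true"


def cleartext_exceptions(xml_text, default_permitted=False):
    """Return (host, reason) pairs for every place the config allows plain HTTP.

    default_permitted is the platform default used when <base-config> is
    silent: false for apps targeting Android 9 (API 28) and later, true for
    older targets. Nested <domain-config> inheritance is not modelled here.
    """
    root = ET.fromstring(xml_text)
    findings = []

    base = root.find("base-config")
    base_permits = (_permits_cleartext(base, default_permitted)
                    if base is not None else default_permitted)
    if base_permits:
        findings.append(("*", "base-config permits cleartext for all hosts"))

    for dc in root.findall("domain-config"):
        if not _permits_cleartext(dc, base_permits):
            continue
        for d in dc.findall("domain"):
            scope = ("and subdomains" if d.get("includeSubdomains", "false") == "true"
                     else "exact host only")
            findings.append(((d.text or "").strip(),
                             f"domain-config permits cleartext ({scope})"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, cleartext_exceptions(cfg) or "no cleartext exceptions")
```

Run against the weak file the helper reports both CDN hosts; against the hardened file it reports nothing. Passing `default_permitted=True` models an app that still targets an old Android API level, where an empty config silently allows HTTP to every host.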

Because TikTok transfers data such as videos and profile photos via HTTP, the developers found it was susceptible to man-in-the-middle attacks: an attacker positioned between the app and the CDN can alter the content in transit and swap out a real video on an account for a fake one of their choosing.

The developers provided an example of just how problematic this issue can be by staging a DNS-spoofing attack on a local network they controlled.

[embedded content]

Using the vulnerability they discovered, the duo uploaded a video containing coronavirus misinformation and injected it into the World Health Organization’s TikTok account so it looked like one of the organization’s own videos. The team was also able to use the same process to show fraudulent uploads on other verified TikTok accounts, including the Red Cross and the video platform’s very own official profile.

In order to do this, the duo needed to trick the TikTok app into connecting to a fake server they had set up that mimicked TikTok’s CDN servers, by answering the app’s DNS lookups for the CDN hostnames with their own server’s address.

“This can be achieved by actors who have direct access to the routers that users are connected to,” they explain in their post.

That means that to see the swapped videos in the TikTok app, a user would need to be connected to the router Mysk and Bakry controlled. To be clear, the video swapping isn’t occurring on TikTok’s servers, and users on other networks see the genuine videos. But that doesn’t mean a malicious actor couldn’t use this method to cause real harm.
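To make the mechanism concrete, here is a self-contained simulation of the attack sequence described above, added for this article; it is not Mysk and Bakry’s code or TikTok’s, and the hostname, paths and “video” payloads are constructed placeholders. A fake CDN runs on loopback, the app’s DNS resolution for the CDN hostname is poisoned so the lookup returns the attacker’s address, and the app fetches media over plain HTTP. Nothing in the exchange authenticates the server, so the app accepts the substituted bytes. The same server’s request log also illustrates the earlier point about watch history: every cleartext request names the host and the exact video.

```python
"""Simulation of the DNS-spoof plus fake-CDN video swap (constructed demo)."""
import hashlib
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CDN_HOST = "cdn.example.net"            # placeholder media CDN hostname
TARGET_PATH = "/who/covid19-advice.mp4"  # the one video the attacker targets

# What the genuine CDN serves (placeholder bytes standing in for video files).
ORIGIN_CONTENT = {
    TARGET_PATH: b"GENUINE WHO VIDEO",
    "/redcross/donate.mp4": b"GENUINE RED CROSS VIDEO",
}
# What the attacker substitutes; everything else is mirrored unchanged.
SWAPS = {TARGET_PATH: b"FAKE COVID VIDEO"}


class FakeCdn(BaseHTTPRequestHandler):
    """Attacker's server: mirrors the origin, swaps selected videos and logs
    every request, which is the victim's watch history in the clear."""

    def do_GET(self):
        self.server.watch_history.append((self.headers.get("Host"), self.path))
        body = SWAPS.get(self.path) or ORIGIN_CONTENT.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "video/mp4")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def spoof_dns(victim_host, attacker_ip):
    """Return (original, replacement) for socket.getaddrinfo; the replacement
    answers `victim_host` with `attacker_ip`, standing in for a poisoned
    DNS record on the victim's network."""
    real = socket.getaddrinfo

    def fake(host, port, *args, **kwargs):
        if host == victim_host:
            host = attacker_ip
        return real(host, port, *args, **kwargs)
    return real, fake


def app_fetch(host, port, path):
    """The 'app': a plain-HTTP GET with no way to verify who answered."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    data = conn.getresponse().read()
    conn.close()
    return data


def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), FakeCdn)
    srv.watch_history = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    real, fake = spoof_dns(CDN_HOST, "127.0.0.1")
    socket.getaddrinfo = fake  # the "hacked DNS" the article describes
    try:
        fetched = {p: app_fetch(CDN_HOST, srv.server_port, p) for p in ORIGIN_CONTENT}
    finally:
        socket.getaddrinfo = real
        srv.shutdown()
        srv.server_close()
    # The app itself cannot detect the swap; only someone holding the genuine
    # file (or an authenticated digest of it) can compare.
    tampered = {
        p: hashlib.sha256(fetched[p]).digest() != hashlib.sha256(ORIGIN_CONTENT[p]).digest()
        for p in ORIGIN_CONTENT
    }
    return {"fetched": fetched, "tampered": tampered, "watch_history": srv.watch_history}


if __name__ == "__main__":
    result = run_demo()
    for path, swapped in result["tampered"].items():
        print(f"{path}: {'SWAPPED' if swapped else 'genuine'}")
    print("attacker's log of what the victim watched:", result["watch_history"])
```

Only the targeted WHO video comes back altered; the Red Cross video is mirrored intact, so the victim has no visible cue that anything is wrong. Against an HTTPS URL the same DNS spoof fails at the TLS handshake, because the attacker’s server cannot present a certificate valid for the CDN hostname, and the app refuses the connection instead of displaying the substituted video. That is the difference the developers are drawing between TikTok and the HTTPS-only apps they tested.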

“If a popular DNS server was hacked to include a corrupt DNS record…misleading information, fake news, or abusive videos would be viewed on a large scale,” the developers explained. “This is not completely impossible.”

Developer Tommy Mysk confirmed to Mashable that the choice to transfer data via HTTP over HTTPS sets TikTok apart from most of its high-profile competitors.

“I just tested them all: Facebook, Instagram, YouTube, Twitter, Snapchat,” Mysk said in a message to Mashable. “They have ZERO HTTP traces. They transfer all of their data using HTTPS.”

Earlier this year, cybersecurity firm Check Point discovered a number of security flaws in the TikTok app, including one that allowed hackers to take control of a user’s account. The viral video platform moved to fix them. Shortly after, the team of Mysk and Bakry uncovered another TikTok security issue: the app was reading the contents of the iPhone clipboard.

TikTok has always had to prove itself as a safe platform for its users because of its connection to its China-based parent company, ByteDance. Some U.S. government workers have even been banned from using the app. This latest security issue surely isn’t good news for the company.

Watch this chill lion climb aboard a safari vehicle full of tourists

It’s my general understanding that wild lions are pretty dangerous, but after watching a very relaxed lion jump into a safari vehicle full of people, I am very confused.

During a safari at Taigan Safari Park in Vilnohirsk, Crimea, a lion named Filya boarded a vehicle full of tourists, according to the Associated Press. Once aboard the lion nuzzled the tourists and plied them with big lion licks. 

Owner of the park Oleg Zubkov was driving the vehicle when Filya came aboard, according to BuzzFeed News. He quickly exited the car as Filya entered it to keep an eye on her interaction with the tourists. 

All of the visitors seemed surprisingly unfazed and genuinely pleased by a lion climbing all over them. A couple of people even managed to snap a selfie with Filya. 

I’m just so curious to know why no one was consumed by fear, or an overwhelming sense of their own mortality? Am I missing something? This is a literal lion we’re talking about.

CBS News has the footage:

[embedded content]

Filya eventually hopped out of the car and the tourists concluded their safari unscathed.

According to BuzzFeed News, the park is known for allowing its big cats to roam freely without any partitions to separate them from visitors, and interactions with the park’s wildlife are actually encouraged. You can even find some footage of these wildlife interactions on the park’s YouTube channel.

And, if you think all of this sounds dangerous and ill-advised, you’re correct. As recently as eight weeks ago, another lion at the park apparently bit a visitor. (The tourist’s fine, though.)

As adorable as it is to see Filya cuddling with tourists, we probably shouldn’t forget that lions are not harmless little kittens. Just a thought.

[H/T: BuzzFeed News]

Cameraman falls in lake on live TV, still gets the perfect shot

[embedded content]

Sometimes you get so into your work that you accidentally fall into a lake. It happens! 

But if you’re a cameraman named Chris, you might just be skilled enough to recover and capture the whole incident for live television. That’s what happened during this Las Vegas broadcast.

While Chris was capturing footage of his colleague reporting from a kayak, he appeared to accidentally fall into the lake.

“Are you alright, Chris?” the reporter yelled. “Yeah, I’m good,” he said.

Though the reporter claims “no electronics or cameras were injured in this live shot,” there was certainly a scary splash.

But in an impressive plot twist Chris wound up capturing the perfect final shot.

Watch this ‘Rick & Morty’ voice actor sink a million tequila shots, because method acting

When Konstantin Stanislavski came up with “the method,” a system used to train actors to experience the emotions of their character, we’re not sure whether that also included downing multiple tequila shots.

That’s what Rick & Morty’s Justin Roiland did when he had to voice the “high-functioning alcoholic” version of Rick, on the encouragement of the show’s creator Dan Harmon.

“I understand things got a little…creative,” Harmon said in a video, posted to Adult Swim’s Facebook page. Yeah, that’s one way to put it.

Drink responsibly, kids.