
Krishnadev R

Found Out How Pirate Streams Were Using TikTok's CDN

So the other day I was checking out some streams, looking at how I could set up a stream on my own website, and I came across this sketchy, y'know, illegal stream. I had to know the source, so I did some inspection, basically network tab stuff. It redirected me to another site, which was the one actually providing the stream; the first one was just embedding it.

So on the origin website I opened the network tab and checked out the requests. There were two calls that mattered. The first was an API call that came back with an .m3u8, and if you've not seen one, that's just a text file, a plain list of URLs pointing at the little video chunks the player stitches together (I found out about this the same day, btw). The second call was the player actually going to that CDN and pulling the chunks. I was a bit surprised there: I'm seeing TikTok's CDN being used for an illegal stream. Leaving that part aside, I checked the CDN request's response and it's an image. A blank image, from TikTok's avatar bucket. So I was confused about how tf the stream was working with this.

So I pull the image down and look at it. The front of it is a totally legit PNG, and then a few dozen bytes in it hits IEND. That's the marker that literally means "the image ends here." A normal PNG would just stop there.
This one didn't. It kept going. So I look at all that extra junk after IEND, and it's not random, there's a pattern: one specific byte, 0x47, showing up every 188 bytes like clockwork. And that's the tell: 0x47 every 188 bytes is the MPEG-TS sync byte. It's the fingerprint of video: .ts segments, the exact thing an HLS stream is made of. (Got to learn all this the same day, btw.)

So the "image" was a real PNG for the first few dozen bytes, and then ~5 MB of straight-up video bolted onto the back of it. So it's a polyglot file, basically.

A polyglot file is a single file that is valid in two or more different file formats at the same time.
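The check described above, written as something an upload pipeline or an analyst could run on a suspicious image. This is an added example, not code from the original post: it walks the PNG chunk list to find where IEND really ends, then looks for 0x47 repeating every 188 bytes in whatever follows. The function names, the `min_packets` threshold and both sample byte strings are assumptions made up for the illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TS_PACKET, TS_SYNC = 188, 0x47

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
        if ctype == b"IEND" and pos <= len(data):
            return pos
    raise ValueError("no complete IEND chunk")

def find_ts(trailer: bytes, min_packets: int = 4):
    """Return (offset, packets) for the first run of 0x47 spaced 188 apart, else None."""
    for start in range(min(TS_PACKET, len(trailer))):
        pos = start
        count = 0
        while pos + TS_PACKET <= len(trailer) and trailer[pos] == TS_SYNC:
            count += 1
            pos += TS_PACKET
        if count >= min_packets:
            return start, count
    return None

def inspect_upload(data: bytes) -> dict:
    """Report what follows IEND; a clean image has trailing_bytes == 0."""
    end = png_end_offset(data)
    trailer = data[end:]
    return {"png_bytes": end, "trailing_bytes": len(trailer), "mpeg_ts": find_ts(trailer)}

def _chunk(ctype: bytes, body: bytes = b"") -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a 1x1 grayscale PNG, and the same PNG followed by
# 8 dummy 188-byte packets (sync byte + zeros, no real video).
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND"))
SUSPECT = CLEAN_PNG + (bytes([TS_SYNC]) + bytes(TS_PACKET - 1)) * 8

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspect", SUSPECT)):
        print(name, inspect_upload(blob))
```

Any nonzero `trailing_bytes` on an image upload is worth flagging or stripping on its own; the MPEG-TS check just tells you what the extra data is.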

So knowing this was like a big deal to me, and noticing the bucket made me wonder if it was a specific TikTok upload endpoint that the exploiters were using. So yea, I turn on a VPN, go to TikTok, try out uploading some files myself, and verify the bucket: it was the same. The next step was making a polyglot file myself with a hidden message. Then I did the upload, downloaded the file, and checked if my marker was still there, and there it was! So yea, verified. I understood how exactly the exploiters were using TikTok's CDN for streaming.

Idk if this is a big deal to anyone else, but it was pretty interesting for me. If I made/wrote any mistakes, my bad. Thanks for reading

I'll attach a diagram that I made for myself for better understanding with the post, in case anyone wants to, idk, get a look at it and understand it.
