Social Media App RedNote Vulnerable to MiTM Attacks
In recent years, TikTok has taken the world by storm becoming one of the most popular social media apps in the world. Starting in early 2024, US officials showed great concern regarding the relationship between TikTok and the Chinese Communist Party (CCP) claiming it put the personal data of millions of Americans at risk. While TikTok's CEO Shou Zi Chew denies these accusations, residual doubt remains strong.
Fast forward to early 2025, a decision was upheld by the US Congress forcing TikTok's owner, ByteDance, to sell to a US company or face an outright ban. That was until President Donald Trump temporarily reversed the ban, giving TikTok new life in America.
Amidst the confusion, mainstream news reported that many users flocked to a new Chinese social media app called RedNote. Its Mandarin name, Xiǎo Hóng Shū (小红书), translates to "Little Red Book". RedNote's quick rise to fame highlights the challenge US policymakers will inevitably face when trying to block Chinese apps they don't like—users may simply move to a different app.
It turns out the situation presents another problem too. Security researcher Matt Brown tested the new RedNote app and discovered that it is vulnerable to man-in-the-middle (MiTM) attacks. This means the app potentially exposes personal data to any adversary positioned on the communication path between the device and RedNote's servers.
Let's look at what Matt Brown uncovered, why Transport Layer Security (TLS) is important, and review best practices for implementing secure TLS.
Security Researcher Finds RedNote Has Weak Transport Layer Security
During their analysis, Matt Brown discovered that RedNote transmits some of its traffic over unencrypted HTTP rather than HTTPS. This means that transmitted information, such as user login credentials, messages, and other personal data, can be intercepted, read in cleartext, and modified by anyone able to observe the traffic anywhere on the route between the mobile device and its final destination.
Brown also discovered that RedNote's TLS implementation was vulnerable to certificate replacement attacks. So, even when the traffic was "protected" by TLS, adversaries could still perform MiTM attacks by replacing legitimate TLS certificates with forged ones. Since the RedNote app does not verify the authenticity of the TLS certificate, attackers can intercept communications to access sensitive data or change its contents.
Top Risks for Data In Transit
Weak transport layer security means that data transmitted between users and servers is inadequately protected. This vulnerability may result from unencrypted traffic or an improperly implemented TLS protocol, leaving data susceptible to interception by malicious actors.
Strong transport layer security is crucial to ensure that data transmitted between users and servers cannot be intercepted or altered by unauthorized parties. Without adequate security measures, sensitive data is left vulnerable to theft, manipulation, or injection of malicious content.
Unencrypted HTTP Traffic
When traffic is sent over HTTP rather than HTTPS, it is transmitted in cleartext, meaning it can be intercepted and read by attackers using tools such as packet sniffers. Additionally, attackers can inject malicious code or modify the data being sent, further compromising the integrity of the communication.
Research from Qualys SSL Labs' SSL Pulse 2024 report found that 19.9% of the Alexa Top 150,000 websites support 0-bit key exchange, meaning no encryption or key exchange at all (plain HTTP), which effectively results in no security. Surprisingly, Google found that for Chrome browser usage, Linux lags behind other operating systems (OS), using HTTP almost 30% of the time. While the report shows a steady increase in the use of HTTPS to encrypt data in transit, some HTTP risk is still lurking.
Improper TLS Implementation
TLS provides encryption and ensures the authenticity of communications between a client and server. However, improper TLS configurations—such as using outdated protocols, weak ciphers, or neglecting to validate certificates—render these protections ineffective. In the case of RedNote, Matt Brown observed a lack of proper certificate validation, making the app vulnerable to MiTM attacks where attackers can impersonate trusted servers and intercept user data.
Weak TLS implementation may result in:
Interception of sensitive data: If TLS is implemented with support for weak ciphers or fails to properly validate certificate authenticity, attackers can intercept traffic between the app and the server, stealing confidential information such as passwords, personal details, or other user data.
Execution of arbitrary commands: MiTM attacks can enable attackers to modify the contents of the communication with malicious payloads. This can allow execution of arbitrary commands on the victim's system.
Exploitation of secondary vulnerabilities: Improper TLS can be leveraged to exploit other client-side weaknesses in the app, such as JavaScript vulnerabilities, zero-day vulnerabilities, or known flaws in third-party packages.
Social engineering manipulation: By modifying the data in transit, attackers could inject their own deceptive messages, or malicious ads designed to trick users into installing malware.
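The certificate-validation failure described above usually comes down to a handful of client-side settings. The following is an added example, not RedNote's code and not from the article: it builds the dangerous client configuration (verification and hostname checks switched off) next to a hardened one using Python's standard `ssl` module, and a small audit function that flags the settings which make certificate replacement and protocol downgrade possible. The host and port passed to `open_tls()` are hypothetical placeholders; only that function needs network access.

```python
import socket
import ssl
from typing import Dict, List, Optional


def insecure_context() -> ssl.SSLContext:
    """Client context that accepts any certificate. It reproduces the class of
    mistake the article describes and exists here to be detected, not shipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname must be off before verify_mode can be CERT_NONE.
    ctx.check_hostname = False        # certificate no longer tied to the server name
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, self-signed included, is accepted
    # Remove the protocol floor: TLS 1.0/1.1 become negotiable if OpenSSL offers them.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context with chain validation, hostname matching and a TLS 1.2 floor."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # explicit, independent of Python version
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings that enable certificate replacement (MiTM)
    or protocol downgrade. An empty list means the context passes."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("CERT_NONE: certificate chain is not verified, forged certificates are accepted")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2: legacy TLS 1.0/1.1 can be negotiated")
    return findings


def open_tls(host: str, port: int = 443, ctx: Optional[ssl.SSLContext] = None) -> Dict[str, object]:
    """Connect with a hardened context and report what was negotiated.
    Refuses to run with a context that fails the audit. Needs network access;
    host and port are placeholders supplied by the caller."""
    if ctx is None:
        ctx = secure_context()
    problems = audit_client_context(ctx)
    if problems:
        raise ValueError("refusing to connect with a weak TLS context: " + "; ".join(problems))
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # The handshake has completed here; chain and hostname were already checked.
            return {
                "version": tls.version(),      # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],
                "subject": dict(pair[0] for pair in tls.getpeercert()["subject"]),
            }


if __name__ == "__main__":
    for name, context in (("insecure", insecure_context()), ("secure", secure_context())):
        print(name, audit_client_context(context) or "OK")
```

The audit function is the part worth lifting into a test suite: asserting that every context the app creates passes it catches the "temporarily disabled verification for the staging server" change before it reaches production.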
Best Practices for Secure Transport Layer Security
To protect against these risks, app developers and organizations should follow these best practices for implementing strong TLS:
Enforce HTTPS Everywhere: Ensure all traffic is encrypted using HTTPS, and configure servers to redirect all HTTP traffic to HTTPS automatically.
Use Strong Cipher Suites: Implement modern cipher suites and protocols, such as TLS 1.3, to provide the highest level of encryption.
Validate Certificates Properly: Rigorously verify SSL/TLS certificates to prevent spoofing or man-in-the-middle attacks.
Enable HTTP Strict Transport Security (HSTS): Enforce HTTPS by informing browsers never to connect via HTTP and always use secure connections.
Conduct Regular Security Audits: Periodically review TLS configurations and ensure compliance with the latest security standards and disable support for encryption algorithms with known weaknesses.
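The first and fourth practices above (redirect HTTP to HTTPS, enable HSTS) are server-side settings that can be checked from the responses a server returns. The following is an added example, not from the article or any tool it names: it evaluates an already-fetched HTTP response for a correct redirect and an HTTPS response for a strong Strict-Transport-Security policy, so it runs offline. The sample responses and the hostname `app.example` are constructed, not captured from any real site.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict keyed by
    lower-cased directive name (valueless directives map to '')."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_http_redirect(status: int, headers: Dict[str, str]) -> List[str]:
    """Findings for the response an http:// request received. A correct server
    answers with a permanent redirect whose Location is an https:// URL."""
    findings: List[str] = []
    if status not in (301, 308):
        findings.append(f"http:// request answered {status} instead of a permanent redirect (301/308)")
    location = _header(headers, "Location") or ""
    if urlsplit(location).scheme.lower() != "https":
        findings.append(f"redirect target is not an https:// URL: {location!r}")
    if _header(headers, "Strict-Transport-Security") is not None:
        # Browsers ignore HSTS received over plain HTTP (RFC 6797), so it does nothing here.
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    return findings


def check_hsts(headers: Dict[str, str], min_max_age: int = ONE_YEAR) -> List[str]:
    """Findings for the Strict-Transport-Security policy on an HTTPS response."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return [f"HSTS max-age missing or not an integer: {value!r}"]
    findings: List[str] = []
    if max_age < min_max_age:
        findings.append(f"HSTS max-age={max_age} is below the recommended {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains: subdomains may still be reached over HTTP")
    return findings


# Constructed sample responses for a hypothetical site (status, headers).
GOOD_HTTP = (301, {"Location": "https://app.example/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
WEAK_HTTP = (302, {"Location": "http://app.example/"})
WEAK_HTTPS = (200, {"strict-transport-security": "max-age=0"})

if __name__ == "__main__":
    print("good http :", check_http_redirect(*GOOD_HTTP) or "OK")
    print("good https:", check_hsts(GOOD_HTTPS[1]) or "OK")
    print("weak http :", check_http_redirect(*WEAK_HTTP))
    print("weak https:", check_hsts(WEAK_HTTPS[1]))
```

Feeding these checks with real responses is a two-line `http.client` or `urllib` fetch per scheme; keeping the evaluation separate from the fetch is what makes the policy testable in CI against recorded responses.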
How to Test For Strong Transport Layer Security
Testing for strong transport layer security (TLS) is crucial to ensure that applications protect data in transit from interception or manipulation. Using a variety of tools with different functionalities, security researchers and developers can identify weaknesses in transport layer security and ensure that sensitive user data remains protected.
Security Tools to Verify Strong Transport Layer Security:
CertMiTM: CertMiTM verifies whether an app encrypts its traffic and whether it checks that the server's TLS certificate is signed by a trusted certificate authority. It can also run active MiTM tests by swapping the server's certificate for self-signed certificates generated on the fly.
Wireshark: Wireshark captures and inspects packets, allowing you to verify that all traffic from the application is encrypted using HTTPS (TLS) and does not fall back to unencrypted HTTP or other insecure protocols.
SSL Labs: Qualys SSL Labs analyzes the strength of a server's SSL/TLS implementation, providing a detailed report of encryption protocols, cipher suites, and vulnerabilities.
Burp Suite: Burp Suite can intercept and analyze traffic to confirm that communication channels are secure and to detect weaknesses in the TLS configuration.
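The Wireshark check above (does the app ever fall back to cleartext HTTP, and what does that traffic carry?) is easy to automate once payloads have been exported from a capture. The following is an added example, not from the article or any of the tools it names: a small triage pass over captured TCP payloads that recognises HTTP/1.x requests, notes the destination, and flags credential-bearing headers and form fields sent in the clear. The flows below are constructed samples, not real captures; TLS records and other binary traffic simply produce no findings.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs

HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-auth-token", "x-api-key"}
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "token", "session"}


def parse_http_request(payload: bytes) -> Optional[Dict[str, object]]:
    """Return method/target/headers/body if the payload starts with an HTTP/1.x
    request, else None (TLS records and other binary protocols fall through)."""
    text = payload.decode("iso-8859-1")  # never fails: every byte maps to one char
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers, "body": body}


def triage_flow(flow: Dict[str, object]) -> List[str]:
    """Findings for one captured flow shaped as {'dst': ip, 'dport': port, 'payload': bytes}."""
    req = parse_http_request(flow["payload"])
    if req is None:
        return []  # not cleartext HTTP; encrypted traffic is what we want to see
    headers: Dict[str, str] = req["headers"]
    host = headers.get("host", str(flow["dst"]))
    findings = [f"cleartext HTTP {req['method']} to {host}{req['target']} (port {flow['dport']})"]
    for name in sorted(CREDENTIAL_HEADERS & set(headers)):
        findings.append(f"credential-bearing header sent in clear: {name}")
    form: Dict[str, List[str]] = {}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(str(req["body"]))
    for field in sorted(CREDENTIAL_FIELDS & set(form)):
        findings.append(f"credential-like form field sent in clear: {field}")
    return findings


def triage_capture(flows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Run triage over every flow; keyed by 'dst:dport', only flows with findings are kept."""
    report: Dict[str, List[str]] = {}
    for flow in flows:
        findings = triage_flow(flow)
        if findings:
            report[f"{flow['dst']}:{flow['dport']}"] = findings
    return report


# Constructed sample flows (not real captures). The first is the start of a TLS
# ClientHello record (type 0x16, version 3.1); the others are cleartext HTTP.
SAMPLE_FLOWS: List[Dict[str, object]] = [
    {"dst": "203.0.113.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32},
    {"dst": "203.0.113.20", "dport": 80, "payload": (
        b"POST /api/login HTTP/1.1\r\nHost: api.example\r\nCookie: sid=abc123\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
        b"username=alice&password=hunter2")},
    {"dst": "203.0.113.30", "dport": 80,
     "payload": b"GET /static/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n"},
]

if __name__ == "__main__":
    for key, findings in triage_capture(SAMPLE_FLOWS).items():
        print(key)
        for line in findings:
            print("  ", line)
```

Any non-empty report is a finding in its own right, since an app that enforces HTTPS everywhere should produce none; the per-flow detail then tells you whether the cleartext traffic was harmless static content or a login.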
Conclusion
Social media app RedNote's vulnerabilities highlight the critical importance of following best practices when implementing TLS. With the app's growing popularity in the wake of TikTok's ban, its weak security posture could put millions of users at risk. By adopting robust TLS practices, developers can help safeguard data in transit and protect users from the risks of interception and exploitation. However, users need to stay vigilant about choosing which applications they install and use, especially those handling sensitive personal information.