A security investigation has revealed that Xiaohongshu, also known as RedNote, a social media platform similar to TikTok, transmits user data in plaintext, exposing users' viewing and search histories to potential eavesdroppers. The flaw, discovered by security researchers at Corrata, highlights ongoing concerns about data security on Chinese-owned digital platforms, particularly as American users seek TikTok alternatives amid regulatory uncertainty.
Unencrypted data in transit
Corrata's security monitoring tools first flagged suspicious activity in RedNote's network traffic last week. While video streaming itself is encrypted using TLS 1.3, researchers found that HTTP GET requests fetching image resources—including WebP, JPG, and a proprietary REIF format—were being sent in plaintext to CDN hosts like sns-na-i9.xhscdn.com.
This means that anyone monitoring network traffic, from Wi-Fi providers to potential attackers, can see the images tied to users' viewing activity. The lack of encryption also makes this data vulnerable to manipulation, including spoofing or tampering by adversaries.
Further analysis showed that simply registering for the app generated over 16,000 unencrypted network traffic frames, highlighting the massive scale of exposure. The issue is linked to a misconfigured Android network security policy, which explicitly permits cleartext traffic—a setting that violates best practices outlined in Android security guidelines.
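The kind of check that surfaces this pattern is straightforward to reproduce from a capture. The following Python script is an added example, not Corrata's tooling or anything from Xiaohongshu: it walks a list of HTTP request lines, keeps only those sent over plain http://, and classifies them by host and by whether the path looks like an image fetch. The request lines are constructed for illustration; only the CDN hostname sns-na-i9.xhscdn.com comes from the article, and the .reif extension is an assumption about how the proprietary REIF format is named on disk.

```python
# Added example (not Corrata's monitoring code): flag cleartext HTTP fetches
# of image resources in captured request lines, the pattern the article
# describes. Request lines below are constructed; paths are made up.
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

# The CDN hostname is from the article; api.example.invalid is constructed.
SAMPLE_REQUESTS = [
    "GET http://sns-na-i9.xhscdn.com/1040g00830c2a3b4c5d6e.webp HTTP/1.1",
    "GET http://sns-na-i9.xhscdn.com/1040g00830c2a3b4c5d6f.jpg HTTP/1.1",
    "GET http://sns-na-i9.xhscdn.com/1040g00830c2a3b4c5d70.reif HTTP/1.1",
    "GET https://sns-na-i9.xhscdn.com/1040g00830c2a3b4c5d71.webp HTTP/1.1",
    "GET https://api.example.invalid/v1/feed HTTP/1.1",
    "GET http://api.example.invalid/v1/search?q=travel HTTP/1.1",
    "garbage line that is not a request",
]

# ".reif" is an assumed extension for the proprietary REIF format.
IMAGE_EXTENSIONS = {".webp", ".jpg", ".jpeg", ".png", ".gif", ".reif"}


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    kind: str  # "image" or "other"


def parse_request_line(line):
    """Return (method, url) for a 'METHOD URL HTTP/x.y' line, else None."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def find_cleartext(lines):
    """Return one Finding per request whose URL scheme is plain http."""
    findings = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        _method, url = parsed
        split = urlsplit(url)
        if split.scheme.lower() != "http":
            continue  # https is TLS-protected; nothing to report
        ext = posixpath.splitext(split.path)[1].lower()
        kind = "image" if ext in IMAGE_EXTENSIONS else "other"
        findings.append(Finding(split.hostname or "", split.path, kind))
    return findings


def summarize(findings):
    """Count cleartext requests per host, split into image and other fetches."""
    summary = {}
    for f in findings:
        per_host = summary.setdefault(f.host, {"image": 0, "other": 0})
        per_host[f.kind] += 1
    return summary


if __name__ == "__main__":
    for host, counts in summarize(find_cleartext(SAMPLE_REQUESTS)).items():
        print(f"{host}: {counts['image']} image, {counts['other']} other cleartext requests")
```

On the constructed sample this reports three cleartext image fetches to the CDN host and one cleartext API request, while the two https:// requests are ignored. Feeding it request lines exported from a real capture (for example, the HTTP request lines a proxy or packet analyzer writes out) gives the per-host picture that the article's "over 16,000 frames" figure summarizes.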
RedNote's growing influence
Xiaohongshu (RedNote) is a Chinese social media and e-commerce platform popular among young users for lifestyle content. While it has long been a major player in China, recent threats of a U.S. TikTok ban have led to a surge in American users exploring alternatives like RedNote.
This security issue comes just as TikTok's future remains uncertain in the U.S. Following a Supreme Court ruling upholding a federal ban unless ByteDance divests ownership, TikTok threatened to shut down operations on January 19. However, former President Donald Trump has intervened to negotiate its continued presence, leaving users in limbo.
Amid this regulatory turmoil, many “TikTok refugees” have turned to RedNote, unaware they may be trading one security risk for another. Privacy experts have repeatedly warned that shifting to another Chinese-owned app does not eliminate concerns about data privacy and potential government surveillance.
Recommendations
The exposure of user viewing habits and search history in plaintext significantly undermines user privacy. Beyond personal security risks, unencrypted traffic can be intercepted by state actors or malicious third parties.
Security researchers recommend that RedNote immediately implement TLS encryption (RFC 5246) across all network communications to prevent unauthorized access to user data. Additionally, developers should disable cleartext traffic permissions in their Android app configurations to align with industry security standards.
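The Android setting in question lives in the app's network security configuration, where the cleartextTrafficPermitted attribute on base-config (or on a domain-config) controls whether http:// connections are allowed. The script below is an added example, not RedNote's configuration or a Corrata tool: it embeds a permissive, a hardened and a domain-scoped configuration as constructed samples and audits each one for the scopes in which cleartext is permitted, taking the Android 9 default (cleartext off) into account when the attribute is absent. The domain legacy.example.invalid is constructed.

```python
# Added example: audit an Android network_security_config.xml for the
# cleartext setting the article describes. All three configurations are
# constructed samples; none is RedNote's actual configuration.
import xml.etree.ElementTree as ET

# Weak: permits plain HTTP for every host the app talks to.
PERMISSIVE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Hardened: cleartext explicitly disabled everywhere.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Scoped: cleartext off by default but re-enabled for one constructed domain.
SCOPED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.invalid</domain>
    </domain-config>
</network-security-config>
"""


def cleartext_allowed_scopes(config_xml, default_permitted=False):
    """Return the scopes where cleartext is permitted: '*' for base-config,
    otherwise each <domain> of a permitting top-level <domain-config>.

    default_permitted models the platform default when the attribute is
    absent: False on Android 9 (API 28) and later, True on older targets.
    A domain-config without the attribute inherits the base-config value.
    Nested domain-configs are not walked here (simplification for the example).
    """
    root = ET.fromstring(config_xml)
    if root.tag != "network-security-config":
        raise ValueError("not a network security config")

    def as_bool(value, fallback):
        return fallback if value is None else value.strip().lower() == "true"

    base = root.find("base-config")
    base_attr = base.get("cleartextTrafficPermitted") if base is not None else None
    base_permitted = as_bool(base_attr, default_permitted)

    scopes = ["*"] if base_permitted else []
    for dc in root.findall("domain-config"):
        if as_bool(dc.get("cleartextTrafficPermitted"), base_permitted):
            scopes.extend(d.text.strip() for d in dc.findall("domain") if d.text)
    return scopes


if __name__ == "__main__":
    for name, cfg in [("permissive", PERMISSIVE_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("scoped", SCOPED_CONFIG)]:
        print(f"{name}: cleartext allowed for {cleartext_allowed_scopes(cfg) or 'nothing'}")
```

The hardened sample is the configuration the recommendation amounts to: an explicit "false" on base-config, with no domain-config that re-enables cleartext. The same switch also exists as the android:usesCleartextTraffic attribute in the app manifest; a network security config takes precedence over it when both are present, so an audit should look at both places.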
Corrata has shared its findings with Xiaohongshu but is still awaiting a response from the company. Until proper encryption measures are implemented, users should exercise caution when using RedNote, particularly on shared or public networks. The best approach at this point would be to avoid using it entirely.