Are high traffic apps and websites used in DDoS attacks?



  • Isn't it very simple for one rogue programmer in a big institution to add a small code change to the application/website, thereby sending unintended HTTP DDoS attacks? Like, is it possible for TikTok/Facebook to do this?

    Like, every time I slide the screen, a POST/GET request goes to some target website/application that will be overwhelmed by the traffic? Are pirate sites a part of this?



  • "Big institutions" have very strict policies, a multi-stage development chain, a dedicated quality team and canary testing in place. It's not an easy task for a single rogue developer to insert anything nasty. Theoretically possible, but not probable.

    Moreover, if the attacker is able to insert a DDoS payload, how about some spyware, a backdoor, a bitcoin miner or the like? Considering the sizeable reputational (and financial) impact of such a fiasco, you can bet they will try to avoid that at all costs.

    Of course, if there is some vulnerability in the site's code, or by using a MitM attack (see the other answer), it might be feasible without an insider.

    EDIT: While it's certainly possible to insert malicious code into some "popular package" which the site uses, it's not an easy task. Normally, big players are not using a huge number of random libraries like common developers do, even if they are popular. Not because it could be dangerous, but because they need control and a reliable supply chain. Most "popular libraries" simply won't qualify. The biggest tech firms often design their own solution and open-source it instead. If they are using some existing codebase, they quite often delegate developers to the community in order to maintain control over the project and gain the required expertise.

    It's unreasonable to think one can simply insert an exploit into a popular FLOSS codebase and big players will include it blindly. Even if the community fails to catch the exploit (which is not impossible but pretty improbable in the case of a popular project), the institution's rigorous testing protocol might detect the problem in time. Even if the QA team fails to catch the problem, it might be trivial to catch during canary testing, which mitigates the scale of the problem.

    If the DDoS code contains fixed targets, remote control or is scheduled, it's pretty much trivial to spot. It would be very, very hard to push it through multiple layers of quality control.
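An added example, not from the thread: one of the "layers of quality control" the answer refers to, written as a small CI-style check a defending team could run over a web client bundle to flag hardcoded outbound request targets that are not on the site's own host allowlist. The allowlist, host names and sample bundle are constructed for illustration.

```javascript
// Added example (not from the thread): flag hardcoded outbound request
// targets in a web client bundle that are not on the site's own host
// allowlist. The allowlist, host names and sample bundle are constructed.
const ALLOWED_HOSTS = new Set(["api.example-app.test", "cdn.example-app.test"]);

// Absolute http(s) URLs written as string literals in source text.
const URL_LITERAL = /["'`](https?:\/\/[^"'`\s]+)["'`]/g;

// Returns every absolute URL literal with the 1-based line it appears on.
function extractUrlLiterals(source) {
  const found = [];
  source.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(URL_LITERAL)) {
      found.push({ url: m[1], line: idx + 1 });
    }
  });
  return found;
}

// Returns the hosts (with line numbers) that are not on the allowlist;
// unparseable URLs are skipped rather than reported.
function findUnexpectedHosts(source, allowed = ALLOWED_HOSTS) {
  const offenders = [];
  for (const { url, line } of extractUrlLiterals(source)) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      continue;
    }
    if (!allowed.has(host)) offenders.push({ host, line });
  }
  return offenders;
}

// Constructed sample: a scroll handler that fires one request to the app's
// own API and one to a host the app has no business contacting.
const SAMPLE_BUNDLE = `
window.addEventListener("scroll", () => {
  fetch("https://api.example-app.test/v1/feed?page=2");
  fetch("https://unrelated-site.invalid/search?q=" + Date.now());
});
`;

// Report each finding; a CI gate would fail the build when any exist.
const offenders = findUnexpectedHosts(SAMPLE_BUNDLE);
for (const { host, line } of offenders) {
  console.log(`line ${line}: request to non-allowlisted host ${host}`);
}
```

A string scan like this only catches targets written as plain literals; a `Content-Security-Policy` header with a `connect-src` directive set at the edge gives a runtime backstop by blocking fetch/XHR to hosts outside the same allowlist, regardless of how the URL was assembled.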


