Month: November 2023

Do what thou whilt shall be the whole of the law.

---

The following is a compilation of excerpts from various websites and news sources that detail various social and software security concerns over the behavior and use of the TikTok app. The sources used are all listed below under “Sources”. Any one of these alone is reason enough to never install it on any of your devices. I recommend to never install the app (though watching the videos in Firefox is probably fine) and never trust anything you see there too much.

---

TikTok has a long list of very real privacy scandals under its belt. In December 2022, the company admitted that employees had spied on reporters using location data, in an attempt to track down the source of leaked information…TikTok also reportedly planned to surveil the locations of specific U.S. citizens using location data from their devices, Forbes reported last October.

TikTok also engages in what some observers have called invasive tracking measures against ordinary users. These tactics include prompting users to let TikTok harvest their phone contacts lists, as a way of connecting users who already know each other on the app. Even if you refuse to give TikTok access to your contacts, it will still prompt you to follow people who have your number in their phone contacts lists.

Chinese national security laws can compel foreign and domestic firms operating within the country to share their data with the government upon request, and there are concerns about China’s ruling Communist Party using this broad authority to gather sensitive intellectual property, proprietary commercial secrets and personal data…the company has come under increasing scrutiny in recent months, and in July it acknowledged that non-U.S. employees did in fact have access to U.S. user data.

China-based ByteDance employees have repeatedly accessed non-public data (like phone numbers and birthdays) of U.S. TikTok users. Separately, Forbes reported in October that ByteDance planned to use TikTok “to monitor the personal location of some specific American citizens,” which the company denied.

Chinese law essentially requires companies to do whatever the government wants them to in terms of sharing information or serving as a tool of the Chinese government. And so that’s plenty of reason by itself to be extremely concerned.

“This is not something you would normally hear me say, but Donald Trump was right on TikTok years ago,” Warner told Australia’s Sydney Morning Herald. “If your country uses Huawei, if your kids are on TikTok … the ability for China to have undue influence is a much greater challenge and a much more immediate threat than any kind of actual, armed conflict.”

lawmakers said the app can track users’ locations and collect internet browsing data even from unrelated websites — adding that Beijing could develop profiles on millions of Americans for blackmail or espionage purposes, as well as collect sensitive national security information from U.S. government employees.

They also worried about potential abuses of TikTok’s algorithm, and specifically that it could “be used to subtly indoctrinate American citizens” by censoring some videos and promoting others.

“TikTok has already censored references to politically sensitive topics, including the treatment of workers in Xinjiang, China, and the 1989 protests in Tiananmen Square,” they wrote. “It has temporarily blocked an American teenager who criticized the treatment of Uyghurs in China. In German videos about Chinese conduct toward Uyghurs, TikTok has modified subtitles for terms such as ‘reeducation camp’ and ‘labor camp,’ replacing words with asterisks.” The lawmakers called this an especially frightening prospect given how many adults get their news from TikTok.

And Aynne Kokas, a professor of media studies and the director of the East Asia Center at the University of Virginia, says it is “part of a larger Chinese government effort to expand extraterritorial control over digital platforms.”

TikTok, the smartphone app beloved by teenagers and used by hundreds of millions of people around the world, had serious vulnerabilities that would have allowed hackers to manipulate user data and reveal personal information, according to research published Wednesday by Check Point, a cybersecurity company in Israel.

The weaknesses would have allowed attackers to send TikTok users messages that carried malicious links. Once users clicked on the links, attackers would have been able to take control of their accounts, including uploading videos or gaining access to private videos. A separate flaw allowed Check Point researchers to retrieve personal information from TikTok user accounts through the company’s website. “The vulnerabilities we found were all core to TikTok’s systems,” said Oded Vanunu, Check Point’s head of product vulnerability research.

Oversecured has once again uncovered high-severity vulnerabilities, this time in the TikTok app. The app contained one vulnerability to theft of arbitrary files with user interaction and three to persistent arbitrary code execution. All these vulnerabilities could have been exploited by a hacker if a user had installed a malicious app onto their Android device. Since the path was fully controllable by the attacker, this provided read-only access to arbitrary files. An attacker could therefore gain access to any files stored in the app’s private directory, and also to history, private messages, and session tokens, resulting in complete access to the user’s account. The vulnerability could have been exploited by an app that was only run once and then, say, deleted. The library would have been written to the app’s private directory and could have been loaded by the app even after the phone was rebooted or the app restarted.

TikTok uses a technique equivalent to keylogging in its in-app browser. “TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app,” Krause wrote in the report. “This can include passwords, credit card information and other sensitive user data.”

The flaw in TikTok’s Android app is the latest security concern for the social media company, which was criticized last month for having keylogging functionality in its iOS app. Microsoft disclosed a verification bypass vulnerability in TikTok’s Android application, raising concerns about the security and functionality of the popular social media app. Microsoft detailed the TikTok vulnerability, tracked as CVE-2022-28799, which could enable threat actors to hijack accounts and publicize private videos, send messages and upload videos under the users’ accounts.

TikTok Inc. illegally tracks user activity on third-party websites through its integrated web browser, in violation of the Federal Wiretap Act, according to a proposed class action filed in Illinois federal court that echoes earlier claims from consumers. When a user clicks on a link in TikTok, the app opens the page via an “in-app browser” that uses code to track interactions with the website in an effort to increase advertising profit, said the lawsuit filed Friday in the US District Court for the Northern District of Illinois.

TikTok gathers data on people who don’t even use the app itself. …the company embeds a tracker called a “pixel.” Pixel gathers user data from these websites…Among other data, TikTok collects the IP address; a unique number; the page a user is on; and what they’re clicking, typing, or searching for.

---

Sources:
https://time.com/6265651/tiktok-security-us/
https://www.npr.org/2022/11/17/1137155540/fbi-tiktok-national-security-concerns-china
https://www.nytimes.com/2020/01/08/technology/tiktok-security-flaws.html
https://blog.oversecured.com/Oversecured-detects-dangerous-vulnerabilities-in-the-TikTok-Android-app/
https://www.techtarget.com/searchsecurity/news/252524495/Microsoft-discloses-high-severity-TikTok-vulnerability
https://news.bloomberglaw.com/privacy-and-data-security/tiktok-faces-latest-lawsuit-over-in-app-browser-data-tracking
https://www.malwarebytes.com/blog/news/2022/10/tiktoks-secret-operation-tracks-you-even-if-you-dont-use-it/amp

---

Beyond just the app itself, the company’s policies and treatment of their employees is not unlike that of the CCP and its social score system. I highly recommend researching that topic in depth.

---

TikTok is cracking down on remote work with an app to track in-office attendance. The social media company has implemented a new internal software called MyRTO — or my return to office — this month. The app part of its mandate requiring US employees to work from office at least three times a week. Some employees may have to work from office for the entire five-day work week. According to The New York Times, MyRTO tracks badge swipes that employees make when entering office premises. Employees will be asked to explain “deviations” from expected in-office attendance. The badge swipe data will be analysed by employee supervisors and HR staff. The report further said that employees were warned that “any deliberate and consistent disregard may result in disciplinary action” and could even impact their performance reviews. A section of the TikTok workforce has voiced its “frustration and dismay” over the attendance policy. TikTok, owned by the Chinese company ByteDance, employs around 7,000 people in the United States across major cities like New York and Los Angeles. Last year in October, it implemented a strict return-to-office policy as the coronavirus pandemic subsided. Workers were told they would be fired if their home address did not match the address of their office.

---

Source:
https://www.moneycontrol.com/news/trends/tiktok-employees-annoyed-by-app-to-track-in-office-attendance-threats-of-punishment-11390731.html

---

Love is the law, love under will.

Concerned,
Vanessa