One of the most popular social media apps is facing greater scrutiny over data leaks after a possible TikTok security breach that could affect over a billion users was reported.
On Monday, multiple cybersecurity specialists tweeted about the alleged discovery of an unprotected server that permitted access to TikTok’s storage, which they believe held personal user data. Only a few days earlier, Microsoft Corp. had announced a “high-severity vulnerability” in TikTok’s Android app “which would have allowed attackers to compromise users’ accounts with a single click.”
TikTok, from ByteDance Ltd., topped a billion monthly users a year ago and is now many young people’s favorite app. As a result, it’s an appealing target for hackers looking to steal popular accounts or resell critical information. The Trump administration classified it as a privacy hazard in 2020 and nearly banned it because of concerns about potential linkages between its Beijing-based parent firm and the Chinese government.
The firm downplayed the reported TikTok security breach
TikTok stated that reports of a breach detected over the weekend were false. According to a representative, “Our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code.”
Troy Hunt, an Australian online security analyst, examined some of the leaked data samples and found that some user profiles matched videos posted under those IDs. However, part of the information in the leak was “publicly accessible data that could have been constructed without breach.” He posted on Twitter that:
“This is so far pretty inconclusive; some data matches production info, albeit publicly accessible info. Some data is junk, but it could be non-production or test data. It’s a bit of a mixed bag so far.”
Microsoft discovered a narrower vulnerability that might have affected Android-powered mobile phones. It could have let attackers access and modify “TikTok profiles and sensitive information, such as by publicizing private videos, sending messages and uploading videos on behalf of users,” stated Dimitrios Valsamaras of the Microsoft 365 Defender Research Team. According to a TikTok spokeswoman, the firm responded immediately to Microsoft’s findings and corrected the security weakness discovered “in some older versions of the Android app.”
Data leaks caused by TikTok are a serious concern for the US
Regardless of how inconclusive or minor the flaws are, TikTok and its parent company will be scrutinized closely at a time when the US may tighten its sanctions against corporations with ties to China. In June, nine US senators demanded that TikTok’s CEO explain purported security lapses in a public letter.
President Joe Biden is set to sign an executive order restricting US investment in Chinese technology businesses, and a separate measure targeting TikTok is possible, with the administration keeping a careful eye on whether the Chinese government has access to American user data. The corporation has informed US Congress that it has taken precautions to safeguard such data through a deal with Oracle Corp.
“There’s a lot of attention on the way TikTok operates and there’s a big gap between how it operates and how it says it operates,” said Robert Potter, co-CEO of the Australian-US cybersecurity business Internet 2.0 Inc. In a study released in July, Potter’s team stated that it discovered “excessive data harvesting” by TikTok on user devices, that the app checks device location at least once an hour, and that it contains code that gathers serial numbers for both the device and the SIM card. TikTok dismissed the findings, claiming that the report “misstates the amount of data we collect.”
3/ Internet2.0 misstates the amount of data we collect. For example, we do not collect user device IMEI, SIM serial number, active subscription information, or integrated circuit card identification number, and we do not collect precise GPS location.
— TikTokComms (@TikTokComms) July 18, 2022
The news drew widespread notice in Australia, and Clare O’Neil, the new Minister for Home Affairs, revealed on Monday that she has directed her agency to look into what data TikTok collects and who has access to it. O’Neil said in emailed remarks that:
“We’ve got this basic problem here where we’ve got technology companies that are based in countries with a more authoritarian approach to the private sector. TikTok is not the beginning and the end of this. It’s one of the very large number of issues that’s given rise to by these very dominant technology companies and the role they are playing in our lives.”
TikTok might be “keylogging,” which could cause data leaks
Another study last month, by security researcher Felix Krause, focused on in-app browsers; Krause built a tool to check what apps do to web pages rendered inside their WebView. The study, which examined the vulnerabilities of mobile apps using in-app browsers, looked at around 25 of the most popular iOS apps and found that TikTok employed a keylogging approach in its in-app browser. According to Krause, “TikTok iOS subscribes to every keystroke (text inputs) happening on third-party websites rendered inside the TikTok app. This can include passwords, credit card information, and other sensitive user data.”
He also observed that TikTok’s iOS version injected JavaScript code to analyze what the user tapped. While Krause admitted that he had no way of knowing what TikTok does with the keystroke subscription, he argued that TikTok’s response in a Forbes article confirmed that the app has keylogging capability. TikTok told TechTarget in a statement that the report’s findings are incorrect and misleading: “The researcher specifically says the JavaScript code does not mean our app is doing anything malicious and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”
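The dispute above turns on what a hosting app’s injected JavaScript does to a third-party page inside a WebView. A website operator cannot stop that injection, but can detect one class of it: built-in functions the page relies on being replaced by script-defined wrappers. The following is an added example written for this article; it is not code from the article, from TikTok, or from Felix Krause’s InAppBrowser tool. It snapshots function references in the page’s earliest script, checks the engine’s `[native code]` signature where a native is expected, and reports anything that changed. The function names (`snapshotBuiltins`, `auditBuiltins`, `simulatePage`, `runAudit`) and the simulated `document` are assumptions made for the example so it runs in Node.js as well as a browser.

```javascript
// Added example (not from the article, TikTok, or Felix Krause's tool):
// a page-side integrity check that reports browser built-ins replaced by
// script, one way injected JavaScript can hook input handling in a WebView.

// Capture the genuine Function.prototype.toString at load; a later override
// of toString would otherwise mask every other override.
const fnToString = Function.prototype.toString;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// True when fn carries the engine's "[native code]" signature.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_RE.test(fnToString.call(fn));
  } catch (e) {
    return false; // a Proxy that throws on toString is itself a finding
  }
}

// checks: [{ owner, name, label, expectNative }]. Records the current
// function reference for each entry so it can be compared later.
function snapshotBuiltins(checks) {
  return checks.map((c) => ({ ...c, original: c.owner[c.name] }));
}

// Compares the live functions against the snapshot; returns findings
// ({ label, reasons }) and an empty array when nothing changed.
function auditBuiltins(snapshot) {
  const findings = [];
  for (const { owner, name, label, expectNative, original } of snapshot) {
    const fn = owner[name];
    const reasons = [];
    if (typeof fn !== 'function') {
      reasons.push('missing or not a function');
    } else {
      if (fn !== original) reasons.push('replaced since snapshot');
      if (expectNative && !isNativeFunction(fn)) reasons.push('not a native function');
    }
    if (reasons.length > 0) findings.push({ label, reasons });
  }
  return findings;
}

// Constructed stand-in for `document` (assumption for this example). Node's
// EventTarget is written in JavaScript, so expectNative is false for it
// below; in a browser document.addEventListener is native and the flag
// should be true.
function simulatePage() {
  return typeof EventTarget !== 'undefined'
    ? new EventTarget()
    : { addEventListener() {} };
}

// The entries a page would watch: its event API plus a few V8/JS natives.
function checksFor(doc) {
  return [
    { owner: doc, name: 'addEventListener', label: 'document.addEventListener', expectNative: false },
    { owner: JSON, name: 'stringify', label: 'JSON.stringify', expectNative: true },
    { owner: Object, name: 'defineProperty', label: 'Object.defineProperty', expectNative: true },
    { owner: Function.prototype, name: 'bind', label: 'Function.prototype.bind', expectNative: true },
  ];
}

// Takes the snapshot, optionally simulates a script that wraps
// document.addEventListener (the wrapper here only forwards the call and
// stands in for whatever an injected script would do), then audits.
function runAudit({ injected }) {
  const doc = simulatePage();
  const snapshot = snapshotBuiltins(checksFor(doc));
  if (injected) {
    const original = doc.addEventListener;
    doc.addEventListener = function (type, listener, options) {
      return original.call(this, type, listener, options);
    };
  }
  return auditBuiltins(snapshot);
}

console.log('clean page:', JSON.stringify(runAudit({ injected: false })));
console.log('wrapped addEventListener:', JSON.stringify(runAudit({ injected: true })));
```

Two limits matter in practice. A script that simply registers its own listener through the unmodified API, or that wraps a built-in with `Function.prototype.bind` (bound functions also print `[native code]`), is not caught by either check; and if the host app injects before the page’s first script runs, the snapshot already holds the wrapper, leaving only the native-signature check. The result is best treated as a signal to surface to the user (“this page is running inside an app browser that has modified it”) rather than as proof of data collection, which matches Krause’s own caveat that the injection alone does not show what the app does with the data.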
However, information security experts see little debugging value in TikTok’s keystroke capture. For example, troubleshooting is usually handled by the operating system rather than the app, according to Chester Wisniewski, a principal research scientist at Sophos. Apple would be accountable for iPhone issues and Google for Android issues, because the in-app browsers rely on Safari and Chrome, respectively.
According to Nick DeLena, partner at consulting firm DGC who specializes in cybersecurity and privacy, keylogging is often seen as a violation of privacy, and when an app or service is found to be employing it, it is usually forced to find another means of debugging. According to DeLena, the risk with TikTok’s software is especially great because the Chinese government has a stake in TikTok’s parent company, ByteDance.
Whether or not TikTok is using the capability solely for debugging, it may still represent a security risk to organizations. According to Tim Mackey, chief security strategist at Synopsys, if the app is used at work, sensitive corporate information may end up in the keylogging data. While many companies prevent certain apps or services from being installed on work devices, enforcing that on a growing remote workforce is difficult, and the shift to remote work has blurred the line between work and personal devices.
Wisniewski emphasized that people are increasingly using personal phones or tablets for work-related tasks and may be unaware of potential risks, saying, “It only takes a minute to be confused about whether you’re currently in the company web browser, or you might be in the in-app TikTok browser by accident and start doing company stuff, and that’s a huge risk to data leakage.”