TikTok continues to gather a head of steam, with the popular social media application surpassing one billion users in 2022. While daily users blissfully swipe through the latest videos from their favorite content creators, data security concerns continue to dog the Chinese social media behemoth.
The company has faced criticism over the past couple of years over its data collection policies, despite its popularity and the prolific onboarding of users around the world. Cryptocurrency users have also questioned whether critical data like private keys to wallets could be scraped by the alleged data practices of TikTok.
United States Federal Communications Commissioner Brendan Carr called for Apple and Google to remove TikTok from their app stores in June 2022, claiming the app “harvests swaths of sensitive data that new reports show are being accessed in Beijing.”
TikTok is not just another video app.
That’s the sheep’s clothing.
It harvests swaths of sensitive data that new reports show are being accessed in Beijing.
— Brendan Carr (@BrendanCarrFCC) June 28, 2022
Two years prior to this, cyber intelligence firm Check Point Research released a report highlighting vulnerabilities within the TikTok application. These included the ability to take control of TikTok accounts and manipulate their content, delete and upload unauthorized videos, make private “hidden” videos public, and gain access to private email addresses and mobile numbers.
The firm shared these discovered exploits with TikTok in late 2019 and the company deployed solutions to the vulnerabilities. Check Point Research told Cointelegraph that it has not conducted further research into TikTok’s code since its original examination.
TikTok uses HackerOne to reward code sleuths through its bug bounty program. The initiative rewards the discovery of security vulnerabilities, with different reward bands for the severity of the bug discovered. Since the current bounty table was instituted in October 2021, TikTok has paid out $539,000 in bug bounties.
Cointelegraph reached out to TikTok for comment on concerns expressed about its data security and collection practices. A company spokesperson shared a broad range of published resources addressing the subject of its data collection practices and claims against it.
TikTok stores user data in Singapore and the U.S. and employs access controls including encryption and security monitoring from its American-based security team. Access to this data is behind a number of control mechanisms and the company maintains that user data is not accessible in China, as has been claimed by individuals like the FCC’s Carr in America.
The spokesperson also noted that the application’s clipboard access is controlled by the user, in response to a report from the Financial Review in July 2022 that claimed this function was automatically enabled by TikTok. Automatic clipboard access could potentially put at risk any confidential messages or passwords copied onto a user’s clipboard.
Coins not at risk but phishing is a reality
Cryptocurrency users can breathe a sigh of relief, as security experts agree that using or having TikTok on a mobile device does not directly place cryptocurrency wallets and exchange apps at risk of being compromised.
Bree Fowler has been following TikTok data concerns as a senior cybersecurity and privacy writer for CNET over the past couple of years. The journalist believes TikTok users should not be concerned about using other apps alongside TikTok, telling Cointelegraph:
“State sponsored hackers aren’t going to go after regular people this way. I’d be more worried about shady crypto apps and exchanges. It’s much easier to just send phishing emails.”
As an added precaution, Fowler advised users to deny TikTok permission to track activity across a device, to review the app’s privacy permissions and to store cryptocurrency in offline (cold) wallets.
Cointelegraph also reached out to cybersecurity firm Kaspersky’s security expert Anna Larkina, who believes there is merit in the questions being asked of TikTok’s data collection policies:
“The amount and type of data that TikTok collects about its users imposes a corresponding degree of responsibility for their safety. There does appear to be a need for maximum transparency in where exactly this data goes, especially if we are talking about third parties, which is extremely difficult to track.”
Larkina noted that the sum of all this data holds a substantial amount of information about an individual user, with the potential cost of a data leak not to be taken lightly.
The biggest threat highlighted by both experts is the potential for user data to be compromised and then used in coordinated phishing attacks. With the amount of information stored by TikTok, including what applications are installed on your device, attackers could potentially plan targeted attacks on individual users.
Larkina also warned users not to copy and paste login and password details on devices that have TikTok installed and to limit the app’s ability to collect data.
Politically charged situation
Politics has been intrinsically tied to the situation around TikTok, its popularity and its use across the world. Former U.S. President Donald Trump’s administration moved to ban TikTok and WeChat from operating in America, which thrust the issue to the fore.
Fowler believes it’s unclear whether concerns raised over the past two years are warranted and that political motivations are at play as well. While most associate TikTok with harmless videos that have captivated young audiences, Fowler remained skeptical of the situation:
“On the surface, that doesn’t seem super personal or that it would be of any use to the Chinese government. But the more information any group or person has about you, the more they can use it to their advantage, whether it be for data mining, cybercrime, or more nefarious purposes.”
Given TikTok’s massive reach, the platform has also become a prime advertising avenue for the cryptocurrency space. Binance made headlines in June 2022 when it struck an ambassador deal with TikTok’s most followed influencer, Khaby Lame, to create Web3-focused educational content.
The platform also plugged into the nonfungible token (NFT) universe with its own collection of NFTs from a handful of its most prominent content creators, celebrities and influencers in September 2021.