Is the user’s crypto at risk?
TikTok continues to gather momentum, with the popular social media application surpassing one billion users in 2022. While everyday users happily swipe through the latest videos from their favorite content creators, data security concerns continue to raise questions about the Chinese social media behemoth.
Despite its popularity and prolific onboarding of users worldwide, the company has faced criticism over the past couple of years over security concerns about its data collection policies. Cryptocurrency users have also questioned whether critical data such as private keys to wallets could be scraped through TikTok’s alleged data practices.
US Federal Communications Commissioner Brendan Carr called on Apple and Google to remove TikTok from their app stores by June 2022, claiming the app “harvests reams of sensitive data that new reports show is being accessed in Beijing.”
TikTok is not just another video app.
It’s the sheep’s clothing. It harvests volumes of sensitive data that new reports show is being accessed in Beijing.
I have called @Apple & @Google to remove TikTok from its app stores due to its pattern of secret data practices. pic.twitter.com/Le01fBpNjn
— Brendan Carr (@BrendanCarrFCC) 28 June 2022
Two years before this, cyber intelligence firm Check Point Research released a report highlighting vulnerabilities in the TikTok application. These included the ability to take control of TikTok accounts and manipulate their content, delete and upload unauthorized videos, make private “hidden” videos public, and access private email addresses and mobile numbers.
The firm shared these discovered exploits with TikTok in late 2019, and the company deployed fixes for the vulnerabilities. Check Point Research told Cointelegraph that it has not conducted further investigations into TikTok’s code since the original investigation.
TikTok uses HackerOne to run its bug bounty program. The initiative rewards researchers for discovering security vulnerabilities, with different reward bands depending on the severity of the flaw discovered. Since the current bounty table was created in October 2021, TikTok has paid out $539,000 in bug bounties.
Cointelegraph reached out to TikTok to comment on concerns expressed about data security and fundraising practices. A spokesperson for the company shared a wide range of published resources that address the topic of data collection practices and claims against them.
TikTok stores user data in Singapore and the US and uses access controls including encryption and security monitoring by the US security team. Access to this data is behind a number of control mechanisms, and the company claims that user data is not available in China, contrary to what individuals such as the FCC’s Carr in America have claimed.
The spokesperson also noted that the application’s clipboard access is controlled by the user, contrary to a July 2022 Financial Review report that claimed this feature was automatically enabled by TikTok. The fear is that clipboard access could expose confidential messages or passwords copied to a user’s clipboard.
Coins are not at risk, but phishing is a reality
Cryptocurrency users can breathe a sigh of relief, as security experts agree that using or having TikTok on a mobile device does not directly put cryptocurrency wallets and exchange apps at risk of being compromised.
Bree Fowler has been following TikTok data issues as a senior cybersecurity and privacy writer for CNET for the past couple of years. The journalist believes that TikTok users should not be worried about using other apps alongside TikTok, telling Cointelegraph:
“Government-sponsored hackers are not going to go after ordinary people like this. I would be more concerned about shady crypto apps and exchanges. It’s much easier to just send phishing emails.”
As an extra precaution, Fowler advised users to deny TikTok permission to track activity across devices, change the app’s privacy permissions, and store cryptocurrency in offline (cold) wallets.
Cointelegraph also reached out to Anna Larkina, a security expert at cybersecurity firm Kaspersky, who believes the questions posed about TikTok’s data collection policy are beneficial:
“The amount and type of data that TikTok collects on users imposes a corresponding degree of responsibility for their security. There seems to be a need for maximum transparency in where exactly this data goes, especially if we are talking about third parties, which is extremely difficult to trace.”
Larkina noted that the sum of all this data contains a significant amount of information about an individual user, and the potential costs of a data leak should not be taken lightly.
The biggest threat highlighted by both experts is the potential for user data to be compromised and then used in coordinated phishing attacks. With the amount of information stored by TikTok, including which applications are installed on your device, attackers can potentially plan targeted attacks on individual users.
Larkina also warned users not to copy and paste login and password details on devices that have TikTok installed and to limit the app’s ability to collect data.
Politically charged situation
Politics has been intrinsically linked to the situation surrounding TikTok and its popularity and use around the world. Former US President Donald Trump’s administration moved to ban TikTok and WeChat from operating in America, bringing the issue to a head.
Fowler believes it is unclear whether concerns that have been raised over the past two years are justified, and that political motivations also play a role. While most associate TikTok with harmless videos that have captivated young audiences, Fowler remained skeptical of the situation:
“On the surface, it doesn’t seem super personal or that it would be of any use to the Chinese government. But the more information a group or person has about you, the more they can use it to their advantage, whether it’s for data mining, cybercrime or more nefarious purposes.”
Given TikTok’s massive reach, the platform has also become a prime advertising avenue for the cryptocurrency space. Binance made headlines in June 2022 when it entered into an ambassadorship agreement with TikTok’s most followed influencer Khaby Lame to create Web3-focused educational content.
The platform also joined the NFT (nonfungible token) universe with its own collection of NFTs from a handful of its most prominent content creators, celebrities and influencers in September 2021.