2022-08-22

TikTok has rapidly become one of the most important players in social media. — © AFP

Disturbing information from a software and security researcher indicates that Tik Tok opens an in-app browser able to monitor keystrokes and passwords. This is a major security issue, and it’s also very much an issue of trust.

The researcher found that the in-app browser is able to monitor many different types of user activity. There’s no positive spin on this information. This is by definition a security risk.

Even if the in-app browser were considered safe (apparently it isn’t), it could be hijacked or have security flaws of its own. This is a perfect mix of risks. Either the in-app browser is a potential problem, or third parties exploiting it are a problem, or both.

How did this happen?

This situation is almost inexplicable. Given the decades of problems with online security (a contradiction in terms if ever there was one), putting any keylogging software in a public app is almost suicidal, and incredibly naïve at best.

Surveys have recently shown that 9 out of 10 people know someone who’s been hacked. That is hardly a picture of robust security. If a huge global thing like Tik Tok is also a risk, the hacking odds for users just got a lot worse.

Much worse from Tik Tok’s own perspective is that this revelation makes Tik Tok a natural target for hackers. A built-in keylogger is a labor-saving device for hackers and a virtual blank check for exploitation.

It is possible in the surveillance culture that the keylogger could theoretically be used as a security tool. You could record attempted hacks, one key at a time, in theory. It’s hardly the best option, though. How do you use keylogging for millions of users and expect to get useful information quickly or use it in real-time to block a hack?

More likely, this is a standard commercial system, designed to record user behavior, ad clicks, etc. That creates an additional risk, where hackers can follow users into commercial sites and compromise their SSL processes.

The other problem here is also a major risk for Tik Tok; if their in-app browser is a party to any theft or attacks on users, they could be held responsible. It’d be a very interesting and extremely expensive class action.

Tik Tok is a Chinese hosting service. Exactly how much compliance with privacy and security laws can be forced on Tik Tok is highly debatable. It’s quite possible that Tik Tok may also be constrained by Chinese requirements for default social credit surveillance data, which would explain the keylogger.

That’s not at all useful to international users. The internet isn’t exactly safe, and anyone inside or outside China can take advantage of this glaring security risk if they know how.

Let’s hope someone knows how to defuse this online IED, because it’s not looking good.

