Mining in plain sight

Major security flaws and deliberate exploitation strategies in our most popular apps

People like free stuff. Love it, actually. That quality is one of our greatest exploitable weaknesses, luring us into traps time and time again. Combine that weakness with our desperate and increasing need for instant gratification, and you got yourself a data mining gold rush, severed fingers and all. Most people don’t spend much time thinking about why products might be free and download those apps with reckless abandon. The nightmare scenario. If you’re reading this, you’re hopefully somewhat familiar with the concept of “being the product” and I will save us all the intro.

Apps and corporations like Facebook, Instagram, TikTok, Houseparty, Zoom, and Yahoo! serve as access points for massive data aggregation across the globe, either sitting on that data themselves or channeling it into companies like LexisNexis, Accenture, and ChoicePoint, which then turn that data into cash for their corporate clients via targeted ads, mailing lists, consumer profiles, and data-driven business expansion.

Many of these apps are designed to appear deceptively user-friendly, posing no obvious threat and thus triggering no suspicion. Of course users can and should do their part to shield themselves from exploitation: limiting permissions (does your weather app really need microphone access?) and frequently checking the data that’s getting sent out. But many older users are less than tech savvy, and many apps are designed specifically to appeal to young consumers who install all kinds of malignant spyware with little supervision or informed oversight.

To gain a better understanding of these issues, we’ll take a closer look at one of the most popular apps ever created: TikTok. With close to 2 BILLION downloads, the pool of potential victims is virtually bottomless. TikTok is owned by ByteDance, a Chinese media giant that maintains close ties to the CCP and, much like Facebook, regularly shares its accumulated data with various oppressive regimes. If that isn’t enough to make you take a pass, we can make it more personal. Your data isn’t your data. You gave up all privacy when you enthusiastically agreed to the EULA you didn’t read (wait, what’s an EULA again?). Maybe you don’t even care about your personal data being shared with corporations, maybe you see no harm in it, maybe you think you have nothing to hide (spoiler alert: you do, but I came here to drag TikTok). So let’s make it even more personal: in addition to data mining concerns, there are glaring security vulnerabilities in TikTok’s code base, allowing attackers to use a link in the messaging system to send users messages that appear to come from TikTok. In a 2020 study by Check Point, researchers tested those weaknesses by spoofing SMS messages containing malware that let them take control of accounts, upload content, delete videos and make private videos public. They were also able to send a link using TikTok’s deep link schema: for custom links that contain a URL parameter, the app opens a browser window and follows the malicious link.

[Image: Deep link schema in TikTok Android App]

Any request will be sent directly using the users’ cookies, allowing bad actors to send requests posing as the user.

[Image: Parsed deep link]

Other vulnerabilities include open redirection via domain regex bypass, opening the user up to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Sensitive Data Exposure without user knowledge or consent. For the average TikTok user, these hacks are undetectable. The spoofed sites look almost identical to the originals, and people have a high level of trust in the apps they put on their devices. Technological ignorance and herd mentality are key players, leading us to the assumption that it must be fine since everyone is using these apps.
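To make the two problems above concrete (a deep link whose URL parameter is followed blindly, and a domain check that a regex bypass defeats), here is an added, constructed example; it is not TikTok’s code or Check Point’s proof of concept. The `app://open?url=...` deep-link shape, the regex, and the `tiktok.com` host allowlist are assumptions chosen for illustration. It puts a substring-style regex check next to a hardened check that parses the URL and compares the exact host against an allowlist, and models a deep-link handler that only hands a target to the in-app browser when the hardened check passes, so the user’s session cookies are never sent to a host the app did not intend.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed illustration, not TikTok's real code: the regex, the allowlist
# and the "app://open?url=..." deep-link shape are all assumptions.

# 1) Weak check: a regex over the whole URL string. The ".*" lets the trusted
#    domain appear anywhere, so a URL only needs to *contain* "tiktok.com".
WEAK_DOMAIN_RE = re.compile(r"^https?://.*tiktok\.com")


def weak_is_trusted(url: str) -> bool:
    """Regex-based domain check of the kind an open-redirect bypass defeats."""
    return WEAK_DOMAIN_RE.match(url) is not None


# 2) Hardened check: parse the URL, take the exact host and compare it against
#    an allowlist; anything that is not an https URL to an allowed host fails.
ALLOWED_HOSTS = {"www.tiktok.com", "m.tiktok.com"}
ALLOWED_SUFFIX = ".tiktok.com"  # subdomains of the trusted domain only


def hardened_is_trusted(url: str) -> bool:
    """Exact-host allowlist check on the parsed URL."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed input (e.g. broken IPv6 literal) is untrusted
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        # "https://tiktok.com@evil.example/" puts the real host after the '@'
        return False
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases hostname
    if not host:
        return False
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIX)


def resolve_deep_link(link: str, is_trusted=hardened_is_trusted):
    """Model of a deep-link handler.

    Extracts the 'url' parameter and returns the address the in-app browser
    would open, or None if the link must be refused. A refused link is never
    fetched, so the user's session cookies never reach that host.
    """
    parts = urlsplit(link)
    if parts.scheme != "app" or parts.netloc != "open":
        return None
    target = parse_qs(parts.query).get("url", [None])[0]
    if target is None or not is_trusted(target):
        return None
    return target


# Constructed sample targets: legitimate ones plus the classic bypass shapes.
SAMPLE_URLS = [
    "https://www.tiktok.com/@user/video/1",       # legitimate
    "https://m.tiktok.com/",                      # legitimate subdomain
    "http://www.tiktok.com/",                     # plain http: hardened refuses
    "https://tiktok.com.evil.example/login",      # trusted name as a prefix
    "https://eviltiktok.com/",                    # trusted name glued to host
    "https://tiktok.com@evil.example/",           # trusted name as userinfo
    "https://evil.example/?next=tiktok.com",      # trusted name in the query
]


def compare(urls=SAMPLE_URLS):
    """Return {url: (weak_result, hardened_result)} for each sample."""
    return {u: (weak_is_trusted(u), hardened_is_trusted(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, hard) in compare().items():
        print(f"weak={weak!s:<5} hardened={hard!s:<5} {url}")
```

The weak check accepts every sample, including all five hostile shapes, because the regex never asks which host the browser will actually connect to; the hardened check answers exactly that question and nothing else. The same pattern applies to any allowlist decision made on a URL: parse first, compare the host component, and treat scheme, userinfo and malformed input as failures rather than edge cases.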

As developers, and as end users, we need to be aware of these features posing as bugs. Companies’ paramount interest is to generate shareholder profits. Ethics tend to take a backseat to revenues, and it is often up to the individual dev teams to make ethical choices that protect consumers from predatory business practices. As consumers, we have the choice to refuse to engage with those companies, pay for services by ethically sound providers, draw public attention and scrutiny to the bad guys, and protect ourselves against direct attacks. When you have no choice but to use these often rather popular apps, do not use real names or primary email addresses, disable location services, disable background usage, uninstall infrequently used apps between uses, quit Zoom after every meeting, get lens covers, don’t link accounts, check your children’s (and parents’) devices regularly, and continue to educate yourself about the security aspects of programming, even when it’s not your professional area of expertise. We all have an obligation to make the internet the best it can be.

Software Engineer. Creature of Havoc.
