
For one, the clipboard snooping problem.

If you’re using a password-manager (like we’re supposed to!) and use it to copy passwords (say, your Amazon employee internal credentials...) while you have TikTok open, the TikTok app would see it and could upload it somewhere.

...and we only know about this issue now because iOS 14 adds clipboard snooping notifications - and that was only a month ago! Think about the stuff that the app could be doing that we don’t yet know about.

There’s too many bloody-obvious security vulnerabilities that are decades old but don’t get fixed until they either become a meme (like SQL Injection) or the platform vendor does something about it (iOS 14 clipboard notifications) - and don’t forget that the SIGINT community is sitting on millions of dollars worth of zero-days that they won’t disclose to vendors unless they feel like it - so I fully expect there to be more surprises in TikTok - and other apps - in the years to come - probably indefinitely.




> For one, the clipboard snooping problem. If you’re using a password-manager (like we’re supposed to!) and use it to copy passwords (say, your Amazon employee internal credentials...) while you have TikTok open, the TikTok app would see it and could upload it somewhere.

Your password should never be in your clipboard at least with iOS. If you’re using either the native password manager or a third party password manager, the password manager is directly integrated with the keyboard and would auto fill into your app.

https://techcrunch.com/2018/06/05/password-autofill-in-ios-1...


I use the native password manager–iCloud Keychain. Sometimes I need to copy passwords out of Settings for the handful of circumstances that it doesn't work.


Android does this too. On neither platform does it work 100% of the time, especially in browsers. That's why almost all clipboard managers also have a "copy to clipboard" feature from the autofill view.


It rarely fails for me in the browser, but it fails on me regularly for apps.

The ones that particularly annoy me are the ones that haven't updated to the new Android biometric API versus just supporting the old fingerprint API. I'm looking at you Chase mobile app.


Amazon consistently fails in the browser for me with 1Password + Android.


I’ve never had it not work in the browser.


It's usually a result of the webpage doing stupid stuff to try to explicitly block password managers. There's a lot of banking and government websites that believe this makes things more secure somehow.


Several years ago I tried to register for a website that refused to accept a change of more than one character at a time, using onkeyup and other events to ensure you couldn't fill it in any way other than one letter at a time (fortunately this was only on the asking setup page; it works fine with logging in). After every change in value, it compared the current length to the previous length, and rejected it if the difference was more than one.


It works maybe 90% of the time for me. It seems like a lot of websites don't configure their forms correctly and neither Apple's password manager nor 1pass detect the field as a password field.
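
As an added illustration of the form problems described in the comments above (not code from any commenter), here is a small Node.js check that flags login-form inputs likely to defeat password-manager autofill. The sample markup, the field-name heuristics and the `checkOneCharAtATime` handler name are constructed for the example.

```javascript
// Added example: flag login-form inputs likely to defeat password-manager autofill.
// Regex-based on purpose (no DOM needed); assumes no ">" inside attribute values.
const AUTOFILL_TOKENS = new Set(["username", "email", "current-password", "new-password"]);

// Parse one <input ...> tag into an object keyed by lowercase attribute name.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return findings for one credential-looking input (name heuristics are assumptions).
function auditInput(a) {
  const findings = [];
  const name = (a.name || a.id || "").toLowerCase();
  const type = (a.type || "text").toLowerCase();
  const isPassword = type === "password" || /pass|pwd/.test(name);
  if (!isPassword && !/user|login|email/.test(name)) return findings;
  if (isPassword && type !== "password") findings.push("password field is not type=password");
  const ac = (a.autocomplete || "").toLowerCase();
  if (ac === "off") findings.push("autocomplete=off");
  else if (!ac.split(/\s+/).some((t) => AUTOFILL_TOKENS.has(t))) findings.push("no autofill hint");
  for (const ev of ["onpaste", "onkeyup", "onkeydown", "oninput"]) {
    if (ev in a) findings.push(`inline ${ev} handler may block paste/autofill`);
  }
  return findings;
}

// Audit every <input> in an HTML string; returns { fieldName: [findings] }.
function auditForm(html) {
  const report = {};
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const findings = auditInput(a);
    if (findings.length) report[a.name || a.id || "(unnamed)"] = findings;
  }
  return report;
}

// Constructed sample markup; checkOneCharAtATime is a hypothetical handler name.
const HOSTILE = `<input type="text" name="username" autocomplete="off">
<input type="text" name="passcode" onkeyup="checkOneCharAtATime(this)" onpaste="return false">`;
const FRIENDLY = `<input type="text" name="username" autocomplete="username">
<input type="password" name="password" autocomplete="current-password">`;
console.log(auditForm(HOSTILE), auditForm(FRIENDLY));
```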


Handoff and 1password, for example. Copy a password on your Mac, and now it's on your phone's clipboard.


So, like LinkedIn and Reddit? (the site that the "researcher" behind these NYT-cited claims is using) [1] You could run through the toplist of apps and find hundreds that exhibit the same behavior.

Not trying to derail this via whataboutism, I just feel like the core HN ethos is lost when we mindlessly repeat the obvious geopolitically-driven narrative here without any critical thinking.

What I definitely do understand is Amazon's concerns with just the base level of data collection that's seemingly the norm in our industry. Which prompts the question, why are we comfortable as a society with this sort of collection, by anyone?

[1] https://www.businessinsider.com/apple-ios-14-catches-reddit-...


TikTok specifically has ties to the Chinese state apparatus that are concerning, similarly to Huawei. This isn't a blanket statement about Chinese companies in general - just those companies in particular. Specifically, this means these companies' products are likely to be tools of PRC state intelligence and the PRC's foreign-policy directives. The same cannot be said about other Chinese companies and similarly positioned companies in other countries.

This wouldn't be as big an issue if the PRC was a NATO ally, or at least had a reputation for government transparency and accountability - and wasn't asserting ridiculous territorial claims - and didn't have an egregious human-rights record - and wasn't actively suppressing freedom-of-expression - and so on. Take away a couple of these issues and TikTok's suspicious business conduct over the past few years would be about the same level as scummy American Freemium game makers. I stress that (and despite appearances) I'm trying not to make a Sinophobic argument.

At the same time, I recognize that companies in China need to integrate themselves with the CCP/PLA/etc in order to succeed in that market.


"The same cannot be said about other Chinese companies and similarly positioned companies in other countries. "

What are the other companies? Those that don't pose a threat? Like the ones that only produce cheap toys and clothes? I think as long as the Chinese government remains as independent and "different", anything that comes out of there that really challenges the current status quo would receive criticism similar to yours, regardless of what or how those companies behave. Curious how you recognize that those companies "need to integrate themselves with the CCP/PLA/etc"?


TikTok has been caught slurping data on a level that’s an order of magnitude worse than Facebook, etc. Add its close ties to the enormously corrupt and evil CCP, and I find it easy to see why Westerners are unnerved by the app. Perhaps Tiktok could open-source its tracking library as a token of good faith.


That the others are doing it too doesn't make it right.

Really Apple should take a stand and give all of them 30 days to fix their apps or get banned.

But TikTok annoyed me in particular for a long time. Nothing to do with geopolitics, I already hated it before I knew it was owned by China and everyone started banning it.

It was just that for the past months every time someone forwarded me a stupid video I was supposed to like, it had a TikTok logo on it. So in my view this became the source of "stupid videos people bother me with". Not exactly a charming quality.

Especially with the lockdown it became extra annoying, every day I got multiple stupid lockdown videos and the ones with people doing stupid stuff and then the coffin dancers thing.

So that's my personal reason for hating on TikTok. The privacy revelations just sealed the deal. Not saying it's a valid reason for everybody but it's my reason :P


> It was just that for the past months every time someone forwarded me a stupid video I was supposed to like, it had a TikTok logo on it. So in my view this became the source of "stupid videos people bother me with". Not exactly a charming quality.

This quote comes to mind:

> I used to be with ‘it’, but then they changed what ‘it’ was. Now what I’m with isn’t ‘it’ anymore and what’s ‘it’ seems weird and scary. It’ll happen to you!

https://www.youtube.com/watch?v=LV0wTtiJygY


I never liked TikTok or this kind of random videos or pics people share. No matter where they came from (it used to be a site called "Dumpert" in the Netherlands before which is also on my "highly annoying" list). I'm just too polite to tell them to piss off with their videos :P That's really the core problem here.

But TikTok associates itself by putting their logo on the videos which is something I haven't seen before.


> But TikTok associates itself by putting their logo on the videos which is something I haven't seen before.

It's just content watermarking.

Watermarking is essential to preserve your brand online. I assume you remember eBaumsWorld - and how they put their watermark and footer on all image-content that they rehosted: because those images would appear verbatim in FW:FW:FW... chain emails and shared over AIM,YIM,MSN,IRC, etc.

Back in the day, eBaumsWorld and others were criticized for putting their watermark on content that they rehosted, especially when they didn't own, produce, or commission that content. At least the vast majority of the content on TikTok was directly uploaded to it, and TikTok's watermark includes the username of the relevant account.

Their animated logo is obnoxious and distracting - but when I compare it to the DOGs on American TV news channels it isn't so bad, it's actually unobtrusive in comparison.


> putting their logo on the videos which is something I haven't seen before.

Woooooooorrrrld staaaaaaaar

Also if you ever see a 7 second vertical video, sleep well knowing you just watched a Vine (not really a logo, but association all the same)


> Really Apple should take a stand and give all of them 30 days to fix their apps or get banned.

Thirty days later the show of brinkmanship ends up with a bunch of iPhone users unhappy that half of their favorite apps work.


For Amazon, if TikTok does it, it is state-funded corporate espionage. Amazon is not in a position to sue and win over a Chinese company in China if they copy their IP. If LinkedIn does it and MS launches something copying their tech, Amazon can sure sue in US court and likely win, so they are not concerned at the same level.


https://www.youtube.com/watch?v=pRSWdtoUAjo

Here's a rundown of just general apps that would be on everyone's home screens doing the same thing.


Any word on why those apps do what they're doing? Why copy from messages?



