An email banning our staff from using TikTok? Haha, funny story about that, we didn't mean it – Amazon

Amazon today said an internal email banning its staff from using TikTok on smartphones connected to their corporate inboxes was sent in "error." The admission – or climb down, depending on how skeptical you are – came after the memo was obtained and leaked by journalists. The internet giant's IT department sent a note to some …

  1. Anonymous Coward
    Anonymous Coward

    And the initials on the email are "IN".

    No doubt this was from someone in India, who have irrationally banned anything Chinese.

    1. Gene Cash Silver badge

      It's not irrational. TikTok does grab a ton of data.

      "We're proud that tens of millions of Americans turn to TikTok for entertainment"

      Why? That's like saying "We're proud that tens of millions of Americans babble about inconsequential trivia on Twitter" or "We're proud that tens of millions of Americans jerk it to PornHub" - who cares? It's not something to be proud of.

    2. Anonymous Coward
      Anonymous Coward

      Now if only

      Now if only there were an open source text/video chat app that used end-to-end encryption, didn't go through a central server, and maybe even made its communication look like innocuous traffic by piggybacking (steganographically?) on web browsing of arbitrary websites...

  2. Peter Prof Fox

    Wonderful Pythonesque eruption.

    Hey folks. Did you realise that communicating with hundreds or thousands of people may not be 100.000% secure? WHATEVER the reason, it ain't going to be private for long. So on that basis, only the loons or stupids (may overlap) would bring out this sort of thing. An organisation can decide which side of the line it wants to be when communicating with employees:-

    (a) End to single-end encrypted to trusted employees who know what's coming to them if they blab

    or on the other side:

    (b) anything else. (Fred Flob's Fitness Freakout is just as much a risk as China State Snoop-mail.)

    Stop pretending!

  3. macjules Silver badge

    Absolutely terrible!

    Using TikTok is unAmerican: it harvests a ton of data which it then sends back to the evil Chinese empire. Good Americans should use Facebook ... which collects a ton of data and then sells it to the evil Chinese empire.

    1. My other car WAS an IAV Stryker Bronze badge
      Thumb Up

      Re: Absolutely terrible!

      I would upvote you, but the count is at 42 and I wish not to disturb/disrupt Life, the Universe, and Everything. (We've had enough disruption lately.)

      1. TimMaher Bronze badge
        Trollface

        Re: Absolutely terrible!

        Upvote for that @Stryker.

        You could let the votes run to 66, which becomes 42 in hex.

  4. JimPoak

    Viva La Revolution

    It's interesting that many of these organizations who have in the past been fingered for reading the headers (Google) of emails are bitching that someone else is doing what they've been doing for decades. As for gathering intelligence, it's no different from the major databases used to profile their users/victims and exploit them. It always ends the same way: you end up with a database of distorted half-truths and garbage.

    On banning TikTok I suspect it's more to do with what they don't know rather than an identifiable threat. I'm all for social media, exchange of ideas (even if some are flaky) without having to publish a paper on it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Viva La Revolution

      ". As for gathering intelligence it's no difference between the major database used to profile their users/victims and exploit them."

      There is a difference: TikTok has a backdoor and ability to load files from mothership and execute them on command. Not your command but mothership command.

      AFAIK no other 'social media' program has that capability. And then you start to wonder why there is such a capability.

      Or at least you should wonder.

      1. Sandtitz Silver badge
        Stop

        Re: Viva La Revolution @AC

        "There is a difference: TikTok has a backdoor and ability to load files from mothership and execute them on command."

        You've written three very similar posts on this topic now. Please provide a valid reference to this backdoor.

        My feeble search results for "tiktok backdoor" produces a Forbes article with the 'backdoor' in its title (and nowhere in the article) and it refers to several vulnerabilities Checkpoint found earlier this year, with poor POST/GET input validation on their servers, XSS vulns and unvalidated SMS messages. The Checkpoint report doesn't state that these are backdoors and to me they just seem like vulnerabilities made by some sloppy coders with no thought for security.

        "AFAIK no other 'social media' program has that capability."

        I'm pretty sure most applications can contact their mothership and get additional instructions from there. Most of them use POST/GET commands anyway so downloading files and executing them (under the same security context) shouldn't pose a problem.

        1. John Brown (no body) Silver badge

          Re: Viva La Revolution @AC

          "You've written three very similar posts on this topic now. Please provide a valid reference to this backdoor."

          According to the Reddit link in the article, TikTok has the ability to download a zip file from the mothership, extract it and execute an extracted binary file. I didn't read through the links to confirm with any further evidence that might have been presented though. So either the person you are speaking to has done so, or maybe is just basing it on that statement in the initial Reddit post.

  5. b0llchit
    Big Brother

    Pot, kettle and other colourful metaphors

    Alexa, please delete TikTok and install Ring.

  6. chivo243 Silver badge

    Another non-event distracting us

    Talk about mis-direction. Aren't there more important things to worry about besides how people are sharing cat vids and questionable selfies?

    1. Anonymous Coward
      Anonymous Coward

      Re: Another non-event distracting us

      "Talk about mis-direction."

      BS. I see you've no idea what the application can do: It has built-in backdoor and not only that, it can download and execute *any* file, remotely commanded.

      Basically owning your phone completely and silently. Too bad for your bank account or work network, those will be compromised too.

      With Tik Tok your phone is directly owned by CCP. That's kind of major thing to anyone who understands what it means.

      1. Dan 55 Silver badge
        Trollface

        Re: Another non-event distracting us

        Do you mean TikTok has root access so it can silently install and execute anything it downloads from the mothership? Please, do explain more...

        1. doublelayer Silver badge

          Re: Another non-event distracting us

          It wouldn't need root access to be able to do things you wouldn't like. I checked out its Exodus privacy report which shows information about permissions and trackers found in its Android app. That's quite a lot of permissions. Malware given access to those would be able to do lots of things, including making and inspecting network traffic. As with far too many Android apps, this app also requests permissions that don't seem to make any sense (install new packages, for example). From inside that sandbox, you can still do a lot.

          Now, just because this app requests those permissions doesn't necessarily mean that all are granted or that they work. Nor does it mean that there is something malicious using them. I wouldn't be surprised to hear that TikTok does have a mechanism allowing their developers to push arbitrary code and run it. I also wouldn't be surprised to hear that Facebook has a method to push arbitrary code and run it. I already know that Google does have several ways to push arbitrary code and run it. As with any other application, the degree of trust in its developer and usefulness of the features must be taken into account before deciding whether to use it. I wouldn't trust it, but I also have no inclination to use it and there are already hundreds of other companies' apps that I also don't trust.

          1. Dan 55 Silver badge

            Re: Another non-event distracting us

            But it's nothing the app couldn't have done anyway with the permissions given to it by the user.

            1. doublelayer Silver badge

              Re: Another non-event distracting us

              Exactly. That's why trust in the base app is such an important detail. The only relevance to the "pull down arbitrary code" possibility is that someone else could get the code inserted, either by forcing the company to do so, stealing the mechanism, or discovering a vulnerability. The new code would not be released as a potentially detectable update either, making it easier to hide.

              I think the best example of such an issue is the vulnerability discovered in WhatsApp a little under a year ago. Said vulnerability wasn't intentional (unless you are paranoid), and it allowed arbitrary code execution by crafting an invalid video file. That code would not be able to exit the sandbox of the app, but WhatsApp's sandbox is really big so it proved to be a useful exploit, weaponized by at least a couple of groups. If TikTok had a similar mechanism intentionally or through a vuln, it could prove dangerous even if a user trusted the original app. Obviously, I do not know that such a thing exists, but if it did, it would be bad.
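The Exodus report mentioned a few comments up is, for its permissions half, a read of the app's manifest, and that is a check anyone with a decoded APK can repeat. What follows is an added example (not Exodus's code and not TikTok's manifest) that runs the same triage over a constructed manifest: it buckets the requested permissions into runtime prompts, install-time grants that deserve a second look (REQUEST_INSTALL_PACKAGES among them) and the rest, and it also lists the components another app on the same device can invoke without holding any permission, since that exported surface is where the "sloppy coding" class of bugs discussed above tends to live. The permission sets are an illustrative subset, not the platform's full list.

```python
"""Triage the permissions and exported components an Android app declares.

Added example, not from Exodus Privacy or from TikTok's manifest. The manifest
below is constructed; the permission sets are a short illustrative subset of the
platform's protection levels, not a complete list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = f"{{{ANDROID_NS}}}"   # ElementTree attribute prefix, e.g. A + "name"

# Runtime ("dangerous") permissions the user is prompted for on Android 6+.
RUNTIME_PERMISSIONS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Granted at install time, but worth justifying in a consumer video app.
REVIEW_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to sideload APKs",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.GET_ACCOUNTS": "enumerates device accounts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself at boot",
}

# Constructed manifest standing in for one pulled out of a decoded APK.
SAMPLE_MANIFEST = f'''<manifest xmlns:android="{ANDROID_NS}" package="com.example.video">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <receiver android:name=".DeepLinkReceiver">
      <intent-filter><action android:name="com.example.OPEN"/></intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="true"
             android:permission="com.example.video.UPLOAD"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.video.cache"/>
  </application>
</manifest>
'''


def triage(manifest_xml: str) -> dict:
    """Bucket declared permissions and list components reachable by other apps."""
    root = ET.fromstring(manifest_xml)
    requested = [p.get(A + "name") for p in root.iter("uses-permission")]
    report = {
        "runtime": sorted(p for p in requested if p in RUNTIME_PERMISSIONS),
        "review": {p: REVIEW_PERMISSIONS[p] for p in requested if p in REVIEW_PERMISSIONS},
        "other": sorted(p for p in requested
                        if p not in RUNTIME_PERMISSIONS and p not in REVIEW_PERMISSIONS),
        "exported_unprotected": [],
    }
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(A + "exported")
            # Explicit exported="true", or the implicit pre-Android-12 default for a
            # component that declares an intent-filter (providers' own older default
            # is ignored here for brevity).
            implicitly = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicitly) and comp.get(A + "permission") is None:
                report["exported_unprotected"].append((tag, comp.get(A + "name")))
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {items}")
```

The "review" bucket is the one doublelayer's comment is about: nothing in it is a runtime prompt, so the user never sees it, and each entry needs a reason a video app would want it. The exported list is the app's attack surface from other apps on the handset, which is independent of anything the server does.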

      2. Androgynous Cupboard Silver badge

        Re: Another non-event distracting us

        Again, provide a source for your claim or stop posting it. This isn't the Daily Mail, if you're going to make a claim you need to back it up.

        1. Androgynous Cupboard Silver badge

          Re: Another non-event distracting us

          A quick google and I expect our anonymous, paranoid-sounding colleague has been on the reddit forum linked to above. In particular they may have had a read through this research paper: https://penetrum.com/tiktok/Penetrum_TikTok_Security_Analysis_whitepaper.pdf

          I've had a read through. Yes, I can see they harvest a huge amount of information, but it seems to be harvested by a SAAS component from appsflyer, an American company. A bit shit, yes, but also seems a bit rich to point out a chinese company for harvesting data if they're using an american service to do so.

          As for the rest of the research from that paper, I would grade it "poor". They've established that a call is made to Runtime.getRuntime().exec(), but have failed to establish what for. I suspect this is the grounds for the breathless "can download and run ANYTHING !!?!?!" claim. They've also picked out use of the MD5 hash algo as some sort of evidence that Tiktok are cryptographically incompetent, which annoys me - MD5 is fine for general hashing, just not cryptographic hashing. Without analysis of how it's used it's a baseless claim.

          There are a few other areas which are a bit more concerning - a possible SQL injection in particular - but with virtually no analysis beyond what looks like a quick scan through after reverse-compiling, I'm left more concerned about the sorry state of today's reverse engineers than I am about TikTok. The "oooh, China" factor is getting in the way of any useful conclusions.
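The objection just above, that the paper shows a call to Runtime.getRuntime().exec() but never what it is handed, is the right one, and the first pass of that check can be automated. The following is an added example, not code from the Penetrum paper or from TikTok: a small scanner that finds exec() call sites in decompiled Java and sorts each by whether its command is a compile-time constant, a concatenation with a string literal, or a value that arrives from somewhere else. The decompiled source it scans is constructed for the example, standing in for jadx output from a real APK.

```python
"""Triage Runtime.exec() call sites in decompiled Android source.

Added example, not code from the Penetrum paper or from TikTok. It shows the
step the comment above says the paper skipped: looking at what each exec() call
is actually given. The decompiled source below is constructed for the example.
"""
import re

# Constructed decompiled Java, standing in for jadx output of a real APK.
SAMPLE_SOURCE = '''
package com.example.app;

public class ShellHelper {
    void checkRooted() {
        Runtime.getRuntime().exec("which su");
    }
    void logcatDump(String tag) {
        Runtime.getRuntime().exec("logcat -d -s " + tag);
    }
    void runDownloaded(String path) {
        Runtime.getRuntime().exec(path);
    }
    void runArray(String[] argv) {
        Runtime.getRuntime().exec(argv);
    }
}
'''

EXEC_CALL = re.compile(r'Runtime\.getRuntime\(\)\.exec\((?P<arg>[^;]*)\)\s*;')
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')


def classify_arg(arg: str) -> str:
    """Classify an exec() argument expression by how controllable it is."""
    arg = arg.strip()
    if STRING_LITERAL.match(arg):
        return "constant"       # fixed command: audit it by reading the string
    if '"' in arg and '+' in arg:
        return "concatenated"   # literal plus data: trace where the data comes from
    return "variable"           # whole command from elsewhere: trace it to its source


def find_exec_calls(source: str):
    """Return (line_no, argument_text, classification) for each exec() call."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = EXEC_CALL.search(line)
        if m:
            arg = m.group("arg")
            findings.append((line_no, arg.strip(), classify_arg(arg)))
    return findings


def needs_taint_analysis(findings):
    """Call sites whose command is not a compile-time constant."""
    return [f for f in findings if f[2] != "constant"]


if __name__ == "__main__":
    for line_no, arg, kind in find_exec_calls(SAMPLE_SOURCE):
        print(f"line {line_no:3d}  {kind:12s}  exec({arg})")
```

The constant sites can be judged by reading the string ("which su" is the usual root-detection check). Only the other two classes can support a "can run anything" claim, and then only after the value is traced back to its source, whether that is a server response, a file from a downloaded archive, or an intent extra another app can send; a grep that stops at the call site proves neither.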

    2. big_D Silver badge

      Re: Another non-event distracting us

      And these are corporate phones, not the employees' private phones.

      Our company has a very tight policy on what apps are allowed and they have to be approved by the IT department - in fact, the users don't even get the password for the account used to sign up the phones to the Apple/Google store.

      1. Santa from Exeter

        Re: Another non-event distracting us @big_D

        I suspect that it might be exactly the reverse actually. The Article states 'Devices used to access Corporate e-mail'. I reckon that what Amazon are actually saying is that it's fine on a Work Computer, where we control security, but not on your crappy spyware-infested BYOD device.

        1. big_D Silver badge

          Re: Another non-event distracting us @big_D

          Again, here, only corporate devices are allowed to be used to access corporate email.

    3. DrXym Silver badge

      Re: Another non-event distracting us

      Turn the question around and ask yourself why you're compromising your own security and privacy to watch cat vids and selfies.

      And the security threat isn't just to the individual but in aggregate. Look at the way Cambridge Analytica stole data from Facebook (which itself hoovered it up from users) to send targeted ads to a small fraction of people in Leave.EU and Trump's presidential election, enough to swing a vote. Social media has been weaponised and it can undermine democracy.

      It's not hard to envisage how Tiktok could also do this, especially if it was under state control. But in general you are better off not putting social media apps on your phone, or at least denying them permission to limit their damage.

  7. Anonymous Coward
    Anonymous Coward

    "is feared the Chinese government can secretly subvert the stupidly popular software to spy on the West."

    Feared? Software that has capability to fetch zip-files from mothership and run them on command? That's not a fear, it's reality.

    That's literally a backdoor waiting for use.

    1. logicalextreme Bronze badge

      What do you think the "update" function on almost every piece of desktop software does? Your beef appears to be with HTTP itself, or possibly the fact that applications can execute code. I've found both of these features of the modern tech landscape almost indispensable over the past few years.

    2. Brewster's Angle Grinder Silver badge

      And there's a good chance that an app that has unlockable content will, when the content is purchased, download it, unzip it, and start running it.
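The "fetch a zip from the mothership and run it" worry (the Reddit summary quoted further up) and the replies pointing out that every updater and every unlockable-content download does the same thing are describing one mechanism; what separates an update channel from a backdoor is who can authorise a payload, and what the client checks before it runs one. The following is an added example, not code from TikTok or any other app, showing the pattern in its unchecked form beside a checked one. It assumes HMAC-SHA256 with a shared key as a stand-in for a real code signature, because that is in the standard library; a real client verifies an asymmetric signature against a pinned public key so that the device holds nothing a forger could reuse. The payloads are constructed inline.

```python
"""Download-unzip-run: the unchecked pattern beside a checked one.

Added example, not TikTok's or any other app's code. It models the "fetch a zip
from the mothership, extract it, execute a binary" mechanism argued about above.
Assumption: HMAC-SHA256 with a shared key stands in for an asymmetric code
signature (Ed25519/RSA against a pinned public key) to stay within the standard
library; a shared key on the device would be extractable and is not what a real
client should hold.
"""
import hashlib
import hmac
import io
import json
import os
import tempfile
import zipfile

# Constructed key; in a real client the verifier holds only a public key.
PUBLISHER_KEY = b"example-publisher-key-not-for-production"


class PayloadRejected(Exception):
    pass


def build_payload(entries, entrypoint):
    """Publisher side: zip the files plus a manifest naming the entrypoint, then sign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("manifest.json", json.dumps({"entrypoint": entrypoint}))
    archive = buf.getvalue()
    tag = hmac.new(PUBLISHER_KEY, archive, hashlib.sha256).digest()
    return archive, tag


def unsafe_loader(archive, dest):
    """The criticised pattern: no check of who produced the archive; run what arrived."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)
        names = [n for n in zf.namelist() if n != "manifest.json"]
    return os.path.join(dest, names[0])      # path the caller would exec()


def _safe_target(dest, member):
    """Refuse zip-slip entries (../ or absolute paths) before writing anything."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, member))
    if os.path.commonpath([base, target]) != base:
        raise PayloadRejected(f"path escapes destination: {member}")
    return target


def checked_loader(archive, tag, dest):
    """Verify before parsing; unpack only inside dest; run only the manifest's entrypoint."""
    expected = hmac.new(PUBLISHER_KEY, archive, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PayloadRejected("authentication tag mismatch: not from the publisher")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entrypoint = json.loads(zf.read("manifest.json"))["entrypoint"]
        if entrypoint not in zf.namelist():
            raise PayloadRejected("entrypoint missing from archive")
        for member in zf.namelist():
            target = _safe_target(dest, member)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(member))
    return _safe_target(dest, entrypoint)    # the only path the caller may exec()


def demo():
    """Run both loaders over a genuine, a forged and a path-traversal payload."""
    genuine, tag = build_payload({"bin/worker": b"#!/bin/sh\necho hi\n"}, "bin/worker")
    forged, _ = build_payload({"bin/worker": b"#!/bin/sh\necho pwned\n"}, "bin/worker")
    forged_tag = hmac.new(b"attacker-guess", forged, hashlib.sha256).digest()
    # Signed with the real key, so only the path guard stands between it and /outside.
    slip, slip_tag = build_payload({"../outside": b"x"}, "../outside")
    results = {
        "unsafe_runs_forged": unsafe_loader(forged, tempfile.mkdtemp()).endswith("worker"),
        "checked_runs_genuine": checked_loader(genuine, tag, tempfile.mkdtemp()).endswith("worker"),
    }
    for name, (arc, t) in {"forged": (forged, forged_tag), "slip": (slip, slip_tag)}.items():
        try:
            checked_loader(arc, t, tempfile.mkdtemp())
            results[f"checked_rejects_{name}"] = False
        except PayloadRejected:
            results[f"checked_rejects_{name}"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The unchecked loader runs whatever the server, or anyone between the handset and the server, hands it; that is the sense in which an unauthenticated download-and-execute path is a backdoor for whoever controls that endpoint, and the sense in which a signed one is just an updater. The checked loader rejects a forged archive before it parses a byte of it, refuses zip-slip entries even in a correctly signed archive (so a stolen publisher key still cannot write outside the install directory), and hands back only the entrypoint named inside the signed manifest. Python's own ZipFile.extractall already strips ".." components, which Java's ZipInputStream does not, so the explicit path guard is the part an Android loader has to supply itself.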

  8. Winkypop Silver badge
    Coat

    I ate a whole bag of Chinese TikToks

    But I was hungry an hour later

    1. Anonymous Coward
      Anonymous Coward

      Re: I ate a whole bag of Chinese TikToks

      An attempt at humour, I suppose?

  9. Inkey
    Trollface

    Faceless evil

    Who are all the fear mongering AC's ...no really?

    This is the third article I've read this weekend where some AC tard has been making baseless claims about how China are rifling through all our digital comms... with no thought for the children or our democracy and freedoms...

    Do these tards have no faith in our Western intelligence agencies and their contractors... our great and mighty tech giants and established social platforms?...... oh wait, never mind

    1. Phil Kingston

      Re: Faceless evil

      I suspect they spend too much time dismantling SuperMicro mainboards looking for those secret chips to worry about such things.

      1. JCitizen Bronze badge
        FAIL

        Re: Faceless evil

        I doubt they even do that; I think they just try to code around it - unsuccessfully no doubt.

  10. Pascal Monett Silver badge
    Trollface

    Right

    "the US government believes the app, which has been downloaded more than a billion times worldwide, could be commandeered by the Chinese government to snoop on people "

    Totally unacceptable. Only the NSA has the right to snoop on people.

  11. Anonymous Coward
    Anonymous Coward

    "leaked by journalists"

    shurely shome mishtake ...

    Leaked by recipients, published by journalists

  12. Anonymous Coward
    Anonymous Coward

    Some Employees?

    Err, only "some"? Or is some 100%?

  13. big_D Silver badge

    Corporate policy

    What is wrong with banning software on corporate devices? We have very strict policies.

    Our company phones get the approved mail software and a couple of other apps installed, then they are locked down. If we want something like TikTok, we have to install it on our private phones.

    Still it has the advantage that we are supposed to leave our phones at work in the evening, or turn them off, when out of hours.

  14. Piro

    I've never used TikTok, I don't know what it is, and I really don't want to know.

  15. AgentMyth

    Bravo!

    I enjoyed this excellent work:

    Shock TikTok block clocked, unblocked as poppycock amid media aftershock

  16. Captain Scarlet Silver badge
    Mushroom

    Work devices

    Ah good, so it's not only ourselves that have a headache with MDM (Android Zero Touch and DEP my a**e, still slower than pre-BB10 devices to set up).

  17. not.known@this.address Silver badge

    Pot, meet Kettle.

    (Although I should probably stop using that phrase... oh well.) I've lost count of the number of times I have been discussing something - anything - with family or friends and a short time later I start getting adverts for something related to the subject under discussion - or what Amazon *thinks* is related to the subject. Which, when discussing things like epic space battles, Things Man Was Never Meant To Know with their unholy cults, the possibility of ever going overseas on holiday again and whether Jar-Jar Binks' middle name really is "Fu**ing", can result in some entertaining ads popping up!


Biting the hand that feeds IT © 1998–2020