this post was submitted on 09 May 2024
466 points (99.2% liked)

Technology

59219 readers
2836 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Woozythebear@lemmy.world 21 points 6 months ago (3 children)

I'm so glad we banned tik tok so my data doesn't fall in the wrong hands.

[–] xep@kbin.social 28 points 6 months ago (1 children)

I know you're being flippant, but it's worth noting that there is a considerable difference between a company getting hacked like this and an app with unfettered access to the cluster to sensors that we've got in our pockets.

[–] Cavemanfreak@lemm.ee 9 points 6 months ago (2 children)

The thing with tik tok isn't only with the data China can gather from US residents. It's also how they can use that information to influence the populace and send them propaganda, for example influencing the election results.

[–] RagingRobot@lemmy.world 3 points 6 months ago (1 children)

They can also gather information about our politicians who use it and blackmail them to get what they want

[–] Cavemanfreak@lemm.ee 1 points 6 months ago (1 children)

Yep. But I guess it was already banned on government phones right? (not from the US, so I'm not all that up to date....)

[–] RagingRobot@lemmy.world 1 points 6 months ago

Yeah but our politicians have personal phones and computers too

[–] Woozythebear@lemmy.world -2 points 6 months ago (1 children)

Ok, what information could they gather and how would they use that to influence an election?

[–] Cavemanfreak@lemm.ee 7 points 6 months ago (1 children)

The section Methods on the Cambridge Analytica wiki page explains it pretty well. While it's not proven to be able to directly influence voting, it's effective at swaying people's opinions and emotions about subjects.

[–] Woozythebear@lemmy.world -2 points 6 months ago

So it's all bullshit then, got it.

[–] kibiz0r@midwest.social 8 points 6 months ago (1 children)

The ban is a dumb policy, but you’re daft if you think the security implications are at all similar.

TikTok was caught injecting a keylogger into their in-app browser and their response was “Well yeah, but we promise we’re not using it.”

[–] DriftinGrifter@lemmy.blahaj.zone 1 points 6 months ago (1 children)

doesent literraly every website with autocomplete search queries do this?

[–] kibiz0r@midwest.social 5 points 6 months ago (1 children)

No. This is analogous to cross-frame scripting.

So imagine you go to tiktok.com and you click on a link to bestbuy.com/cool-product-i-want-to-buy. But instead of taking you directly to bestbuy.com/cool-product-i-want-to-buy, it keeps you on tiktok.com and just opens an iframe with a keylogger injected into it.

So then when you enter credit card info into the bestbuy.com UI, the tiktok.com JS can see what you typed.

(This scenario is largely impossible these days, due to modern browser security.)

The difference is that if you witnessed this kind of XFS in your desktop browser, you might notice it because the location bar still says tiktok.com, because you never actually left the site. But in a mobile in-app browser, you don't need an iframe. You can inject JS directly into the browser itself, making it invisible to the user. As far as you can tell, you're on regular ol' bestbuy.com, not a modified version of it.

[–] DriftinGrifter@lemmy.blahaj.zone 2 points 6 months ago (1 children)
[–] kibiz0r@midwest.social 4 points 6 months ago* (last edited 6 months ago)

lmao, you asked.

I'm not a security expert, but my tech career has involved a lot of automated testing in weird scenarios, including iframe-based Facebook games and browser-based mobile apps. Automated tests face a lot of the same challenges that a malicious third-party would, so I know a little bit about how to get past them -- or rather, how to deliberately create vulnerabilities (in the dev build of your system) so that your tests can get past them.

Edit: I am curious why someone downvoted me on that one though. I can understand how my comment about the ban being dumb but TikTok also shipping a keylogger could anger people on one side or the other. But just explaining how in-app browsers revive a security problem that's been long-solved in standalone browsers?