
Security of TikTok embeds

magic9mushroom

It appears that QQ now supports TikTok embeds.



TikTok is known Chinese spyware and possibly a Great Cannon of China vector. I am greatly concerned that QQ is embedding active TikTok code on the site. I don't want to have to shut down JavaScript on QQ just to ensure I have zero contact with TikTok's systems (the video autoplayed when I opened the spoiler; I was expecting screenshots or a link).

Discuss/assuage/act/etc.
 
TikTok is known Chinese spyware and possibly a Great Cannon of China vector. I am greatly concerned that QQ is embedding active TikTok code on the site. I don't want to have to shut down JavaScript on QQ just to ensure I have zero contact with TikTok's systems (the video autoplayed when I opened the spoiler; I was expecting screenshots or a link).

Discuss/assuage/act/etc.
No idea about the spyware part, but if you use security extensions like Privacy Badger it auto-blocks the popup on Firefox and Chrome.

Even if I click allow once, Firefox/other extensions block it from loading.
 
It appears that QQ now supports TikTok embeds.



TikTok is known Chinese spyware and possibly a Great Cannon of China vector. I am greatly concerned that QQ is embedding active TikTok code on the site. I don't want to have to shut down JavaScript on QQ just to ensure I have zero contact with TikTok's systems (the video autoplayed when I opened the spoiler; I was expecting screenshots or a link).

Discuss/assuage/act/etc.
To be frank, TikTok isn't any more spyware than YouTube or any other average big tech website. Your data is and has been open for purchase long before TikTok and TikTok probably won't change that. The main reason TikTok has a reputation for spyware is because it's a Chinese company and anti-Chinese sentiment is a very popular political tool regardless of circumstance.

As for the cannon DDoS thing, China doesn't need a vector for that. They just do it. Having a website is a vector for DDoS attacks, because to have a website you have an address which can receive traffic.
 
As for the cannon DDoS thing, China doesn't need a vector for that. They just do it. Having a website is a vector for DDoS attacks, because to have a website you have an address which can receive traffic.
I think you may be misinterpreting what I mean by "vector for the Great Cannon", and ignorant of the full extent of the Great Cannon.

The Great Cannon is the weaponisation of the Chinese internet backbone; certain key nodes are compromised, and will stochastically inject hostile data. This may be a redirect to perform DDoS, but it may also be malware. I am referring to the compromised nodes that inject data as "vectors" for the Great Cannon. I legitimately do not know if TikTok's servers are behaving as such a vector; ByteDance is in deep enough with the CPC (the reason they haven't sold TikTok is because the CPC ordered them not to) that it's plausible, but the Great Cannon vectors I know about are men-in-the-middle (typically Chinese ISPs and such) rather than endpoints.

Due to the Great Cannon, I do not want to touch any website whose servers are physically in Mainland China (due to the Great Cannon vectors in-between me and them), and I do not want to touch any server run by somebody that is known-loyal to the CPC. Any such contact is "run a full virus scan and pray" land for me, and when dealing with nation-state actors one has to pray pretty hard that the virus scan would actually catch it.

And yes, the Five Eyes also do this to some extent, but that's totally unavoidable for someone physically in the Anglosphere (as I am) or accessing a site physically in the Anglosphere (as QQ is), and also is significantly less of a problem since the Equation Group is well-known for avoiding collateral damage if at all possible.
 
Due to the Great Cannon, I do not want to touch any website whose servers are physically in Mainland China (due to the Great Cannon vectors in-between me and them), and I do not want to touch any server run by somebody that is known-loyal to the CPC. Any such contact is "run a full virus scan and pray" land for me, and when dealing with nation-state actors one has to pray pretty hard that the virus scan would actually catch it.
As someone currently studying csec I can tell you upfront that you're being comically paranoid. It's also worth noting that China has a vested interest in not killing its economy by burning any goodwill they have with ISPs globally. And no, visiting a site can't install malware on your PC unless you're running an unupdated copy of Windows Vista or something. Just install a noscript addon on your browser if you're truly worried about it.
 
It's also worth noting that China has a vested interest in not killing its economy by burning any goodwill they have with ISPs globally.
Those incentives turn on their head if the jig's soon to be up anyway (which, on checking the date, isn't actually completely out of the cards right now), and in any case the PRC has a noted pattern of "ignore norms, laugh as Westerners eat their shit in order to get access to the Chinese market".
And no, visiting a site can't install malware on your PC unless you're running an unupdated copy of Windows Vista or something.
I am suspicious of this logic when state-level actors are involved. This is part of why I'm more worried about TikTok than I would be about, say, YouTube (the other part is that, well, Google doesn't have much of a motive to deploy a Great Cannon of its own).
 
Huh.

I had not really realized that the server now supported TikTok embeds. Unfortunately, this functionality comes from an addon that supports a wide variety of media sites, and there isn't an easy way to select them on or off one by one.

I currently rate the probability of malicious software in the TikTok embed as nonzero, but not high enough for ordinary users to bother with. However, for people who estimate it differently, I endorse the use of a blocker addon to turn off the embed client-side. (This is more complicated on mobile, but should still be possible with the right DNS shenanigans.)
 
This thread's OP: "EVIL CHINA WILL NUKE EVERYONE'S COMPUTERS! TIK TOK IS SPYWARE/MALWARE!"

Meanwhile, Murrican corporations are actively installing spyware on people's smartphones so they can use the microphones to listen to your IRL conversations to harvest more data to sell to advertisers :V

https://futurism.com/the-byte/facebook-partner-phones-listening-microphone
In a pitch deck to prospective customers, one of Facebook's alleged marketing partners explained how it listens to users' smartphone microphones and advertises to them accordingly.

As 404 Media reports based on documents leaked to its reporters, the TV and radio news giant Cox Media Group (CMG) claims that its so-called "Active Listening" software uses artificial intelligence to "capture real-time intent data by listening to our conversations."

"Advertisers can pair this voice-data with behavioral data to target in-market consumers," the deck continues.

In the same slideshow, CMG counted Facebook, Google, and Amazon as clients, though it didn't specify whether they were involved in the "Active Listening" service. After 404 reached out to Google about its partnership, the tech giant removed the media group from the site for its "Partners Program."
Together with this latest update to the CMG saga, these stories bolster longstanding suspicions about advertisers using our phones to listen to us.

"We know what you're thinking. Is this even legal?" a since-deleted Cox blog post from November 2023 noted. "It is legal for phones and devices to listen to you. When a new app download or update prompts consumers with a multi-page term of use agreement somewhere in the fine print, Active Listening is often included."

Beyond talking a big game, CMG did not cop to how it acquires its alleged voice data, instead saying only that it can identify users who are "ready-to-buy" and create targeted ad lists based on their interests. For this service, the media group that specializes in hyperlocal news charges $100 per day to target folks in a 10-mile radius, and $200 per day to target those in a 20-mile radius.
Given that the company boasted about it on its public — and still archived — website before anyone began paying attention, however, it seems like it would be pretty hard at this juncture to deny that it was charging for its eavesdropping services.


Users with functioning brains know what the real privacy threat is that they need to worry about and it's not fantasies about China nuking the internet with a DDOS attack or installing shit on your computer through TikTok embeds.
 
I am suspicious of this logic when state-level actors are involved. This is part of why I'm more worried about TikTok than I would be about, say, YouTube (the other part is that, well, Google doesn't have much of a motive to deploy a Great Cannon of its own).
Microsoft and Google already have literally all your possible data, including keystrokes. Are you aware of just how much telemetry data Windows ends up phoning home with? Or Google for that matter? That's how you get leaks like that recent data broker one where over a million social security numbers were leaked because the broker had the passwords in an unsecured zip file visible via page inspection.

Incompetence of companies you've never (and have, for that matter) heard of is a greater threat to your security than a Chinese Boogeyman will ever be, statistically speaking.
 
Microsoft and Google already have literally all your possible data, including keystrokes.
I don't think Google has my keystrokes except for those I've put into Google sites. I'm using Ungoogled Chromium, which has all Google's spyware removed.

Microsoft definitely does; it's not worth the changeover costs for this computer, but the next computer I have will be Linux.
Incompetence of companies you've never (and have, for that matter) heard of is a greater threat to your security than a Chinese Boogeyman will ever be, statistically speaking.
Beyond what I've already noted (i.e. it is currently September 2024), I'm not going to be drawn into a lengthy discussion of world politics on a board that bans politics. I'm hoping I wind up looking the fool, and there's a reasonable chance I do, but I'm not counting on it.
However, for people who estimate it differently, I endorse the use of a blocker addon to turn off the embed client-side.
I'm not really that up-to-speed with addons; could you (or someone else) suggest a decent one for Chrom(ium)?
Users with functioning brains know what the real privacy threat is that they need to worry about
I will note that there can be (and is) more than one privacy threat; that there are problems with X does not mean that there are no problems with Y.

(Also, I have no smartphone and no Facebook. :V)
 
What adblocker should I download, or what do you recommend for mobile? It's been heating my phone up when I opened the videos.
 
I'm not really that up-to-speed with addons; could you (or someone else) suggest a decent one for Chrom(ium)?
Someone up-thread suggested Privacy Badger. I just tried it with uBlock Origin, basically the standard; it doesn't block it by default, but you can add the custom filter:
Code:
||tiktok.com^$3p
Note that uBlock Origin, and maybe others, might have problems in Chrome due to the upcoming Manifest v3 issue. I don't know how or whether that will apply to Ungoogled Chromium.
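
How the filter `||tiktok.com^$3p` from the post above decides what to block, as an added example that is not part of the thread and not uBlock Origin's own code. It models only the hostname anchor and the third-party option, approximates the registrable domain as the last two labels, and uses constructed URLs (`forum.example.org` is hypothetical).

```javascript
// Simplified model of the filter ||tiktok.com^$3p (illustration only).

// Assumption: registrable domain = last two labels. Real blockers consult the
// Public Suffix List so that names like "example.co.uk" are handled correctly.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// "||tiktok.com^": the request hostname must be tiktok.com or a subdomain.
// "||" anchors at a label boundary, so "nottiktok.com" does not match;
// "^" requires a separator next, so "tiktok.com.example.net" does not match.
function hostMatches(hostname, filterDomain) {
  const h = hostname.toLowerCase();
  return h === filterDomain || h.endsWith("." + filterDomain);
}

// "$3p": the filter applies only to requests that are third-party to the page.
function isThirdParty(pageUrl, requestUrl) {
  return registrableDomain(new URL(pageUrl).hostname) !==
         registrableDomain(new URL(requestUrl).hostname);
}

function wouldBlock(pageUrl, requestUrl, filterDomain = "tiktok.com") {
  return hostMatches(new URL(requestUrl).hostname, filterDomain) &&
         isThirdParty(pageUrl, requestUrl);
}

// Constructed sample requests: [page that issues the request, request URL].
const FORUM = "https://forum.example.org/threads/1/";
const SAMPLES = [
  [FORUM, "https://www.tiktok.com/embed.js"],            // embed on a forum page
  [FORUM, "https://tiktok.com/"],                        // bare domain, third-party
  ["https://www.tiktok.com/", "https://www.tiktok.com/api/x"], // first-party visit
  [FORUM, "https://nottiktok.com/x.js"],                 // look-alike suffix
  [FORUM, "https://tiktok.com.example.net/x.js"],        // look-alike prefix
  [FORUM, "https://cdn.example.net/?ref=tiktok.com"],    // domain only in query
];

function evaluateSamples() {
  return SAMPLES.map(([page, request]) => wouldBlock(page, request));
}

for (const [page, request] of SAMPLES) {
  console.log(wouldBlock(page, request) ? "BLOCK" : "allow", request, "from", page);
}
```

The filter only covers hostnames under `tiktok.com`, and because of `$3p` it leaves a direct visit to tiktok.com itself untouched.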
 
Beyond what I've already noted (i.e. it is currently September 2024), I'm not going to be drawn into a lengthy discussion of world politics on a board that bans politics. I'm hoping I wind up looking the fool, and there's a reasonable chance I do, but I'm not counting on it.
I may have come off as a bit hostile; I would like to clarify I don't think you're stupid or foolish for your concerns. I just think you're being a bit more paranoid than is probably warranted. As long as you have a good advert and a good tracker blocker installed you're already gonna be safe from 90% of common internet threats assuming you don't click or download and run anything excessively suspicious.

As for blockers, uBlock Origin plus Ghostery. Ghostery has an adblocker and a tracker blocker, but you can (and should) disable the adblocker to just get the trackers blocked.

What adblocker should I download, or what do you recommend for mobile? It's been heating my phone up when I opened the videos.
I recommend downloading Firefox and just watching videos on there. The mobile version of Firefox supports uBlock.
 
