By partnering with the popular Chinese video-sharing platform TikTok, Oracle will inherit a laundry list of security and privacy issues once the deal is approved by TikTok parent company ByteDance, possibly as soon as Sept. 20.
TikTok boasts 100 million users in the U.S. and 689 million globally.
Earlier this year President Trump threatened to ban TikTok, which some observers viewed as his way of seeking leverage in ongoing U.S./China trade war tensions. It came as no surprise the president endorsed Oracle (rather than interested suitor Microsoft). Company founder Larry Ellison is a major Trump fundraiser while CEO Safra Catz worked on the 2016 presidential transition team.
One area where security experts and Trump seem to agree is that TikTok is widely unsafe, with the president insisting in an Aug. 6 executive order that the app poses an economic and national security threat to U.S. interests.
“The TikTok deal appears to be more about politics than actual economic advantage, nor does it appear to have been a real threat to national security,” commented Joseph Carson, chief security scientist and advisory CISO at Thycotic. “This deal places Oracle into the mix of large social media technology providers, which will now put Oracle to the test about accountability and responsibility, whereas Facebook, Twitter, Google, Microsoft and Apple have always been the target of ethical responsibility.”
Carson added that the deal will test whether Oracle is in favor of security and privacy or is in pursuit of pure economic advantages.
Among TikTok’s questionable security practices are the use of HTTP rather than HTTPS to maximize data transfers, and GPS tracking. In December 2019, Check Point researchers discovered numerous TikTok vulnerabilities, including giving attackers the ability to upload or delete videos from user accounts and obtain personal information. According to a published report, TikTok said it resolved those issues.
“I suspect personal data can still be collected,” said Mark Ostrowski, Check Point’s head of engineering, U.S. East. On the other hand, after his company pointed out the security problems to TikTok, coupled with other scrutiny, it’s possible its user data may be more secure than before.
In regards to the safety of any social media platform, Ostrowski said users should be keenly aware of what type of data, trending and information could be gathered, and whether it’s acceptable on an individual basis.
“The fear is that the information in TikTok could provide more details than intended about people’s whereabouts or what they are up to,” commented Chris Morales, head of security analytics at Vectra. “So really, it is data privacy and who has access to the data.” The key, he added, is who has access to that data.
Noting TikTok’s “infamous reputation” for security and privacy violations, Chris DeRamus, vice president of technology, DivvyCloud by Rapid7, suggested that Oracle map its new infrastructure before the deal is finalized in order to safely integrate TikTok into its cloud environment.
“This means having a clear and comprehensive view of every piece of infrastructure within its ecosystem in order to identify all key security considerations,” DeRamus said.
Once Oracle and TikTok join forces, TikTok’s employees will need access to Oracle’s larger database, and vice versa, he noted.
“This means IT teams will need to ensure the proper access is granted to the proper individuals or teams,” DeRamus said. “Unfortunately, the complexity of the cloud infrastructure and cloud provider IAM (Identity and Access Management) tools makes it exceptionally challenging to determine who – or what – has access to a cloud resource.”
Hank Schless, senior manager, security solutions at Lookout, noted that Oracle’s integration of TikTok could attract malicious actors. “An overhaul of TikTok’s security and privacy practices could create a temporary state of vulnerability with the app,” he said, advising that in order to mitigate the risk of in-app compromise, developers should work with security teams to build security into the app to prevent exploitation at run time.
“Organizations that have employees with TikTok on their smartphone should make sure employee mobile devices are properly secured from mobile phishing and app-based threats. As we saw with Twitter, phone spear phishing of company employees led to a very high-profile cyberattack in which the attacker was able to gain access to admin accounts with privileged access to back-end infrastructure.”