Serious back-door vulnerabilities found in Tik Tok

TikTok has broken all barriers of popularity, reaching 1.5 billion global users in just over two & a half years. The scale of that growth can be gauged from the fact that the app is available in 150 markets & used in 75 languages worldwide. Even more important is the niche it serves: Generation Z, which uses the app to create short video clips, mostly lip-synced clips of 3 to 15 seconds & short looping videos of 3 to 60 seconds.

Having achieved all these laurels, however, the application has recently come under fire from many quarters over the risks identified within it. The cybersecurity firm Check Point pointed to multiple vulnerabilities that its researchers uncovered. Check Point notified Tik Tok of these security flaws on November 20, 2019, and Tik Tok says it addressed them by December 15, 2019, which Check Point has confirmed. Still, the damage is done.

Problems were brewing for Tik Tok even before the report of these vulnerabilities surfaced. With its strong Chinese connection (the parent company, ByteDance, is based in Beijing), the app was already under intense scrutiny in the United States. Although some considered the decision by American authorities to scrutinize Chinese technology like Tik Tok more of a trade-war by-product, that notion seems to have been quelled by the recent revelations.

“What we’re trying to make sure people understand is that the cyberspace is something that doesn’t just start and end on a sophisticated platform, but that if you’re in cyberspace, even for day to day activity, your data and privacy are at risk.”


~ Oded Vanunu, Lead Researcher, Check Point


The vulnerabilities would have allowed attackers to send TikTok users malicious links via spoofed text messages; once clicked, such a link would hand control of the victim's account to the attacker, including the ability to upload videos or access private videos. Another weakness would have allowed retrieval of users' personal information through the company's website. Summarizing the report, an attacker could do the following:

  • Manipulate content in Tik Tok user accounts
  • Delete videos
  • Upload unauthorized videos
  • Change private videos to public access
  • Reveal personal information such as private email addresses

TikTok has actively denied that it is under the influence of the Chinese government or that it censors material that government dislikes. It has also stated that regional managers around the globe have significant autonomy over decision making & operations. And despite the security flaws being fixed, American lawmakers' concerns about the app's content policies and data practices remained heightened.

In November, a U.S. security panel launched a national security review of ByteDance, and in the same month the U.S. Army began a security assessment of the app, asking its soldiers not to use TikTok while in uniform. This was followed by the Department of Defense urging its employees to delete the app from their mobile devices; the very next day the Navy banned the app, with the Army following suit on December 30.

Apps like TikTok, which are chasing aggressive growth, pay less attention to testing for security vulnerabilities & more to adding user-friendly features. This gives hackers ample opportunity to target services that have not been properly tested against real-world attacks. And with the majority of the app's users being young and less mindful of security, it creates a major problem.

Keep in mind that TikTok was fined $5.7 million in February 2019 for illegally collecting personal information from minors, and is also under investigation by the British Information Commissioner's Office to determine whether it violated European data privacy laws.


Translated from: https://medium.com/technicity/serious-back-door-vulnerabilities-spotted-in-tik-tok-e717167a1b80
