The data privacy controversies of Twitter and TikTok show the dangers of third-party apps

The month of August was devastating for consumer and business confidence in major tech and social media giants. Researchers found that TikTok uses follow keystroke [subscription required] to track every character a user types in their in-app browser. Although the company claimed that it uses this for troubleshooting. Separately, a whistleblowerPeiter “Mudge” Zatko, Twitter’s former head of security, has alleged that the organization misled its own board, as well as government regulators, about security vulnerabilities.

The allegedly controversial data processing practices of TikTok and Twitter shed light on how consumers and businesses cannot afford to implicitly trust social media companies to collect data responsibly and implement adequate security controls to protect it.

Going forward, companies should be more proactive in monitoring social media app usage on work devices, and not fall into the trap of relying on third-party security measures that can expose sensitive information.

The risks of data privacy exposure created by TikTok

Of all the revelations that have come out about the management of users’ personal data by major techies, TikTok’s suspected use of keystrokes or keylogging is perhaps the most shocking.

This could mean that “anyone using their phone with the TikTok app on it could reveal username and password information without even realizing it,” said Matthew Fulmer, manager of cyber intelligence engineering at deep instinct.

When you consider that TikTok has more than one billion users, and 55% of employees use personal smartphones or laptops for work, at least some of the time, there is significant risk to both business and personal data.

“If you look at an overview of keylogging, it’s extremely easy to find the user and password. If all of this is handed over to remote servers (of which there is no clear understanding of who has access to them), who knows, that level of access may be readily available within certain companies,” Fulmer said.

For security teams, this means that employees who have entered usernames and passwords on personal devices using the TikTok app could put their online accounts at increased risk of credential theft if a threat actor gains access through one of these remote servers.

What about Twitter’s data protection?

Over the years, Twitter has come under criticism for its ineffective security policies, as it failed to prevent President Obama’s account from spreading. Bitcoin scam to a data leak discovered in July 2022 that exposed the data of 5.4 billion users.

While no company can completely prevent data breaches, in this latest breach, Twitter failed to fix a vulnerability that it had been aware of since January.

Considering the amount of Personally Identifiable Information (PII) that Twitter collects, and the fact that users are required to opt out to ensure their information is not shared with third parties, there are many risks. After all, while the organization can use this information to personalize experiences for users, these extensive data collection policies can backfire dramatically if adequate security controls are not in place.

Of course, Twitter isn’t the only social media provider that has had problems maintaining user privacy. Less than two weeks ago, meta reached a $37.5 million settlement for tracking users’ movements, even though they disabled location services on their phones and used their IP addresses to determine where they are.

The writing on the wall is that organizations and users cannot afford to trust companies like Twitter and Meta to put their data protection first.

“The challenge is not careless or callous senior management; they face conflicting objectives,” said Jeffrey Breen, chief product officer at protection. “Companies must use sensitive data to drive growth, but they also face an increasingly complex web of legislation to protect that same source of growth. They lock it up or use it and run the risk of it being violated.”

How CISOs Can Mitigate the Risks of Third-Party Apps

Ultimately, all third-party apps used in the workplace increase the risk.

Social media apps fall into a particularly risky category because it’s difficult to quantify exactly what data social media apps collect about users, how that data is processed, and whether the provider implements adequate security controls to prevent it from falling into the wrong hands.

CISOs play a critical role in managing the risks posed by social media apps, not only by defining the parameters of bring-your-own-device (BYOD) policies and limiting the use of personal devices, but also by implementing controls to determine which apps are allowed on corporate devices.

“The devices used by employees should be much more closely monitored and locked to ban [the] installation of third-party applications that may contain unknown code and processes,” said Brendan Egan, digital marketer, technology and security expert and CEO of Simple SEO Group.

According to Egan, instead of relying on Google, Apple or Microsoft to protect apps listed in their app stores, CISOs should take a more proactive role in seeing which third-party apps are installed on private and corporate devices. . .

As data privacy regulations are constantly increasing, organizations cannot afford to trust the data processing practices of third parties and must act as if each application is collecting data that it should not, and even handle poorly.

For users, Lorri Janssen-Anessi, director of external cyber assessments at Blue Voyager, discourages linking company accounts or social media to these applications and encourages the use of a VPN to hide geolocation data. She added that it is also a best practice to read the end-user license agreement carefully before downloading any new apps.