There isn’t a lot of talk about TikTok among peers in the infosec community. The platform is something of a joke to many in the security world, for a number of reasons. The truth is that it’s gaining popularity and may be here to stay, so from a security and privacy perspective we need to acknowledge it and give it the attention it deserves.
If you’re reading this blog, it’s unlikely that you’ve never heard of TikTok. It made world news when former President Donald Trump ordered China’s ByteDance (TikTok’s parent company) to divest ownership of the application and threatened to shut down its U.S. operations by executive action. As with most threats Trump made during those short, nightmarish four years, there were likely hidden reasons that benefited himself or his close friends. Regardless of Trump’s rationale, TikTok was owned by a Chinese business, and Chinese law can compel such a business to hand its data over to the Chinese government. Security researchers who looked found that TikTok was collecting an “unusually large” amount of data on its users.
After some legal back and forth, and bids from Oracle and Microsoft, Oracle ended up purchasing 12% of TikTok, because ByteDance was unwilling to hand over its algorithm to Microsoft as part of the deal. So a small chunk of TikTok stock belongs to the US-based company Oracle, and that was enough to make the politicians happy. Note that Oracle also appears to hold small stakes in Canada and other countries, but I couldn’t find the exact percentages or whether the 12% covers everything that isn’t China.
Read more at CNBC TikTok Deal Splits Control Between US and Chinese Owners
TikTok itself has grown at blazing speed and is catching up fast to the big boys of social media: Facebook, YouTube, and Twitter. This was made possible by the isolation brought on by the Covid-19 pandemic (given our basic need for society) and the free publicity courtesy of our former US President.
PS. My favorite word for 2021 is “Former”
So what is TikTok exactly and how is it different?
If you remember Vine from the mid 2010s, then TikTok is a version of Vine with a few added features pulled from Twitch and other social media platforms. The TikTok app works much like the Vine app did, with quick 15 to 60 second videos delivered in an endless scroll. The differences (from what I can tell) are the editing interface and the live streams. Live is a big part of TikTok, with the usual scrolling chat that lets viewers interact with the creator and send gifts, similar to Twitch. Many popular creators have multiple moderators to help manage the live chat, and the chat has a word filter that blocks chosen words. For example, creators showing how to make health foods or drinks might filter “poop” to prevent viewers from saying “that looks like poop.”
TikTok’s definition depends greatly on whom you ask. The security world, and those who have reverse engineered the app, say “TikTok is a data collection service that is thinly veiled as a social media network” (Guy who Reverse Engineered TikTok on boredpanda.com). But if you ask regular to heavy users, it’s a God-send. Social media fundamentally provides social interaction with people you would normally have no contact with. For people who are too busy for events in their community, who work from home, or who just don’t feel like they fit in where they are, social media can be a lifesaver. It’s our need to belong to something and to have relationships. It’s probably something I personally need to do more of. That’s why I believe it’s important to look at these platforms very closely and protect the users that make up the network.
What I’ve learned from TikTok:
If you are male, TikTok’s algorithm will serve you mostly videos by female creators. If you are female, you will be served mostly videos by male creators. Their algorithm also gives lower priority to videos from LGBTQ creators and creators with obesity, among others. Very little control is given in the web interface (as opposed to the mobile app). For instance, to change certain profile settings you must use the mobile app, because no option for them exists in the web browser. After all, a mobile app can pull far more data off your device than a website can, and can do so more quietly.
When I first joined TikTok, I immediately believed that it was almost entirely female creators, because female creators made up 80% of what TikTok served me. This would be preferable for someone in their 20s and not married, but I was suspicious. I learned that the results were the opposite when using a fake female account. My feed and search results as a female user were noticeably different, showing far more videos by male creators.
To test the male vs. female claim, I did a very simple search using my male account, a search that is normally guaranteed to have a high male to female ratio: I searched “infosec”. The first few results were mostly female, with a few thumbnails that didn’t show anyone. As I scrolled, I slowly started to see more videos from male creators. To be fair, there aren’t a lot of infosec people on TikTok. Most of my results were copies of previous results.

These results wouldn’t be expected on any platform. Hopefully there will one day be an equal gender ratio in the information security world, but it’s widely recognized that there are currently more men in infosec.
Shout out to all the women in the security world! We need more of you and what you’re able to bring to the table.
The TikTok Culture
Those of us who are older millennials remember the internet of the late 90s and early 2000s. In those days, you didn’t use your real name, you never posted a picture of yourself publicly, and you never gave out personal information or credit card numbers. It was a time when prime-time TV included catching online child predators (which we need now more than ever) and movies like “The Net”. The internet was unknown and scary back then. We had chats and tight communities and friendships without ever needing to know each other’s real names or appearance. You always wondered, and in time people would share that info, but the magic of it was that your friends liked you for you, and not for what you looked like, where you came from, or who your friends and family were. a/s/l? Most people asked, but few responses were honest.
On TikTok, this kind of thinking is taboo. If you set up an account pretending to be something you aren’t, people find that suspicious. It mirrors a larger paradigm shift in online culture that started with Facebook (which I won’t get into here). On TikTok, you are expected to be everything you are in real life and more. It attempts to be more personal than YouTube, while its content remains very public. This is partly due to the platform preferring mobile phones over traditional PCs, but also because of the short video length: your videos can be 15 seconds or 60 seconds.
TikTok turned its live feature into an achievement. How do you unlock it? Popularity. 1,000 followers are required to get the “Live” option.
DigitalTrends.com writes:
“A TikTok user must have at least 1,000 followers to even see the live stream option on the platform, for example. Even after you hit 1,000 followers, it could still take several days before the live stream button appears.”
The Monetary benefits for creators:
Why is it important to go live? Two reasons: live streams can be longer than 60 seconds, and followers can send the streamer “Gifts” only during a live stream. Here’s how gifts work:
1. A user must purchase “Coins”. Coins are the only monetary purchase that can be made.
2. Once a user has Coins, they can click the “Gift” icon in a live video.
3. The gift is then credited to the creator’s account and converted into “Diamonds”.
4. Diamonds can then be cashed out, but the creator receives only about 50% (sometimes less) of the original Coins’ value. TikTok keeps the rest.
This information and much more can be found on this site: Alpha.com: How Much are TikTok Gift Points Worth?
Coins, Gifts, and Diamonds are complicated, possibly by design, and their value depends on the nation’s currency and its exchange rate. Best estimates put a Diamond at around $0.05 USD. Coins purchased in bulk cost around $0.015, or 1.5 cents, each, but Gifts start at 5 Coins, so multiple gifts are needed to accumulate Diamonds. Like I said, complicated.
In my opinion, it would be very hard to make a living on TikTok without a secondary source of income. That may range from music sales, to alternative advertising within videos, to using TikTok as a secondary platform alongside YouTube. However, there are creators who claim they can make a few thousand dollars per live stream, and a few are able to make a living on those earnings.
Friends versus Followers
This topic is honestly a little complicated too. To add a friend, you must follow that person and they must follow you back. If you have content that only friends can see, then this mutual follow must take place; one cannot see friends-only content by being a follower alone.
With that said, the downside is that restricting content to friends slows follower growth, so it takes longer to unlock live video and even longer to receive any gifts (or make a profit).
The Privacy issues of TikTok on it’s surface
With what we already know about TikTok’s data collection, there’s no way I would use it without a VPN, and I wouldn’t recommend using it on a mobile device that isn’t a burner phone or hasn’t been hardened beforehand. Let’s put it this way: if you have information on your phone that you wouldn’t want other people to have, you shouldn’t use this app. Right off the bat, the app requests access to your contact list, other social media accounts, phone number, camera, microphone, and local (home) network. As if that wasn’t bad enough, well, don’t take my word for it. Here’s more from boredpanda.com, from someone with 15 years of experience who reverse engineered the app:
To be fair, that post is from almost a year ago. Let’s add a few things I’ve seen recently. I haven’t had a chance to attempt reverse engineering the app myself, but maybe soon.
Uploaded videos are public by default. You must specifically set a video to “friends only” or “only me”.
The gifts and monetary exchange are sketchy at best. TikTok provides little information on actual numbers. The money TikTok itself makes from gifts isn’t enough to support the platform, so it’s a fair bet that much of ByteDance’s revenue comes from monetizing that user data, and some nation-state funding can’t be ruled out.
The platform and its culture put a lot of emphasis on the individual and on personal information. The vast majority of TikTok’s videos are self videos, and what people do in those videos will remain online indefinitely, possibly through one of the several archiving projects that collect TikTok videos and republish them publicly. See this reddit thread for the discussion on archiving TikTok videos so that they can be viewed without a TikTok account: https://www.reddit.com/r/Archiveteam/comments/hr3zsm/lets_archive_tiktok/
This is not a new concept; even Angelfire and GeoCities pages have been resurrected recently, bringing back websites created up to 30 years ago. And there are bigger projects, such as the Wayback Machine.
Point being, what you do online will always be there, in one form or another. It can be viewed by potential employers, schools, and future friends and in-laws. I predict there will be a lot of social media accounts pulled out of the void in future Presidential elections.
https://tik.fail/browse is another TikTok video archive, which appears to be on hold due to API changes.
I will add more archive links as they become available.
To the TikTok community:
I can’t stress this enough: I’m not targeting TikTok users in this post. I know many, and they are great people. A lot of great friendships have been made on this platform, and it’s giving potential stars a chance to shine. I love the people that make up TikTok. Most of them, anyway. There are some blatant child predators I’ve come across, and I have no respect for that kind of scum. Maybe that’s a blog post for another day, because I would love nothing more than to expose people who manipulate and hurt children. So stay tuned…
…But to the average user on TikTok, if you have to be there, please consider doing it this way:
Use a web browser on a PC in private/incognito mode, behind a VPN. Brave is a great privacy-focused browser built on Chromium, with a built-in ad blocker and other features. It wouldn’t hurt to do it within a clean virtual machine, the same safeguard we use to reverse engineer malware, because that’s basically what you’re using. Keep in mind that private mode only stops the browser from keeping history and cookies on disk; once you log in, TikTok knows exactly who you are, so it’s the VM and the VPN that limit what it can learn about your device and your network.
If you must use it on a mobile phone, purchase a prepaid smartphone from Walmart and add a VPN such as Private Internet Access (PIA), but do not add your email address or any other accounts or apps to that phone. Set your normal phone up as a WiFi hotspot and connect the TikTok phone to it, with the VPN enabled on the TikTok phone. This lets you use the same data plan, but in a safer way: the burner’s traffic still leaves through your normal phone’s carrier connection, so the VPN on the burner is what keeps TikTok from seeing that connection’s IP address.
I would have suggested using the Tor Browser, which does all of that for you. However, when I tried to browse TikTok in Tor, the screen became distorted and it was impossible to click anything. This occurred on the two highest security levels. This is partly due to the restrictions on scripts running in Tor Browser, but TikTok also seems to have safeguards that prevent a hardened browser like Tor from working correctly.
More things to consider: the US military does not allow TikTok on its networks, and neither do many Federal agencies, large enterprises, and defense networks. Supposedly, the parent company ByteDance also does not allow TikTok on its own network, although this isn’t verified and I assume there are some details left out of that claim.
If this blog post doesn’t scare you, then check back. I’m going to be making a blog post that will explain to people why privacy matters, and why businesses want you to believe privacy is dead.
If you are the victim of an internet stalker, then visit this link, or call the number below:
National Center for Victims of Crime
1-855-4-VICTIM (1-855-484-2846)
For information on how to report Child Sex Trafficking, Pornography, Sexual Abuse or kidnapping, visit this page on the Department of Justice’s website:
https://www.justice.gov/criminal-ceos/report-violations
Or call your local law enforcement.