
Twitter and TikTok’s data privacy controversies show the dangers of third-party apps

September 1, 2022


The month of August was devastating for consumer and enterprise confidence in big tech and social media giants. Researchers discovered that TikTok uses keystroke tracking to track every character a user types in its in-app browser, though the company claimed it uses this for troubleshooting. Separately, a whistleblower, Peiter “Mudge” Zatko, Twitter’s former head of security, has alleged that the organization misled its own board, as well as government regulators, about security vulnerabilities.

The allegedly controversial data-handling practices of TikTok and Twitter show that consumers and enterprises cannot afford to implicitly trust social media companies to collect data responsibly and implement adequate security controls to protect it.

Going forward, enterprises need to be more proactive about controlling the use of social media apps on work devices, and not fall into the trap of trusting the security measures of third parties, which could expose sensitive information. 

The data privacy exposure risks created by TikTok

Out of all the revelations emerging about big tech’s management of users’ personal data, TikTok’s suspected use of keystroke tracking or keylogging is perhaps the most shocking. 

This could mean that “anyone using their phone with the TikTok app on it could be exposing username and password data without even realizing it,” said Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct. 

When considering that TikTok has more than one billion users, and 55% of employees are using personal smartphones or laptops for work at least some of the time, there is a significant risk to both enterprise and personal data. 

“When looking at a breakdown of keylogging, it’s extremely easy to find the user and the password. If this is all being offloaded to external servers (which there is no clear understanding who has access to them), who knows that level of access might be readily available within certain companies,” Fulmer said.

For security teams, this means that any employees who have entered usernames and passwords on personal devices with the TikTok app could be putting their online accounts at increased risk of credential theft if a threat actor gains access via one of these external servers. 

What about Twitter’s data protection? 

Over the years, Twitter has received criticism over its ineffective security policies, from failing to prevent President Obama’s account from spreading a Bitcoin scam to a data breach discovered in July 2022 that exposed the data of 5.4 billion users. 

While no company can prevent data breaches entirely, in this latest breach Twitter failed to fix a vulnerability that it had been aware of since January. 

Given the volume of personally identifiable information (PII) Twitter collects, and the fact that users must opt out to ensure their information is not shared with third parties, many risks exist. After all, while the organization can use this information to personalize experiences for users, these expansive data collection policies can backfire dramatically if adequate security controls aren’t in place.

Of course, Twitter isn’t the only social media provider that’s had problems maintaining users’ privacy. Less than two weeks ago, Meta reached a $37.5 million settlement for tracking users’ movements even though they’d turned off location services on their phones, using their IP addresses to determine where they are. 

The writing on the wall is that organizations and users can’t afford to trust companies like Twitter and Meta to put their data protection first. 

“The challenge is not a careless or heartless senior management; they are up against conflicting objectives,” said Jeffrey Breen, chief product officer at Protegrity. “Businesses must use sensitive data to drive growth, but they also are facing an increasingly complex web of legislation to protect that same source of growth. They either lock it up or use it and run the risk that it may be breached.”

How CISOs can mitigate the risks of third-party apps 

Ultimately, any third-party apps used in the workplace increase risk. 

Social media apps are in a particularly high-risk category because it is difficult to quantify precisely what data social media apps are collecting on users, how this data is processed, and whether the provider implements adequate security controls to prevent it from falling into the wrong hands. 

CISOs have a critical role to play in controlling the risks created by social media apps, not only defining the parameters of bring-your-own-device (BYOD) policies and restricting the use of personal devices, but implementing controls to determine which apps are permitted on enterprise devices. 

“The devices utilized by employees need to be much more closely monitored and locked down to prohibit [the] installation of third-party applications which can contain unknown code and processes,” said Brendan Egan, digital marketer, technology and security expert and CEO of Simple SEO Group.

According to Egan, instead of relying on Google, Apple or Microsoft to vet the security of apps listed in their app stores, CISOs will need to take a more proactive role to maintain visibility over which third-party apps are installed on private and enterprise devices. 

After all, with data privacy regulations continuously expanding, organizations can’t afford to trust the data-handling practices of third parties, and must act as if every application is collecting data it shouldn’t be, and even handling it poorly. 

For users, Lorri Janssen-Anessi, director of external cyber assessments at Blue Voyant, discourages the linking of corporate accounts or social media with these applications and encourages use of a VPN to hide geolocation data. She added that carefully reading the end-user license agreement before downloading any new apps is also a best practice to follow. 


