
Amazon says email banning TikTok from employee phones was ‘sent in error’ - danso
https://twitter.com/scotthickle/status/1281631749533990914
======
danso
Note: since this tweet/submission, some outlets have written stories about
this:

[https://www.theverge.com/2020/7/10/21320196/amazon-employees...](https://www.theverge.com/2020/7/10/21320196/amazon-employees-tiktok-uninstall-email-trump-administration-pompeo-ban)

[https://www.nytimes.com/2020/07/10/technology/tiktok-amazon-...](https://www.nytimes.com/2020/07/10/technology/tiktok-amazon-security-risk.html)

~~~
ehsankia
I'm curious, are these

1. Devices owned by Amazon, for work

2. Personal devices with the amazon email added directly

3. Personal devices with amazon email added on Work profile

Could not find this info in the articles or tweet.

~~~
nvr219
They're devices that are under Amazon's MDM. So if the device was enrolled
with their MDM then it applies.

~~~
ehsankia
Right, but on Android at least, you can either have the whole device be under
MDM (#2) or just a work profile (#3). In the latter, if your sysadmin decides
to wipe your device, it only wipes your Work profile and not your entire
phone, from my understanding. Is that not correct?

My assumption was that any apps installed on the personal partition were off
limits for the MDM.

~~~
bonzini
They might still require you to comply voluntarily (and be on your own if you
lie).

------
melling
The email sent to Amazon employees was a mistake.

[https://variety.com/2020/digital/news/amazon-bans-tiktok-emp...](https://variety.com/2020/digital/news/amazon-bans-tiktok-employee-security-risk-1234703472/)

~~~
GekkePrutser
Someone goes through all the trouble of typing that explicit email and it's a
mistake?

Sounds more like 'pulled after huge feedback'.

Though personally I'd agree with this decision. TikTok seems to be a
particularly bad apple:
[https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...](https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/fmuko1m/)

~~~
che_shirecat
I keep seeing that Reddit thread linked (even the NYT is citing it now?) but
still cannot for the life of me figure out what substantially TikTok does that
is a concern compared to other popular apps? The guy has like 10 paragraphs of
stories but no actual evidence? What is TikTok doing that somehow is flying
under the app store guidelines of both Google and Apple but still a "national
security concern"? Why is the only actual "evidence" that can seemingly be
found, a comment from some rando on Reddit, not peer-reviewed, reproducible
work from legit cybersecurity researchers? This reeks of the same scent that
Bloomberg's "omg they're hackz0ring our chips!" story gave off.

~~~
DaiPlusPlus
For one, the clipboard snooping problem.

If you’re using a password-manager (like we’re supposed to!) and use it to
copy passwords (say, your Amazon employee internal credentials...) while you
have TikTok open, the TikTok app would see it and could upload it somewhere.

...and we only know about this issue now because iOS 14 adds clipboard
snooping notifications - and that was only a month ago! Think about the stuff
that the app could be doing that we _don’t_ yet know about.

There’s too many bloody-obvious security vulnerabilities that are decades old
but don’t get fixed until they either become a meme (like SQL Injection) or
the platform vendor does something about it (iOS 14 clipboard notifications) -
and don’t forget that the SIGINT community is sitting on millions of dollars
worth of zero-days that they won’t disclose to vendors unless they feel like
it - so I fully expect there to be more surprises in TikTok - and other apps -
in the years to come - probably indefinitely.

~~~
scarface74
_For one, the clipboard snooping problem. If you’re using a password-manager
(like we’re supposed to!) and use it to copy passwords (say, your Amazon
employee internal credentials...) while you have TikTok open, the TikTok app
would see it and could upload it somewhere._

Your password should never be in your clipboard at least with iOS. If you’re
using either the native password manager or a third party password manager,
the password manager is directly integrated with the keyboard and would auto
fill into your app.

[https://techcrunch.com/2018/06/05/password-autofill-in-ios-1...](https://techcrunch.com/2018/06/05/password-autofill-in-ios-12-will-work-with-third-party-password-managers/)

~~~
johnmaguire2013
Android does this too. On neither platform does it work 100% of the time,
especially in browsers. That's why almost all clipboard managers also have a
"copy to clipboard" feature from the autofill view.

~~~
scarface74
I’ve never had it not work in the browser.

~~~
simcop2387
It's usually a result of the webpage doing stupid stuff to try to explicitly
block password managers. There's a lot of banking and government websites that
believe this makes things more secure somehow.

------
xendo
For context, as an Amazon employee I’m not required to access email from
my mobile. The only app that I need to have is the virtual pager and it doesn’t
require allowing Amazon to administer my phone. Physical pagers are also an
option.

~~~
Multicomp
TLDR ooh Amazon has pagers, I wonder how?

Are there any pager networks left in the US? I've always been interested in
them out of historical curiosity because I was too young to use them when they
were actually a thing, but from what I understood, pagers are pretty much not
a thing anymore.

~~~
Nbox9
I wouldn’t expect a modern pager to operate on the same technology as older
pagers. Pagers are a thing and they have their uses. I’ve heard of a physical
pager being used to symbolize who is “on call”, and a team of engineers will
pass the pager between themselves. I’ve seen restaurants pass out pagers to
people waiting for tables. I’ve heard talk about some medical/emergency
personnel still using pagers.

I imagine pagers are probably used in highly secure communications (military,
statecraft), because the thing being paged doesn’t have to give away its
location, or even the fact that it received the message.

~~~
kitteh
Yes, modern pagers do operate on the same tech (POCSAG/FLEX) as for the last few
decades. And for the most part, are clear text. There are posts on HN about
this in the last year.

------
bigtones
Jeff Bezos, Amazon CEO, got his phone hacked and embarrassing text messages
stolen off it from a vulnerability in the video parsing library in WhatsApp in
a message sent to him by Saudi Crown Prince Mohammed bin Salman in 2018. So
Amazon as a company is now very sensitive to what applications are installed
on staff devices and how data on those devices can be extracted from
vulnerabilities in other installed apps. This may be an outcome of that.

[https://www.businessinsider.com/jeff-bezos-phone-hacked-saud...](https://www.businessinsider.com/jeff-bezos-phone-hacked-saudi-crown-prince-mbs-whatsapp-report-2020-1)

~~~
RavlaAlvar
Does anyone have any technical detail of that story? It is hard to imagine how
a bug in the image parsing library can be utilised to steal text messages.

~~~
bigtones
Sure, the blog post below covers it, and the vulnerability was probably
CVE-2019-11931. You can do an awful lot with a buffer overflow if you're
clever.

[https://www.okta.com/blog/2020/04/what-the-jeff-bezos-whatsa...](https://www.okta.com/blog/2020/04/what-the-jeff-bezos-whatsapp-hack-means-for-app-security/)

~~~
sevencolors
Does anyone have an "explain it like I'm 5 but took some CS classes back in
college"?

I know that if you craft your buffer overflow just right it will overwrite
other parts of memory with the new function.

But how do you know what parts will get overwritten?

Does that mean the new function can do almost anything?

~~~
jsf01
With a buffer overflow, you can write your own code into a chunk of memory
that ends up being run by the application. In this case, since WhatsApp
already had SMS read privileges as part of the signup auth flow, the attacker
also had those privileges.

The article has some detail about the remote code execution part of this
exploit.

“What this means is that there was a software flaw in the WhatsApp code for
handling MP4 media files. If an attacker triggered the flaw, the function in
question would crash in a way that could allow a potential attacker to gain
“RCE” or Remote Code Execution.

In layman's terms, this means the attacker could inject his own code into the
application and, by triggering the flaw, make the application to run with all
the privileges and access of the WhatsApp application itself.”

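The "software flaw in the code for handling media files" that the quoted article describes is, in the most common form, a length field taken from the message itself and used as a copy size without checking it. The block below is an added illustration of that bug class and its fix; it is not code from any commenter, from the Okta post, or from WhatsApp, and it uses a made-up box layout (4-byte big-endian length, then payload), not the real MP4 format. The names `parse_box_unchecked`, `parse_box_checked`, `PAYLOAD_CAP` and the sample inputs are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "box" layout for illustration only (not the real MP4 format):
 * a 4-byte big-endian payload length followed by that many payload bytes.
 * PAYLOAD_CAP is the fixed size of the caller's destination buffer. */
#define PAYLOAD_CAP 16

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Defective version: the length field comes from the sender of the message,
 * yet it is used as the copy size without comparing it against either the
 * destination capacity or the number of bytes actually present in the input.
 * A large value writes past `out` and reads past `buf`. It is shown only so
 * the missing checks are visible; call it with well-formed input only. */
int parse_box_unchecked(const uint8_t *buf, size_t buf_len, uint8_t out[PAYLOAD_CAP]) {
    if (buf_len < 4) return -1;          /* not even a full header */
    uint32_t n = read_be32(buf);
    memcpy(out, buf + 4, n);             /* BUG: n is sender-controlled */
    return (int)n;
}

/* Hardened version: validate the declared length against both bounds before
 * touching memory, and return a distinct code per failed check so the caller
 * can log which one tripped (malformed media is worth an alert). */
int parse_box_checked(const uint8_t *buf, size_t buf_len, uint8_t out[PAYLOAD_CAP]) {
    if (buf_len < 4) return -1;          /* not even a full header */
    uint32_t n = read_be32(buf);
    if (n > PAYLOAD_CAP) return -2;      /* would write past `out` */
    if (n > buf_len - 4) return -3;      /* would read past `buf` */
    memcpy(out, buf + 4, n);
    return (int)n;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]  = {0, 0, 0, 4, 'a', 'b', 'c', 'd'};           /* len 4, 4 bytes present  */
static const uint8_t SAMPLE_HUGE[]  = {0x7f, 0xff, 0xff, 0xff, 'a', 'b', 'c', 'd'}; /* len 2 GiB, 4 bytes present */
static const uint8_t SAMPLE_TRUNC[] = {0, 0, 0, 10, 'a', 'b', 'c', 'd'};          /* len 10 fits out[], only 4 present */

int main(void) {
    uint8_t out[PAYLOAD_CAP];
    printf("good : %d\n", parse_box_checked(SAMPLE_GOOD,  sizeof SAMPLE_GOOD,  out)); /* 4  */
    printf("huge : %d\n", parse_box_checked(SAMPLE_HUGE,  sizeof SAMPLE_HUGE,  out)); /* -2 */
    printf("trunc: %d\n", parse_box_checked(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, out)); /* -3 */
    return 0;
}
```

The two checks in `parse_box_checked` are the whole difference: the first protects the destination (the write that corrupts the stack or heap), the second protects the source (the over-read that leaks adjacent memory). Real container formats have nested lengths, so the same pair of checks has to be applied at every level, which is where such bugs usually hide.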
~~~
hoten
So the payload would be some corrupted video file sent to Bezos's phone. Would
the attack look something like:

1) Discover/buy/steal Bezos's WhatsApp number (how did they do that...)

2) Discover/buy/steal a 0-day bug in WhatsApp.

3) Write and compile a program that reads SMS from the OS and beacons it to
some server you control.

4) Create a corrupted video file that would trigger the video parsing bug, and
within that video file place the compiled program from the previous step in
the correct place so that it gets executed.

5) Send to Bezos.

~~~
pjc50
Yes, that seems like a reasonable summary. (3) is the kind of thing that
exploit developers will have "off the shelf"; (1) is probably available in a
dump of private information somewhere.

------
dvt
Looks like TikTok is slowly imploding.

I know there's plenty of political implications and a lot of discussion here
is on that (which is interesting in its own right), but I wonder if there's
opportunity here for a potential competitor.

~~~
maerF0x0
What does tiktok have that IG stories or SnapChat does not provide?

It appears to me that TikTok is just a perpetuation of exclusivity in Social
Networks (the same way kids exited FB when their parents signed up) ...

~~~
ralston3
The "For You" page.

Sure, it's just another algorithmic-based feed. But in my experience (and from
talking to a few ppl who enjoy TikTok), the For You page is a differentiator.
It's like a combination of what's trending, what's recent (time wise), and
what you've spent time interacting (watching, liking, commenting) with
previously.

Again all platforms do some form of this, but just saying TikTok does it in a
pretty addicting way.

Also combine that with the fact that TikTok videos are so incredibly short
that by the time they're over, you haven't even decided whether or not you
liked it (no doubt by design), which means you can endlessly consume content.

Also, I've heard that TikTok has better (read: better for comedy-style
content) tools to edit videos in the app

~~~
quuUuw
I seem to be the only person here who actually uses tiktok. What makes tiktok
different is the musical background (somehow people never mention this when
comparing it to vine), the fyp algorithm being incredibly good, and the
various communities built around certain niches. It's night and day compared
to other apps.

------
ziddoap
I'm more surprised Amazon (or any company, really) employees using an
employer-managed device would have TikTok on them to start with, to be honest.

As the follow-up tweet says: "Completely independent of the specifics in this
instance: get a second device before installing an employer's config profile
on your personal device"

~~~
ianmobbs
Does Amazon provide company phones or just install an MDM profile on your
personal phone? I have TikTok installed on my phone, and if my employer said I
had to remove it to access my work email, I'd ask them to buy me a work phone.
It seems a bit ridiculous that they'd want to control what apps you download
on your personal device without providing an alternative.

~~~
yumraj
No, they are controlling the environment under which their company emails can
be accessed.

If you, as an employee, don't want to remove TikTok I believe you will have
that right, it's just that you won't be able to access company emails from
that device.

Now, whether or not that leads to a company phone or you having to look for
another job, depends on the individual and how important that individual is to
the company.

~~~
chooseaname
If any company expects me to access my work email while mobile, they have to
provide a phone. I _never_ mix work and personal. I've also never had a
company say no to that.

~~~
lovich
Adding another anecdote, when I said I did not want to let work control my
mobile phone, my boss told me I could figure out whether I wanted to keep the
job or not.

~~~
sillysaurusx
Switch jobs! Environments like that will grind down your soul. Or at least
they did for mine.

Perhaps I'm projecting a little, but: please don't feel like you're stuck
there. It's an illusion more often than not.

~~~
scarface74
Switch from a well paying job instead of just getting another cheap phone?

Of all the hills I am willing to die on, getting another phone isn’t one.
Especially if they provide a credit for your cell phone.

[https://www.teamblind.com/post/Amazon-Cell-Phone-Reimburseme...](https://www.teamblind.com/post/Amazon-Cell-Phone-Reimbursement-OBDqT5Dy)

------
a13n
I feel like this TikTok backlash is so overblown. I don't think TikTok is
spying on US consumers/business, and I don't think TikTok is sharing any US
private data with CCP... I believe this because there's no evidence to the
contrary, and out of principle you shouldn't assume malintent.

In fact, TikTok explicitly left Hong Kong because if they didn't they would
have to share private data with CCP to comply with new laws... they're
intentionally leaving MAU on the table to keep their users' data safe. [1]

If you look around, US social companies are making the same mistake with your
clipboard data that TikTok did. LinkedIn just got caught reading your
clipboard data [2], but we aren't talking about banning them... I would assume
in all of these cases, it's just an engineer who accidentally shipped a bug.
There are legitimate use cases to read the clipboard (eg. more seamless 2fa).

It feels like the negative reaction to TikTok is so politicized and just comes
from a "China bad" attitude.

[1]: [https://www.cnn.com/2020/07/07/tech/tiktok-leaving-hong-kong...](https://www.cnn.com/2020/07/07/tech/tiktok-leaving-hong-kong-intl-hnk/index.html)

[2]: [https://news.ycombinator.com/item?id=23716451](https://news.ycombinator.com/item?id=23716451)

~~~
vesche
Some light reading:

[https://rufposten.de/blog/2019/12/05/privacy-analysis-of-tik...](https://rufposten.de/blog/2019/12/05/privacy-analysis-of-tiktoks-app-and-website/)

[https://docs.google.com/document/d/1QEyWqAiTE_5xzCs_X3tjDCQx...](https://docs.google.com/document/d/1QEyWqAiTE_5xzCs_X3tjDCQxMvWWtntdJnhBOjtP9Qg/edit)

[https://www.reddit.com/r/videos/comments/fxgi06/not_new_news...](https://www.reddit.com/r/videos/comments/fxgi06/not_new_news_but_tbh_if_you_have_tiktiok_just_get/fmuko1m/?context=1)

[https://www.washingtonpost.com/world/tiktoks-owner-is-helpin...](https://www.washingtonpost.com/world/tiktoks-owner-is-helping-chinas-campaign-of-repression-in-xinjiang-report-finds/2019/11/28/98e8d9e4-119f-11ea-bf62-eadd5d11f559_story.html)

[https://www.thetimes.co.uk/article/video-app-linked-to-china...](https://www.thetimes.co.uk/article/video-app-linked-to-china-s-ruling-party-8c7j3ljlj)

[https://www.wired.com/story/tiktok-is-the-latest-window-into...](https://www.wired.com/story/tiktok-is-the-latest-window-into-chinas-police-state/)

[https://thehill.com/blogs/congress-blog/politics/478015-exer...](https://thehill.com/blogs/congress-blog/politics/478015-exercise-caution-when-using-chinese-apps-like-tiktok)

[https://www.forbes.com/sites/zakdoffman/2020/06/26/warning-a...](https://www.forbes.com/sites/zakdoffman/2020/06/26/warning-apple-suddenly-catches-tiktok-secretly-spying-on-millions-of-iphone-users/#484ce3434ef0)

~~~
a13n
I just read/skimmed each of these links.

Is this any less data than is collected by Facebook or Google in their
apps/websites?

This seems like mostly an issue with the fact that Android lets apps get at
this much data - something that should be fixed at the OS-level. There's very
little mention of similar practices/vulnerabilities on iOS.

------
orblivion
Sorry if I missed something obvious, but if we're at the point where the U.S.
government is even contemplating banning TikTok, how come it's on Google and
Apple stores at this point? They seem to be at least somewhat vigilant about
spyware etc.

~~~
mrlala
From what I read, I think the issue is people keep claiming it does all this
various "spyware" stuff, when it sounds like it's doing _nothing_ that any
other app could do, given the (what appear to be) lax permissions of
android/ios.

If people are so worried about what tiktok can be gathering outside of the
app, that is a problem for apple & google.

For this, I think it's 100% overblown what people think tiktok is doing. It
just doesn't make sense. If it was really some kind of massive spyware, I
agree apple/google would be all over this.. but they aren't.

This comes down to a lack of trust in China obviously, and I don't think
there's anything really more concrete than that.

~~~
ngold
It was the whole read write access that was a massive violation of apple and
googles store policy.

It can upload and download whatever to your phone.

No other app is even close to allowed that.

~~~
nxc18
Can you please point to any evidence or source? I've never heard of this
happening (beyond what every other app can do in terms of downloading and
uploading data) and the wording isn't clear as to what exactly you mean.

------
adreamingsoul
And that's why I never setup email on my personal mobile device when I worked
for AWS.

------
schnable
What's the security/privacy vulnerability that would allow TikTok access to
sensitive info from email?

~~~
closetnerd
Likely that they have the potential to have as much information about us as
Facebook does - but China?

If there was a real security/privacy issue - I'd be more upset with Apple than
China (as an iPhone user). Apple needs to watch my back.

~~~
gandutraveler
On top of background device data and analytics there is a lot of sensitive user
data shared on the app which can be used to target certain audiences.
Social engineering this data and joining it with other apps (which can have
security holes) is enough to hack the device and steal additional info. All
this also applies to American companies like FB, Google etc., however American
companies don't have a parent like the CCP who has access to all the data.

------
btgeekboy
If I had to judge between whether I wanted TikTok or corporate email on my
phone, it wouldn't be just about the email. I could live without that. What I
really liked, especially back when we actually went into offices, was that I
had my calendar available without opening up my laptop, and that it showed the
next place I needed to be right on my wrist.

------
markovbot
I assume they won't be doing that to the main-stream spyware pushed by US
companies.

~~~
manquer
The threat model for AMZ is state-sponsored corporate espionage, not
government intruding on your and my privacy. The former costs them a ton of
money, unlike the latter. Given their inability to enforce IP or many other laws
in China, even if there was similar espionage happening in the U.S. the legal
system is strong enough for Amazon not to worry about losing money.

~~~
mike00632
But if Amazon found evidence of code that allows for TikTok to engage in
corporate espionage, why would they keep it a secret and just send out an
email (and later retract) that forbids employees from using the app?

It seems way more likely that a non-tech manager at Amazon read the news and
wrote the email.

------
m0nsoon
TikTok and Chinese apps in general are having a tough day. While nothing
malicious has been conclusively shown—save for iOS pasteboard spying which it
seems EVERY app is doing—I suspect that this is a geo-strategic move by the US
and our Allies to dominate and flex economic power over China.

------
somethoughts
Bytedance should just take the cash and spin off TikTok as a separate entity
run by the new CEO Kevin Mayer. Perhaps selling the spin-off to Disney or
Snapchat or private equity while it's still worth something.

------
atarian
Makes a lot of sense considering AWS deals with sensitive government data.

------
ddevault
Is TikTok officially the scapegoat now? Sure it's bad, but it seems like an
awful lot of attention is being brought to it compared to many of the other
companies (and governments!) that are doing... the exact same shit, and often
more so.

------
remarkEon
Does anyone have a link to a legit security analysis on this app? I'm trying
to weed through all details, and I want to get past any FUD.

------
tzs
How does Amazon email access work from home desktops? I assume it is not just
simple POP/IMAP/SMTP authenticated by username/password, because if it was you
could use that from mobile, too.

------
pinkfoot
I cannot think of a single action that will promote the adoption of Huawei's
app store more than banning TikTok.

------
treebornfrog
Byte.co waiting for adoption on the sidelines.

~~~
s1mon
There are a bunch of TikTok wannabes (Byte, Dubsmash, or the various attempts
by Facebook), none that I've seen are as fluid or addictive. TikTok's ability
to navigate around with a bunch of responsive swipe gestures and keep showing
things that might be interesting is miles ahead of the competition. The
fluidity is very dependent on a good internet connection.

------
nitrobeast
Standard corp policy? Google disallows dropbox on devices that can access
Google internal data as well.

------
Sindrome
Company doesn't want employees to install spyware. Is Fortnite next?

------
la6471
Time to buy SNAP stocks :)

------
echelon
What's the probability that the Trump admin/DOJ places a nationwide ban on
TikTok and other Chinese apps? Could it actually be enforced, or will the
First Amendment override any such ban?

What would the ramifications be if a ban were enacted? Retaliation from China
against domestic companies?

Will this be an inflection point in the escalation of the trade war?

~~~
bigpumpkin
25%. Yes. Yes.

Millions of angry teenagers. China retaliates by barring a few
American SaaS companies / cloud providers on national security grounds.

It's a continuation of trends that were well underway since the Huawei
entities list.

------
apta
Good start. Hopefully the rest of the corporations and world governments
follow.

------
metaphorical
In 2018, Bytedance CEO released a public statement after an incident with the
CCP censor. In that statement, he promised that Bytedance apps would
strengthen "the work of Party construction" and "socialist core values" etc.

[https://chinamediaproject.org/2018/04/11/tech-shame-in-the-n...](https://chinamediaproject.org/2018/04/11/tech-shame-in-the-new-era/)

I don't know how Bytedance as a company can serve CCP interests AND claim to
be independent of CCP interference _at the same time_.

TikTok is a good product, but it may not be a safe product.

More on the dystopian practices of Douyin (TikTok in China):
[https://twitter.com/Izzy_Niu/status/1280906443273768960](https://twitter.com/Izzy_Niu/status/1280906443273768960)
[https://twitter.com/JoshuaDummer/status/1280877750245453828](https://twitter.com/JoshuaDummer/status/1280877750245453828)

------
blondie9x
Snapchat are you listening? Make a page for your users and allow them to
persist the videos and images. You will have implemented a complete platform
for those who want images to disappear and for those who want them to persist.
That makes TikTok redundant and unnecessary.

------
TedDoesntTalk
This is an example why I don’t use Twitter regularly.

Someone mentions the copy/paste sec vuln in TikTok and “Onur Olmez” writes:

> LinkedIn app apparently also has this issue [...] Uncalled for to ban apps
> for this one reason.

I mean, wtf? Everybody on Twitter has an opinion about everything, even things
they know nothing about.

~~~
jml7c5
Are they wrong?

~~~
TedDoesntTalk
In my opinion, yes. This is an enormous security vulnerability. TikTok can
exfiltrate any data that the user types into any application: passwords, any
kind of sensitive data.

~~~
jml7c5
I think the objection is to the double-standard, where two apps commit the
same infraction but one is assumed to be nefarious.

