At a glance.
- TikTok’s in-app browser includes a keylogger…but the app says it’s only for debugging.
- Data breach adds insult to injury for wounded workers.
- US medical data breaches continue to rise.
TikTok’s in-app browser includes a keylogger…but the app says it’s only for debugging.
A new research report released by Felix Krause, a software researcher based in Vienna, shows that TikTok monitors user activity on outside websites whenever a user visits a site through a link on the app. The popular video-sharing app could not only monitor the user’s keystrokes on external sites, but also could collect the user's credit card details or password. This tracking is made possible by the fact that whenever a user clicks on a link while using TikTok, the app doesn’t open the new site in a separate browser like Safari, but instead launches the site in a TikTok-made in-app browser that injects lines of JavaScript, creating commands that allow TikTok to track user activity on the website. “This was an active choice the company made. This is a non-trivial engineering task. This does not happen by mistake or randomly,” Krause, founder of app-testing service Fastlane, told Forbes. Though TikTok has admitted that the tracking features exist in the code as part of a third-party software development kit, the company denies that they use them. TikTok spokesperson Maureen Shanahan stated, "Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.”
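The mechanism described above (an app loading third-party sites in its own webview and injecting script from the native side) is something a site owner can partly detect from the page side. The following is an added example, not code from the report or from Krause's research: one function classifies a session as an in-app browser from its User-Agent string, and another audits the script elements on a page against an allowlist of origins and a per-page CSP nonce. The User-Agent marker strings are assumptions based on commonly reported webview formats and should be verified against real traffic before use; the sample inputs are constructed.

```javascript
// Added example: page-side checks a site owner can run to detect
// in-app browser sessions and audit the scripts present on the page.
// Not part of the original report or of any app vendor's code.

// Marker substrings assumed to appear in in-app webview User-Agent
// strings (assumption: verify against your own traffic before relying on it).
const IN_APP_MARKERS = [
  { app: "TikTok", markers: ["musical_ly", "BytedanceWebview"] },
  { app: "Facebook", markers: ["FBAN", "FBAV"] },
  { app: "Instagram", markers: ["Instagram"] },
];

// Returns the app name if the User-Agent matches a known in-app browser
// marker, otherwise null.
function detectInAppBrowser(userAgent) {
  for (const { app, markers } of IN_APP_MARKERS) {
    if (markers.some((m) => userAgent.includes(m))) return app;
  }
  return null;
}

// Audits script elements. `scripts` is an array of { src, nonce } taken
// from document.scripts; external scripts must come from an allowlisted
// origin and inline scripts must carry the page's CSP nonce.
function unexpectedScripts(scripts, allowedOrigins, pageNonce) {
  const findings = [];
  for (const { src, nonce } of scripts) {
    if (!src) {
      if (nonce !== pageNonce) {
        findings.push({ src: "(inline)", reason: "inline script without page nonce" });
      }
      continue;
    }
    let origin;
    try {
      origin = new URL(src).origin;
    } catch {
      findings.push({ src, reason: "unparsable script URL" });
      continue;
    }
    if (!allowedOrigins.includes(origin)) {
      findings.push({ src, reason: `origin ${origin} not allowlisted` });
    }
  }
  return findings;
}

// Constructed demo inputs (in a real page: navigator.userAgent and
// [...document.scripts].map(s => ({ src: s.src, nonce: s.nonce }))).
const SAMPLE_UA =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) AppleWebKit/605.1.15 BytedanceWebview/d8a21c6";
const SAMPLE_SCRIPTS = [
  { src: "https://example.com/static/app.js", nonce: "" },
  { src: "https://tracker.example.net/t.js", nonce: "" },
  { src: "", nonce: "r4nd0m" },
  { src: "", nonce: "" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("in-app browser:", detectInAppBrowser(SAMPLE_UA));
  console.log(unexpectedScripts(SAMPLE_SCRIPTS, ["https://example.com"], "r4nd0m"));
}
```

One caveat matters here: script injected by the host app through the native webview API does not create a script element and is not subject to the page's Content-Security-Policy, so the audit function only catches injection that goes through the DOM. The User-Agent check is the practical defence for the case the report describes, since it lets a site warn the user and offer an "open in your browser" link for pages where credentials or card details are entered.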
Data breach adds insult to injury for wounded workers.
The Workforce Safety & Insurance (WSI) agency of the US state of North Dakota has disclosed it experienced a cyberattack in June and that the data of nearly two hundred injured workers were exposed. The Bismarck Tribune reports that the intruder gained access to the data by infiltrating a WSI employee's email account, and the compromised machine has been secured and disconnected from the network. Analysis of the impacted machine revealed evidence of a “sophisticated phishing attack” carried out through a malicious email attachment, but fortunately the incident appears isolated to the one account. WSI has notified the affected individuals.
US medical data breaches continue to rise.
Becker’s Hospital Review notes that over eighty US medical providers were impacted by cyberattacks in August (so far) and lists eleven of the incidents reported by the Review this month. Among the reported attacks are a data breach at OneTouchPoint, a printing and mailing vendor, that impacted nearly forty healthcare organizations across the country (including household names Kaiser Permanente and Blue Cross Blue Shield), and an attack allegedly carried out by the Russian threat group the Karakurt gang affecting several health facilities in the state of Texas.
Health IT Security reports that Lamoille Health Partners, a medical facility located in the US state of Vermont, suffered a ransomware attack that compromised the data of 59,381 individuals. After detecting a network disruption, Lamoille discovered that an unauthorized third party potentially accessed and acquired patient data including names, addresses, Social Security numbers, and health insurance information. Lamoille was able to restore its systems from backups and stated that they “have no reason to believe that any personal information has been misused for the purpose of committing fraud or identity theft.”
Meanwhile in the state of Florida, Lee County Emergency Medical Services (EMS) has begun notifying an undisclosed number of individuals of a third-party data breach connected to Intermedix Corporation, Lee County’s ambulance billing services vendor. Although Lee County EMS cut ties with Intermedix in 2014, the Lehigh Acres Citizen explains that Intermedix’s law firm Smith, Gambrell & Russell (SGR) was still in possession of Lee County data when the breach occurred. Lee County is working with Intermedix and SGR to notify individuals who may have been impacted.