Warning: spear-phishing campaign targeting IS MU login credentials
The Cybersecurity Team of Masaryk University warns of an ongoing spear-phishing campaign aimed at stealing login credentials for the Masaryk University Information System.
TikTok application - installation and use warning for users of IT at MU
We strongly advise all users of IT at MU not to use the TikTok mobile application. We are doing so based on the warning issued on Wednesday, March 8, by the National Cyber and Information Security Agency. This warning affects the Information System of MU (IS MU) and the Economic and Administrative Information System of MU (INET).
What's going on?
The social platform TikTok, developed and operated by the Chinese company ByteDance, is one of the most popular applications in its category worldwide - it has over a billion downloads only in the Google Play Store. It is not different in the Czech Republic - data shows that there are currently around two million active users in the Czech Republic. ByteDance falls under the laws of the People's Republic of China, which raises concerns that China's interest may be placed above the interests of TikTok users.
What is the problem?
The risks associated with using TikTok are significantly higher than with most similarly popular apps. The reason is that the application collects sensitive data, not only from browsing and search history. It also gathers information from keyboard records and biometric identifiers (voice and face prints), which other technologies could use without the user's knowledge.
In addition, the Chinese legal environment must be taken into account. Chinese companies, including TikTok, must cooperate with the state and provide it with all the information they collect (without ensuring sufficient personal data protection).
With this in mind, we strongly warn users of IT at MU who decided to use TikTok that the operator of the application may:
- enforce the use of a native browser, which allows monitoring of almost all user activity (e.g., pressing keys on the screen);
- collect information about the device, including connection to the Wi-Fi network, serial number of the device and SIM card, phone number, a list of all user accounts used on the device, and complete access to the clipboard;
- map the device when the application detects information about other running and installed applications;
- regularly check the location of the device;
- forward private communications to the servers of the Chinese company ByteDance;
- have access to contacts on the device.
What does this mean for the users of IT at MU?
Based on the above information, we strongly advise all users of IT at MU not to install or use the TikTok mobile application on devices that access IS MU and INET. Furthermore, as a user of IT services at Masaryk University, you are obliged to prevent security incidents arising from the MU Directive No. 10/2017 on the use of information technologies (Article 3, paragraphs 3 and 5).
In addition to this duty, think about your information security and the protection of your privacy, as TikTok significantly violates both. Protecting your privacy is essential because TikTok may not be the only app that can invade your privacy. Therefore, it also depends on the other services and applications you use and your behavior.
If you are more interested in the topic, you can try our online course on information security. For more information about the world of cyber security, follow our profile or read one of the educational articles we have prepared for you.