SecureMac, Inc.

Checklist 305: Dangers in the Latest Thing

December 1, 2022

We look at Mastodon security and privacy; a TikTok malware scam; and why we still need to talk about passwords.

On this week’s Checklist:

  • Are Twitter alternatives safe?
  • A TikTok malware scam
  • Why old password advice is still relevant 

Mastodon and user security

Twitter is in turmoil, leading many longtime users to seek out other social platforms. One such alternative is Mastodon, described by its website as:

…an open-source, self-hostable microblogging platform similar to Twitter or Tumblr. Here users make profiles, post messages, images, and videos, and follow other users. The messages usually have a 500-character limit that follows a chronological order. 

Mastodon has a few things going for it in terms of security and privacy. It’s decentralized and crowdfunded, which means that there’s no giant tech company keeping track of user activity and/or trying to monetize it. In fact, Mastodon says it doesn’t collect any user data!

However, this decentralization may also prove to be an issue for security, as Ars Technica points out:

[Mastodon administrators]…may not be versed in the nuances of security. The difficulty of configuring and maintaining instances leaves plenty of room for mistakes that can put user passwords, email addresses, and IP addresses at risk of being revealed…

But on the positive side of things, Mastodon does seem to be concerned about security (it’s big on two-factor authentication, for example). And the fact that the platform isn’t collecting user data at all means that there’s less incentive for bad guys to attempt a data breach—after all, you can’t steal what isn’t there!

For tips on how to stay safe on the platform, check out our guide to Mastodon security and privacy.

A TikTok malware scam

TikTok has been around for a while, but the latest security issue on that social platform is “the invisible challenge.”

The short version is that TikTok has a visual effects filter that makes you invisible on video. TikTokers have been testing the limits of the filter by trying it out in…ahem…various states of undress.

This has spawned an interesting cybersecurity threat: Bad guys are now offering an “Unfilter” that promises to reverse the effects of the aforementioned TikTok invisibility filter and reveal unclothed TikTokers. But surprise, surprise—there is no “Unfilter.” It’s just malware. 

Using social engineering techniques and TikTok’s own platform, the bad guys are trying to get people to download the malware and install it on their devices. 

And it’s fairly nasty stuff. As The Register reports:

After tricking people into downloading the malware, the criminals have access to victims’ devices, including Discord passwords and contacts, which they can then use to spoof the victim and scam their contacts.

So how does one avoid scams like this? By following a couple of basic best practices for download security. Never download and install software simply because someone told you to—and only get your software from reliable sources. On a Mac, that means the Mac App Store or the website of a developer you know and trust. On iOS, that means the App Store.

Bad passwords: a perennial problem

Password manager NordPass has released data on the most commonly used bad passwords last year. It’s…disheartening. 

It seems that people are still using such gems as “123123,” “111111,” “qwerty,” and, of course, “password.”

Also popular in 2021-2022 were passwords involving recent hit movies and TV shows (“Batman,” “Euphoria,” and “Encanto” were among the most popular password choices in this category of poor passwords).
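As an added illustration (it is not part of the original article, nor NordPass's own tooling), here is a small Python checker that rejects the kinds of passwords the report calls out: entries on a deny list of common passwords, short blocks repeated over and over like “111111” and “123123,” keyboard walks like “qwerty,” and pop-culture titles dressed up with digits or symbol substitutions. The deny list, the title list and the minimum length are constructed samples; a real deployment would load a large breached-password corpus instead of a handful of hard-coded entries.

```python
import re

# Constructed sample deny list built from the passwords the report names.
COMMON_PASSWORDS = {"password", "qwerty", "123123", "111111", "123456"}

# Constructed sample of the pop-culture titles the report calls out.
POP_CULTURE_WORDS = {"batman", "euphoria", "encanto"}

# Physical keyboard rows plus the digit row, used to spot "keyboard walks".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common symbol-for-letter substitutions ("b@tm4n" -> "batman").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # assumed policy value for this example


def is_repeated_block(pw: str) -> bool:
    """True when pw is one short block repeated, e.g. '111111' or '123123'."""
    n = len(pw)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and pw[:k] * (n // k) == pw:
            return True
    return False


def is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True when pw is a run along a keyboard row, forwards or backwards,
    such as 'qwerty' or '654321' (case-insensitive)."""
    s = pw.lower()
    if len(s) < min_run:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def core_words(pw: str) -> set:
    """Reduce pw to the dictionary words it might be built from:
    'Encanto2022' -> 'encanto', 'B@tm4n!' -> 'batman'."""
    low = pw.lower()
    stem = re.sub(r"[^a-z]+$", "", low)             # drop trailing digits/symbols
    plain = re.sub(r"[^a-z]", "", low)              # letters only
    deleet = re.sub(r"[^a-z]", "", stem.translate(LEET_MAP))
    return {plain, deleet}


def password_problems(pw: str) -> list:
    """Return the reasons pw is weak; an empty list means it passed every check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if is_repeated_block(pw):
        problems.append("repeated block")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    if core_words(pw) & POP_CULTURE_WORDS:
        problems.append("pop-culture title")
    return problems


def is_acceptable(pw: str) -> bool:
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ["password", "123123", "qwerty", "B@tm4n2022!",
                      "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

The checks are deliberately independent so that a rejection message can tell the user which habit the password exhibits; the deny-list lookup alone would miss “Batman2022!” and “b@tm4n,” which is exactly the kind of variation that lands a movie title on a most-common-passwords list.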

It’s reports like these that make us keep repeating the same password advice year in, year out—because apparently, there are still folks who need to hear it.

If you’re a regular listener of the podcast, we know that’s probably not you…but it probably is someone you know. So take a moment this week to share the fundamentals of password security with somebody you care about: 
