Reverse engineering the obfuscated TikTok VM

There is no legitimate reason for a social media platform to employ this much obfuscation.

It's to keep bots away and not turn to be another Twitter.

That's probably not the goal. There are bots advertising illegal services (e.g. ads for "hacking services", illegal drugs) in most comment sections. If you report these comments, 99.9% of the time the report will be rejected with "no violations found" and the spam stays up.

The legitimate reason could be bot protection, the same way recaptcha uses a similar VM technique for obfuscation.

See my other comment on this thread: https://news.ycombinator.com/item?id=43748994

That doesn’t mean that it’s “probably not the intention”.

You not being able to come up with one is different from there not being any possible reason.

This is not a social media platform but a government backed tool for doing stuff for the government.

The balance of evidence suggests otherwise. If they cared about spam bots they would take action when spammers are handed to them on a silver platter. The kinds of spammers who will leave 30 identical comments advertising illegal services, not some weird moderation corner case.

If you ever end up on a video that's related to drugs, there will be entire chains of bots just advertising to each other and TikTok won't find any violations when reported. But sure, I'm sure they care a whole lot about not ending up like Twitter.

If you believe this you underestimate how adversarial the software world really is. TikTok will be on the receiving end of botnets by everything from commercial entities, state backed groups and criminals.

They won't be betting that this stops that entirely, but it adds a layer of friction that is easy for them to change on a continuous basis. These things are also very good for leaving honeypots in where if someone is found to still be using something after a change you can tag them as a bot or otherwise hacking. Both of those approaches are also widely used in game anti-cheat mechanisms, and as shown there the lengths people will go to anyway are completely insane.

So you're saying that TikTok's support team doing a poor job of handling reports is proof that the engineering team wasn't tasked with reducing spam by writing code obfuscation?

TikTok is a huge company, evidence of what the support department does or doesn't do has only minor bearing on the whole company, and basically none on the engineering department.

The thing that seems most likely to me is that they care about spam, the engineering department did this one thing, and the support department is either overworked or cares less. Or really efficient which is why you only see "a lot of spam", not "literally nothing but spam".

A large company is much less cohesive than you realize. You can't reliably reason about the goals of one part because another part isn't consistent. This particular difference could easily be explained by insufficient funding to moderation, which is endemic in social media.

It's an excellent strategy for the reasons you mention. And a kind of "security by principle of least privilege".

Nah..I agree with the parent comment, there is simply no legitimate reason for a social media app to employ this level of obsfucation.

Because bots cant interact with web pages at the browser level like humans do...

If you ran a social media site and app, and had a problem of many different groups employing bots to post tons of content for nefarious purposes to your site, what would you do?

I've said this twice already, it's not that another part "isn't consistent" (I would agree that this is to be expected), they're CONSISTENTLY acting in the opposite manner than is being speculated here and I subscribe to the "purpose of a system is what it does" world view.

I guess Id probably be doing something similar to what all the other social media apps are doing (unless of course, I had something to hide...)

If you really subscribed to POSIWID, you wouldn't be making arguments like "That's probably not the goal", as that's nonsensical from the POSIWID perspective.

The nominal goal of the code could well be bots at the same time the POSIWID purpose is about the exec impressing his superiors and the developers feeling smart and indulging their pet technical interests. Similarly, the nominal goal of the abuse reporting system would include spam, even if the POSIWID analysis would show that the true current purpose is to say they're doing something while keeping costs low.

So again, I don't think you have a lot of understanding of how large companies work. Whereas I, among other things, ran an anti-abuse engineering team at Twitter back in the day, so I'm reasonably familiar with the dynamics.

What are the other social media apps doing? Are you sure they're not using obfuscated VMs as well?

I'm guessing a lot of them use reCAPTCHA, and according to this comment, reCAPTCHA uses an obfuscated VM:

https://news.ycombinator.com/item?id=43748994

Yep I'd probably go with a reCaptcha like everybody else except TikTok then.