TikTok’s In-App Browser Reportedly Capable of Monitoring Anything You Type

Security researcher Felix Krause claims that TikTok’s iOS custom in-app browser injects JavaScript code into external websites, enabling TikTok to track “all keyboard inputs and taps” while a user is interacting with a particular website. TikTok has reportedly denied that the code is used maliciously.

Krause said that when a user is interacting with an external website, TikTok’s in-app browser “subscribes” to all keyboard inputs, including any sensitive information like passwords and credit card information, along with each touch on the screen.

According to Krause, the JavaScript code that TikTok injects is comparable to installing a keylogger on third-party websites from a technological standpoint. The researcher did point out, however, that “simply because an app injects JavaScript into other websites, doesn’t indicate the app is doing anything dangerous.”

A TikTok representative acknowledged the disputed JavaScript code in a statement sent to Forbes, but said it was used solely for performance monitoring, debugging, and troubleshooting in order to guarantee an “optimal user experience.”

According to a statement to Forbes, “like other platforms, we use an in-app browser to deliver an optimal user experience, but the… Javascript code is used only for debugging, troubleshooting, and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.”

Krause advised users to open links in the platform’s default browser, such as Safari on the iPhone and iPad, to protect themselves against any potentially harmful use of JavaScript code in in-app browsers.

Whenever you open a link from any app, check whether the app offers a way to view the currently displayed website in your usual browser, Krause said. Every app examined during the investigation, except TikTok, provided a way to do this.

According to Krause, Facebook and Instagram are two other applications that add JavaScript code to external webpages loaded in their in-app browsers, enabling the apps to monitor user activities. A representative for Meta, the corporation that owns Facebook and Instagram, said in a tweet that it “specifically created this code to respect people’s App Tracking Transparency (ATT) preferences on our platforms.”

Using a simple tool, anybody can determine whether an in-app browser is injecting JavaScript code while a webpage is being viewed, according to Krause. The researcher said that users only need to launch the app they want to examine, share the tool’s URL anywhere within the app (such as in a direct message to a friend), tap the link to open it in the app’s in-app browser, and then read the report’s data.

In a statement, TikTok said: “The report’s findings about TikTok are false and deceptive. The researcher explicitly states that the JavaScript code does not imply that our app is acting maliciously, and acknowledges that they are unable to determine what sort of information our in-app browser gathers. Contrary to what the report alleges, we do not record keystrokes or text inputs using this code; it is only used for performance monitoring, debugging, and troubleshooting.”

The “keypress” and “keydown” event listeners cited by Krause are standard inputs that TikTok does not use for keystroke monitoring, according to a TikTok spokesman, who added that the JavaScript code is part of an SDK that TikTok uses.
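The behaviour Krause describes, an in-app browser “subscribing” to keyboard inputs and taps, and the “keypress” and “keydown” listeners TikTok refers to, come down to ordinary addEventListener calls, which a page can watch for. The following is an added example, not code from the article, from Krause’s tool or from TikTok: a page-side audit hook that logs which script subscribes to keyboard and touch events and from where; the detection approach is assumed here, not taken from the tool’s actual implementation.

```javascript
// Added example: an audit hook that records every subscription to keyboard and
// touch events so a page (or a tester) can see whether the host in-app browser
// injected such listeners. Assumption: it must run before the injected script.
const SENSITIVE_EVENTS = new Set([
  'keypress', 'keydown', 'keyup', 'input', 'touchstart', 'touchend',
]);

// Wrap addEventListener on `target` (EventTarget.prototype by default, which
// covers window, document and every element). Returns report() and uninstall().
function installListenerAudit(target = EventTarget.prototype) {
  const log = [];
  const original = target.addEventListener;
  target.addEventListener = function audited(type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      // The stack names the script that registered the listener; a URL
      // outside the page's own origin points at injected code.
      log.push({ type, caller: callerFrame(new Error().stack) });
    }
    return original.call(this, type, listener, options);
  };
  return {
    report: () => log.slice(),
    uninstall: () => { target.addEventListener = original; },
  };
}

// Stack line [0] is "Error", [1] our wrapper, [2] the registering script.
function callerFrame(stack) {
  const lines = (stack || '').split('\n').map((l) => l.trim());
  return lines[2] || 'unknown';
}

// Count sensitive subscriptions per event type for a quick summary.
function summarize(entries) {
  const counts = {};
  for (const e of entries) counts[e.type] = (counts[e.type] || 0) + 1;
  return counts;
}

// Stand-alone demo: simulate an injected script subscribing to key events.
function demo() {
  const audit = installListenerAudit();
  const doc = new EventTarget(); // stands in for `document`
  doc.addEventListener('keydown', () => {});
  doc.addEventListener('keypress', () => {});
  doc.addEventListener('resize', () => {}); // not sensitive, not logged
  const summary = summarize(audit.report());
  audit.uninstall();
  return summary; // { keydown: 1, keypress: 1 }
}
```

Loaded as the first script on a page and then viewed inside an in-app browser, the report shows which event types were subscribed to and the source of each subscription; entries attributed to a script the page did not ship are the ones to investigate.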
