TikTok’s in-app browser has the ability to monitor certain kinds of user activity on the external websites accessed with it, new research shows.
According to research published Thursday by Felix Krause, a Vienna-based software researcher, when TikTok users access a website through a link in the TikTok app, the app inserts code into the website that allows TikTok to monitor activity like keystrokes and what users are tapping on that site.
That could allow TikTok to capture personal user information like credit card numbers and passwords. The app is able to insert the code and modify the websites to allow that monitoring because the sites are opened in TikTok’s in-app browser, rather than in a standard one like Chrome or Safari.
“This was an active choice the company made,” Krause told Forbes, which first reported the findings. “This is a non-trivial engineering task. This does not happen by mistake or randomly.” Krause is the founder of the app-testing company Fastlane, which Google acquired five years ago.
TikTok didn’t respond to a CNET email seeking comment. TikTok spokesperson Maureen Shanahan confirmed to Forbes that those features exist in the code but said TikTok doesn’t use them to track users.
“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” she told the publication in a statement.
TikTok added that the code is part of a third-party software development kit, or SDK, a set of tools used to build or maintain apps, and that the SDK includes features TikTok doesn’t use.
The news comes amid long-running security and surveillance concerns about the TikTok app and its ownership by the Chinese company ByteDance. Some US officials say TikTok threatens national security because ByteDance could share data about Americans collected through the app with the Chinese government, which could then weaponize it against Americans. TikTok has repeatedly said it would never do this.
Krause’s research looked at more than just TikTok. In total, he tested seven iPhone apps that use in-app browsers, including TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood. Of those, TikTok is the only one that appears to monitor keystrokes, Krause said. Krause didn’t test the Android version of TikTok’s app.
Leave a Reply