TikTok’s in-app browser has the ability to monitor certain types of user activity on external websites it accesses, new research shows.
According to research published Thursday by Felix Krause, a Vienna-based software researcher, when TikTok users open a website through a link in the TikTok app, the app injects code into that website which allows TikTok to monitor activity on it, such as the keystrokes users type and what they tap.
This may allow TikTok to capture personal user information such as credit card numbers and passwords. The app can insert the code and modify websites to allow this monitoring because the sites are opened in TikTok’s in-app browser, not a standard one like Chrome or Safari.
“It was an active choice that the company made,” Krause told Forbes, which first reported the findings. “It’s a non-trivial engineering task. It doesn’t happen by mistake or by chance.” Krause is the founder of the application testing company Fastlane, which Google acquired five years ago.
TikTok did not respond to an email from CNET seeking comment. TikTok spokeswoman Maureen Shanahan confirmed to Forbes that these features exist in the code, but said that TikTok does not use them to track users.
“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is only used to debug, troubleshoot and monitor the performance of that experience – like checking how fast it loads a given page or whether it crashes,” she said in a statement to the publication.
TikTok added that the code is part of a third-party software development kit, or SDK, a set of tools used to build or maintain apps, and that the SDK includes features that TikTok does not use.
The news comes amid long-standing security and surveillance concerns about the TikTok app and its ownership by the Chinese company ByteDance. Some U.S. officials say TikTok threatens national security because ByteDance could share data about Americans collected through the app with the Chinese government, which could then weaponize it against Americans. TikTok has repeatedly said it would never do this.
Krause’s research looks at more than just TikTok. In total, it tested seven iPhone apps that use in-app browsers, including TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon, and Robinhood. Of those, TikTok is the only one that appears to track keystrokes, Krause said. Krause has not tested the Android version of TikTok’s app.