TikTok In-App Browser Knows Everything You Type, Says Researcher


Photo Credit: Eyestetix Studio

A security researcher suggests TikTok’s in-app browser behaves like a ‘keylogger’ for its ability to track keystrokes and more.

Tapping on a link in the TikTok app doesn’t open that page in your phone’s browser. Instead, TikTok uses an in-app browser that is capable of monitoring users’ activity on any website accessed through it. This level of tracking would make it possible for TikTok to capture credit card information, passwords, SSNs, or any other sensitive information a person may enter.

TikTok tracks users by injecting lines of JavaScript code onto the websites visited within its in-app browser. “This was an active choice the company made,” says Felix Krause, a software researcher who lives in Vienna. Krause published the findings on his website Thursday. “This is a non-trivial engineering task. This does not happen by mistake or randomly.” Digital Music News has been reporting on unscrupulous behavior from the TikTok app for several years now.

When you open any link in the TikTok iOS app, it’s opened inside the in-app browser. While browsing, TikTok tracks all keyboard inputs and every tap on the screen – like which buttons and links are clicked. After news of the report circulated this weekend, a TikTok spokesperson reached out to Forbes to offer a comment. That comment confirms that the keylogger feature exists but denies that TikTok is using or collecting the data.
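A site owner can check from the page side whether scripts are subscribing to keyboard and tap events. The following is an added example, not code from Krause's report or from TikTok; the names `SENSITIVE_EVENTS`, `installListenerAudit`, `summarize` and `demo` are assumptions made here, and the demo input is constructed.

```javascript
// Event types that reveal what a visitor types or taps (list chosen for this sketch).
const SENSITIVE_EVENTS = new Set([
  "keydown", "keypress", "keyup", "input", "click", "touchstart",
]);

// Wrap addEventListener so every registration for a sensitive event is recorded.
// Must run before any other script on the page to see later registrations.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const findings = [];
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      findings.push({
        type,
        target: this.constructor ? this.constructor.name : typeof this,
        // Capture-phase listeners see events before the page's own handlers.
        capture: typeof options === "boolean" ? options : Boolean(options && options.capture),
        // The call stack shows which script registered the listener.
        stack: (new Error().stack || "").split("\n").slice(2, 5).join("\n"),
      });
    }
    return original.call(this, type, listener, options);
  };
  const restore = () => { proto.addEventListener = original; };
  return { findings, restore };
}

// Count recorded registrations per event type, e.g. for a report to the site's backend.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed demo: three registrations, two of them on sensitive events.
function demo() {
  const audit = installListenerAudit();
  const target = new EventTarget();
  target.addEventListener("keydown", () => {}, true);
  target.addEventListener("click", () => {});
  target.addEventListener("scroll", () => {});
  audit.restore();
  return { counts: summarize(audit.findings), findings: audit.findings };
}
```

This only sees listeners added after the hook is installed and in the page's own script context, so a host app that injects earlier or in an isolated script world will not appear in the findings. Handlers assigned through properties such as `onkeydown` are also not covered.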

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience – like checking how quickly a page loads or whether it crashes,” TikTok spokesperson Maureen Shanahan told Forbes. Krause says the above statement is an admission that the app does exactly as he has reported. TikTok injects code into third-party websites through its in-app browser that behaves like a keylogger.

Meanwhile, the U.S. House of Representatives’ Chief Administrative Officer has issued a cyber advisory on TikTok, labeling it ‘high-risk’, with personal information being accessed from within China. “We do not recommend the download or use of this application due to these security and privacy concerns,” the statement reads.