TikTok monitors everything users type when using in-app browser

TikTok's in-app browser injects JavaScript into external websites, allowing the app to monitor all input, including passwords and credit card numbers.

In 2020, it was discovered that TikTok had been accessing users' clipboards. Now, TikTok has been found snooping on its users once again.

According to security researcher Felix Krause, whenever users open a link in TikTok, the app can then monitor everything a user does on that external website. This includes anything typed, as well as taps on buttons and links.

"This was an active choice the company made," Krause told Forbes. "This is a non-trivial engineering task. This does not happen by mistake or randomly."

A TikTok spokesperson told Forbes that the code isn't malicious but instead is used for "debugging, troubleshooting, and performance monitoring."

Additionally, TikTok claimed that the JavaScript is part of a third-party software development kit but did not disclose who made it.

Krause could not say whether or not TikTok has been collecting data from users, merely that it can.

To avoid being monitored, Krause suggests opening links shared in TikTok — and nearly every other service with an in-app browser — with Safari.

Update

TikTok reached out to AppleInsider to provide the following statement.

"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."