According to new research, TikTok can track users’ screen taps when they visit other websites using its iOS app.
The video sharing platform runs code that allows it to monitor text input, such as credit card numbers and passwords, while ‘in-app browsing.’
This occurs when a user opens a third-party site within TikTok rather than another browser such as Safari or Google Chrome.
Software engineer Felix Krause reported his findings last week after analyzing the JavaScript code social media apps run when a user opens a website link within them.
He tweeted: ‘When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information)
‘TikTok also has code to observe all taps, like clicking on any buttons or links.’
In the report, he added: ‘We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.’
🔥 New Post: Announcing InAppBrowser – see what JavaScript commands get injected through an in-app browser
👀 TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps. https://t.co/TxN1ezZX71
— Felix Krause (@KrauseFx) August 18, 2022
The engineer created a security tool, InAppBrowser.com, that lists the JavaScript commands an iOS app executes when it opens the site.
It reveals that, when a user browses a third-party site within TikTok on an Apple device, the app has the ability to monitor all keystrokes, text inputs, and screen taps.
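One way a website can see which input events other scripts subscribe to is to wrap `addEventListener` before anything else runs. The sketch below is an added example, not code from InAppBrowser.com or from Mr Krause's report; `installListenerAudit`, `asPage` and the constructed scenario are illustrative names, and a plain `EventTarget` stands in for `document` so it also runs in Node.

```javascript
// Added example (not InAppBrowser.com's code). All names here are illustrative.
// Event types that reveal keystrokes, text input or taps.
const SENSITIVE_TYPES = new Set(['keydown', 'keypress', 'keyup', 'input', 'click', 'touchstart']);

// Wrap addEventListener on a prototype and record every subscription.
function installListenerAudit(proto) {
  const original = proto.addEventListener;
  const records = [];
  let trusted = false; // true only while the site's own code is registering
  proto.addEventListener = function (type, listener, options) {
    records.push({ type, trusted, sensitive: SENSITIVE_TYPES.has(type) });
    return original.call(this, type, listener, options); // behaviour unchanged
  };
  return {
    records,
    // Run the site's own registrations so they are labelled as expected.
    asPage(fn) { trusted = true; try { return fn(); } finally { trusted = false; } },
    // Sensitive subscriptions the site did not make itself.
    unexpected() { return records.filter(r => r.sensitive && !r.trusted).map(r => r.type); },
    restore() { proto.addEventListener = original; },
  };
}

// Constructed scenario: a plain EventTarget stands in for `document`.
function demo() {
  const audit = installListenerAudit(EventTarget.prototype);
  const doc = new EventTarget();
  let delivered = 0;
  try {
    // The site's own handler.
    audit.asPage(() => doc.addEventListener('click', () => {}));
    // Stand-in for script added by the hosting app after page load.
    doc.addEventListener('keydown', () => { delivered += 1; });
    doc.addEventListener('click', () => {});
    doc.addEventListener('scroll', () => {});
    doc.dispatchEvent(new Event('keydown')); // wrapped listeners still fire
    return { unexpected: audit.unexpected(), total: audit.records.length, delivered };
  } finally {
    audit.restore();
  }
}
```

Scripts that an app runs in an isolated WKWebView content world (`WKContentWorld`) do not go through page-level wrappers like this one, so an empty result does not prove that nothing is listening.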
Mr Krause also tested the ability of other popular iOS apps to harvest data from users’ taps when they open a third-party website.
This included Instagram, Facebook, Facebook Messenger, Amazon, Snapchat, and Robinhood.
While TikTok had the most extensive surveillance capabilities, Instagram, Facebook, and Facebook Messenger had a similar amount.
However, TikTok is the only app that does not offer the option to open the third-party site in the default browser while in-app browsing.
The software engineer wrote: “There are data privacy and integrity issues when you use in-app browsers … such as how Instagram and TikTok show all external websites inside their app.”
“Their primary motivation is almost purely commercial and financial, whereas with TikTok, there is a national security element that I don’t think is directly present with the others.”
Because TikTok’s app is popular among children as young as 12, its users are likely unaware of the risks of surveillance and data harvesting.
Buzzfeed News reported in June that leaked recordings from more than 80 internal meetings revealed that TikTok employees based in China had repeatedly accessed US user data.