TikTok's in-app browser can reportedly monitor everything you type

TikTok’s custom in-app browser on iOS reportedly injects JavaScript code into third-party websites that lets TikTok monitor “all keyboard inputs and taps” while a user interacts with a site, according to security researcher Felix Krause. TikTok has denied that the code is used for malicious purposes.

Krause said TikTok’s in-app browser “subscribes” to all keyboard input while a user interacts with a third-party website, which can include sensitive details such as passwords and credit card numbers, along with every tap on the screen.

“From a technical standpoint, this is the equivalent of installing a keylogger on third-party websites,” Krause wrote of the JavaScript code that TikTok injects. However, the researcher added that “just because an app injects JavaScript into external websites doesn’t mean the app is doing anything malicious.”

In a statement shared with Forbes, a TikTok spokesperson acknowledged the JavaScript code in question but said it is only used for debugging, troubleshooting and performance monitoring to ensure an “optimal user experience”.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is only used for debugging, troubleshooting and performance monitoring of that experience – such as checking how fast a page loads or whether it crashes,” the statement to Forbes said.

Krause said that users who want to protect themselves from potentially malicious JavaScript in in-app browsers should, where possible, open links in the device’s default browser instead, such as Safari on the iPhone and iPad.

“If you open a link from within an app, see if the app provides a way to open the currently displayed website in your default browser,” Krause wrote. “During this analysis, every app except TikTok provided a way to do this.”

Facebook and Instagram are two other apps that insert JavaScript code into third-party websites loaded in their in-app browsers, allowing the apps to track user activity, Krause said. In a tweet, a spokesperson for Facebook and Instagram parent company Meta said the company “purposely developed this code to respect people’s App Tracking Transparency (ATT) choices on our platforms.”

Krause said he created a simple tool that lets anyone check whether an in-app browser injects JavaScript code when rendering a website. To use it, open the app you want to analyze, share the InAppBrowser.com address somewhere inside the app (for example in a direct message to another person), tap the link so that it opens in the in-app browser, and read the report the page displays.
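The two mechanisms the article describes, injected JavaScript that “subscribes” to keyboard and tap events and a page that detects such injection, can both be illustrated with a small detection script. The code below is an added example written for this page; it is not the code of InAppBrowser.com or of any app named in the article, and the injected script it checks against is constructed here solely to exercise the detector. It works from two signals: global names that appear after the page’s own baseline snapshot (helpers that injected scripts tend to leave behind), and subscriptions to keyboard or tap events made after the page wraps addEventListener.

```javascript
// Added example (not from the article or InAppBrowser.com): detect JavaScript
// that a host app may have injected into a page, using two signals.
//   1. Global names that were not present when the page's own code started.
//   2. Listeners registered on keyboard/tap events after instrumentation.
// Runs under Node (EventTarget is a global there) and in a browser.

// Event types whose listeners see passwords, card numbers and taps.
const SENSITIVE_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'touchstart', 'touchend', 'click',
]);

// Record every own property name of the global object. In a real page this
// must run in the first inline <script> in <head>, before any other code.
function snapshotGlobals(win) {
  return new Set(Object.getOwnPropertyNames(win));
}

// Names present now that were absent from the baseline snapshot.
function unexpectedGlobals(win, baseline) {
  return Object.getOwnPropertyNames(win).filter((name) => !baseline.has(name));
}

// Wrap addEventListener so later subscriptions to sensitive events are logged
// together with the stack of the caller. Returns a function that undoes it.
function instrumentAddEventListener(targetProto, log) {
  const original = targetProto.addEventListener;
  targetProto.addEventListener = function patched(type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      log.push({ type, stack: new Error().stack });
    }
    return original.call(this, type, listener, options);
  };
  return () => { targetProto.addEventListener = original; };
}

// Combine both signals into the kind of report a detection page would show.
function buildReport(win, baseline, subscriptionLog) {
  const injectedGlobals = unexpectedGlobals(win, baseline);
  const sensitiveSubscriptions = subscriptionLog.map((entry) => entry.type);
  return {
    injectedGlobals,
    sensitiveSubscriptions,
    suspicious: injectedGlobals.length > 0 || sensitiveSubscriptions.length > 0,
  };
}

// Self-contained demonstration: take a baseline, instrument, then run a
// constructed stand-in for an injected script and report what it did.
function runDemo() {
  const log = [];
  const baseline = snapshotGlobals(globalThis);
  const restore = instrumentAddEventListener(EventTarget.prototype, log);

  // Constructed "injected script" for this example only: it leaves a global
  // helper behind and subscribes to every keydown, the pattern the article
  // calls subscribing to all keyboard input. It also registers a harmless
  // 'load' listener to show that non-sensitive events are not reported.
  globalThis.__exampleInjectedHook = function () {};
  const target = new EventTarget();
  target.addEventListener('keydown', () => {});
  target.addEventListener('load', () => {});

  const report = buildReport(globalThis, baseline, log);

  // Undo the demo's changes so the environment is left as it was found.
  restore();
  delete globalThis.__exampleInjectedHook;
  return report;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Two caveats apply when this runs inside a real in-app browser. Host apps can inject scripts that execute before any page code (on iOS, a WKUserScript with document-start injection time), so listeners such a script registers before the page wraps addEventListener are invisible to the second signal; the global-name diff still catches whatever helper objects the script defines. Conversely, extra globals are not proof of malice: the article itself notes that injection alone does not show an app is doing anything harmful, so a report like this is evidence to be read, not a verdict.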

Apple did not immediately respond to a request for comment.
