TikTok’s in-app browser contains code that could be used to track data such as passwords and credit card numbers – and Apple should beef up security to prevent it, researcher says

Rafael Henrique/SOPA Images/LightRocket via Getty Images

  • A researcher claims that TikTok can monitor user keystrokes on third-party websites, including passwords and credit card numbers.

  • He partly blames Apple, calling on the tech giant to strengthen its App Store review process.

  • TikTok denies collecting this data but appears to confirm it has the ability to track keystrokes.

TikTok’s app includes code that could allow the company to monitor everything users type while using the app, even when they’re redirected to third-party websites, which would let the social media app see sensitive data such as passwords and credit card numbers, according to a security researcher who says Apple should take steps to address the potential issue.

Felix Krause says he discovered TikTok’s ability to monitor user data through its in-app browsing feature and published his findings in a blog post on Thursday. Krause found code that showed TikTok has the ability to monitor any keystroke a user makes — even when that user clicks on a link that redirects them to another website.

“It’s the equivalent of a keylogger, which is software that monitors your keystrokes. This includes passwords, credit cards, any sensitive information could be extracted from it,” Krause told Insider.

Although TikTok has this system in place, Krause cautions that it does not necessarily prove that they are using or even collecting this data.

TikTok denies collecting sensitive user data

TikTok vehemently denies collecting the data. During an appearance on CNN in July, TikTok Americas Policy Officer Michael Beckerman said TikTok “doesn’t log what you type. It’s an anti-spam and anti-fraud measure that checks the pace at which people type to make sure it’s not a bot or other malicious activity.”

Krause counters that the power to collect the data is still a danger. “Let’s assume TikTok’s claims are correct and they don’t collect the data,” he said. “They claim they don’t now, but that could potentially change in the future. I’m not saying it’s going to happen, but it’s an option, and that’s a problem in itself.”

In a statement to Insider, a TikTok spokesperson appeared to confirm the existence of the code but pushed back on Krause’s report. “The report’s findings on TikTok are incorrect and misleading. The researcher specifically says that the JavaScript code does not mean our app is doing anything malicious, and admits that they have no way of knowing what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect typing or text input through this code, which is only used for debugging, troubleshooting, and performance monitoring,” the spokesperson said.

TikTok, which is owned by Chinese company ByteDance, has previously come under fire for privacy concerns. Last month, TikTok confirmed that China-based employees can access US user data through an approval process.

Krause says he thinks part of that problem lies with Apple, which doesn’t require apps to use its Safari browser to view external websites, although he recommends it. Krause said security issues would be mitigated if TikTok used Safari instead of its own in-app browser.

“There are solutions that will allow TikTok to display websites in their app while keeping users safe and maintaining their privacy,” he said.

TikTok isn’t the only app to use an in-app browser, and last week Krause discovered code showing that Meta’s Facebook and Instagram apps can monitor users’ activity through their in-app browsers. However, Krause said Meta doesn’t go so far as to monitor user keystrokes.

“The main message here should be that these in-app browser practices shouldn’t even be allowed… Apple should be much stricter in their app review process, they should set new rules about this, and they should prohibit any use of in-app browsers for third-party web content,” Krause said.

Apple could not immediately be reached for comment.

Read the original article on Business Insider
