TikTok on iPhone Reportedly Monitors Everything You Type When Using In-App Browser

By Sriansh

Published 19 Aug 2022


A new report claims that the in-app browser used by TikTok injects JavaScript code into external websites, allowing it to track “all keyboard inputs” during a user’s interaction with a website.

TikTok is one of the most popular social media platforms nowadays. While iOS limits such apps from tracking users, with features such as App Tracking Transparency, security researcher Felix Krause claims that TikTok uses unconventional methods to monitor its users. The researcher claims that the JavaScript code injection allows the app to record all the keyboard inputs while a user interacts with an external website. 

In simple terms, it means that the TikTok app can record any sensitive details like passwords and credit card information that you enter when using the app’s in-app browser. The researcher, on the other hand, believes that injecting JavaScript into a website does not constitute malicious activity.

In a statement to Forbes, a TikTok spokesperson confirmed the app’s unusual behavior but added that the company uses the data provided by the script to debug, troubleshoot, and monitor performance to ensure an “optimal user experience.” 

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.”

And it’s not only TikTok. Krause found that other social media apps such as Facebook and Instagram also follow a similar practice on their in-app browsers. A Meta spokesperson said that the company “intentionally developed this code to honor people’s App Tracking Transparency (ATT) choices on our platforms.” 

Krause advises users to switch to Safari whenever they open a link on their social media apps to protect themselves from potential malicious JavaScript code. He also shared a tool called InAppBrowser.com that checks whether an app injects JavaScript code into third-party websites.
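From the website's side, one signal of the behavior described above is a keyboard or input listener that the site itself never registered. The following is an added example, not code from this article, from Krause, or from InAppBrowser.com; `installListenerAudit`, `trust` and the event list are hypothetical names, and the sample run uses a constructed `EventTarget` in place of a real form field.

```javascript
// Added example (hypothetical names throughout): audit which keyboard/input
// listeners get registered that the site itself did not register.
const INPUT_EVENTS = new Set([
  'keydown', 'keyup', 'keypress', 'input', 'beforeinput', 'change', 'paste',
]);

function installListenerAudit(proto) {
  const original = proto.addEventListener;
  const trusted = new WeakSet(); // handlers the site registered on purpose
  const findings = [];

  proto.addEventListener = function (type, listener, options) {
    const isHandler = typeof listener === 'function' ||
      (listener !== null && typeof listener === 'object');
    if (INPUT_EVENTS.has(String(type)) && isHandler && !trusted.has(listener)) {
      findings.push({
        type: String(type),
        target: this && this.constructor ? this.constructor.name : 'unknown',
        capture: options === true || Boolean(options && options.capture),
        stack: new Error().stack, // where the registration came from
      });
    }
    return original.call(this, type, listener, options);
  };

  return {
    findings,
    trust(handler) { trusted.add(handler); return handler; },
    restore() { proto.addEventListener = original; },
  };
}

// Constructed sample run: a bare EventTarget stands in for a password field.
function demo() {
  const audit = installListenerAudit(EventTarget.prototype);
  try {
    const field = new EventTarget();
    field.addEventListener('keydown', audit.trust(() => {})); // site's own handler
    field.addEventListener('keydown', () => {}, true);        // not registered by the site
    field.addEventListener('input', () => {});                // not registered by the site
    field.addEventListener('click', () => {});                // not an input event
    return audit.findings.map(({ type, capture }) => ({ type, capture }));
  } finally {
    audit.restore();
  }
}

console.log(demo());
```

The audit only sees listeners registered after it is installed and in the page's own script context, so it should load before any other script, and an empty result does not prove that no monitoring is taking place.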


Source: krausefx | Via: MacRumors, Forbes