TikTok denies claims of keystroke monitoring with in-app browser

19 Aug 2022


TikTok’s use of code is the ‘equivalent of installing a keylogger on third-party websites’, according to a privacy researcher. But the company says this code is used for debugging and performance monitoring.

TikTok has denied claims by developer and privacy researcher Felix Krause that its in-app browser is keylogging user data.

Krause published a report saying that the video-sharing platform subscribes to every keystroke happening on third-party websites that are rendered inside the iOS TikTok app – which could include passwords, credit card information and other sensitive user data.

“We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites,” he wrote.

Krause said that TikTok uses a JavaScript function to get details on the element of the website a user clicks on. He did add the caveat that an app injecting JavaScript into external websites does not mean the app is doing anything malicious.

“There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”

In a statement issued to SiliconRepublic.com, TikTok called the claims made in Krause’s report “incorrect and misleading”.

“The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects,” a spokesperson said.

“Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring.”

TikTok is not the only platform under scrutiny from Krause. He has also looked at in-app browser data collection by companies such as Meta, the owner of Instagram and Facebook.

He introduced a tool called InAppBrowser.com, a resource that lets you check if an app you are using is injecting JavaScript code that could pose security and privacy risks.
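One way a web page can notice the kind of keystroke and click subscription described above, shown as an added example (it is not code from Krause's report, InAppBrowser.com or TikTok). The names `auditListeners`, `isOwnCode` and `injectedKeyHook`, and the list of event types, are assumptions made for illustration.

```javascript
// Added example. Event types that reveal typing or clicking (an assumed list).
const SENSITIVE = new Set(["keydown", "keyup", "keypress", "input", "click"]);

// Wrap addEventListener on `proto` and record every sensitive subscription
// whose listener the page did not register itself. `isOwnCode` is a
// hypothetical callback supplied by the site to recognise its own handlers.
function auditListeners(proto, isOwnCode) {
  const findings = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE.has(type) && !isOwnCode(listener)) {
      findings.push({
        type,
        target: this.constructor.name,
        listener: (listener && listener.name) || "(anonymous)",
      });
    }
    // Always forward the call so page behaviour is unchanged.
    return original.call(this, type, listener, options);
  };
  return { findings, restore: () => { proto.addEventListener = original; } };
}

// Constructed demonstration: a plain EventTarget stands in for `document`.
function demo() {
  const own = new WeakSet(); // handlers the site registered on purpose
  const { findings, restore } = auditListeners(
    EventTarget.prototype,
    (fn) => own.has(fn)
  );
  const doc = new EventTarget();
  const siteHandler = () => {};
  own.add(siteHandler);
  doc.addEventListener("keydown", siteHandler);                    // allow-listed
  doc.addEventListener("keypress", function injectedKeyHook() {}); // recorded
  doc.addEventListener("scroll", () => {});                        // not sensitive
  restore();
  return findings;
}

console.log(demo());
```

A script that the host app runs before the page's own code can keep a reference to the unwrapped function, so an empty findings list is not proof that nothing is listening.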


Blathnaid O’Dea was a Careers reporter at Silicon Republic until 2024.
