Chinese short-form video app TikTok may be monitoring all keyboard inputs and taps via its in-app browser on iOS, said independent cyber-security researcher Felix Krause.
Krause, founder of Fastlane, which was later acquired by Google, said that when a user opens any link in the TikTok iOS app, it is loaded inside the app's own in-app browser rather than the system browser, which gives the app access to what happens on that page.
“While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card info) and every tap on the screen, like which buttons and links you click,” Krause claimed in a blog post on Thursday.
From a technical perspective, this amounts to installing a keylogger on third-party websites. The company confirmed that those features exist in the code but denied that it is using them.
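The mechanism described above is a script, injected by the host app into every page its in-app browser loads, that registers listeners for keystroke and tap events. As an added example (not code from Krause's post, nor TikTok's injected script), the following page-side audit hook shows how a website can at least detect such subscriptions: it wraps `EventTarget.prototype.addEventListener` so that any listener registered for an input-capturing event after the page's own script runs is logged. The `INPUT_CAPTURE_EVENTS` list, the `installListenerAudit`/`summarizeAudit`/`runScenario` names and the "foreign" listeners in the scenario are all constructed for illustration; the scenario uses a bare `EventTarget` as a stand-in for `document` so it runs in Node (16 or later) as well as in a browser.

```javascript
// Added example, not from Krause's post or TikTok's code: a page-side audit hook
// that records which scripts subscribe to keystroke and tap events.
// Relies only on the standard EventTarget/Event globals (browsers, Node >= 16).

// Event types whose listeners can capture typed input or taps (constructed list).
const INPUT_CAPTURE_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input',
  'click', 'touchstart', 'touchend', 'pointerdown',
]);

// Wrap addEventListener on the given prototype. Returns the registration log
// and an uninstall function that restores the original method.
function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const registrations = [];
  proto.addEventListener = function (type, listener, options) {
    if (INPUT_CAPTURE_EVENTS.has(type)) {
      registrations.push({
        type,
        // First line of the listener's source: enough to recognise foreign code.
        source: String(listener).split('\n')[0].slice(0, 80),
      });
    }
    // Always forward, so the hook stays transparent to the page.
    return original.call(this, type, listener, options);
  };
  return { registrations, uninstall: () => { proto.addEventListener = original; } };
}

// Count registrations per event type, the figure a site would report or alert on.
function summarizeAudit(registrations) {
  const counts = {};
  for (const { type } of registrations) counts[type] = (counts[type] || 0) + 1;
  return counts;
}

// Constructed scenario: the page installs the audit first, then a foreign script
// (standing in for JavaScript injected by a host app's in-app browser) subscribes
// to keyboard and tap events on a stand-in document object.
function runScenario() {
  const audit = installListenerAudit();
  const doc = new EventTarget(); // stand-in for `document` outside a browser

  // A listener the page itself registers: benign, but logged like any other.
  doc.addEventListener('click', function pageHandler() {});

  // Listeners a foreign script might add after page load (constructed stand-ins).
  const captured = [];
  doc.addEventListener('keydown', function foreignKeyHook(e) { captured.push(e.type); });
  doc.addEventListener('touchstart', function foreignTapHook(e) { captured.push(e.type); });

  // Delivery is unaffected by the hook: the foreign keydown listener still fires.
  doc.dispatchEvent(new Event('keydown'));
  audit.uninstall();
  return {
    counts: summarizeAudit(audit.registrations),
    delivered: captured,
    log: audit.registrations,
  };
}
```

The hook only sees listeners registered after the page's own script has run; a script injected at document start registers its listeners earlier and escapes it, and a host app can also observe input below the web layer, where no page-side code has any visibility. Treat a hit as a signal worth reporting, not as a complete defence.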
His findings show that “TikTok injects code into third party websites through their in-app browsers that behaves like a keylogger. However, claims it’s not being used,” said the researcher. “This was an active choice the company made. This is a non-trivial engineering task. This does not happen by mistake or randomly.”
“Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience – like checking how quickly a page loads or whether it crashes,” a company spokesperson was quoted as saying in a Forbes report.