TikTok’s custom in-app browser on iOS injects JavaScript code into external websites, allowing TikTok to monitor “all keyboard inputs and taps” while the user visits a website in the app, says security researcher Felix Krause.
Krause says this is the equivalent of installing a keylogger on third-party websites. However, TikTok has reportedly denied that the code is used for malicious purposes.
Krause says TikTok’s in-app browser “subscribes” to all keyboard input while a user interacts with a website, which can include sensitive personal and financial data such as passwords and credit card details.
While Krause says this is the equivalent of installing a keylogger on third-party websites, he also noted that “just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious.”
In a statement shared with Forbes, a TikTok spokesperson acknowledged the JavaScript code in question, but said it is only used for debugging, troubleshooting, and performance monitoring to ensure an “optimal user experience.”
“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” the statement said, according to Forbes.
Krause advised users, where possible, to open a given link in the platform’s default browser instead, such as Safari on the iPhone and iPad.
“Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser,” wrote Krause. “During this analysis, every app besides TikTok offered a way to do this.”
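A website that collects sensitive input can act on the same advice from its side: recognise that it is being rendered inside an iOS in-app browser and show the user a hint to open the page in the default browser. The snippet below is an added example, not code from the article, from TikTok or from Krause’s tools; the user-agent heuristic it relies on (a bare WKWebView lacking the `Safari/` token that Safari and third-party browsers carry) and the sample user agents are assumptions.

```javascript
// Added example (not from the article, TikTok or Krause's tools): a site-side
// heuristic for "is this page rendered inside an iOS in-app browser?", so a
// page that collects passwords or card numbers can suggest opening it in the
// default browser. Heuristic assumption: Safari, SFSafariViewController and
// third-party iOS browsers all carry a "Safari/" token, while a bare WKWebView
// (the container an app can inject JavaScript into) typically does not.
// Caveat: this only identifies the container; it cannot tell whether any
// script was actually injected, and an app may override its user agent.

function isIOSDevice(ua) {
  return /\b(iPhone|iPad|iPod)\b/.test(ua);
}

function isLikelyIOSInAppBrowser(ua) {
  if (!isIOSDevice(ua)) return false;
  // WKWebView's default UA ends with "Mobile/xxxx" and lacks "Safari/".
  return !/\bSafari\//.test(ua);
}

// Returns a small decision object instead of touching the DOM directly,
// so the logic can be unit-tested outside a browser.
function adviseForUserAgent(ua) {
  if (isLikelyIOSInAppBrowser(ua)) {
    return {
      inAppBrowser: true,
      message: 'This page is open inside another app. For sensitive input, ' +
               'use the app\'s "open in browser" option if it offers one.',
    };
  }
  return { inAppBrowser: false, message: null };
}

// Constructed sample user agents (shape follows real ones, versions made up).
const SAMPLE_UAS = {
  safari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1',
  wkwebview: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148',
  android: 'Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0 Mobile Safari/537.36',
};

// Browser usage: prepend a banner when the heuristic fires. Guarded so the
// module also loads in a non-browser runtime for testing.
if (typeof navigator !== 'undefined' && typeof document !== 'undefined') {
  const advice = adviseForUserAgent(navigator.userAgent);
  if (advice.inAppBrowser && document.body) {
    const banner = document.createElement('div');
    banner.textContent = advice.message;
    document.body.prepend(banner);
  }
}
```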