TikTok’s in-app web browser allegedly tracks everything its users type, including login credentials, passwords, even sensitive information like credit card numbers and payment details.
According to the news published by Apple Insider, a security researcher discovered that when TikTok users browse external links using its in-app browser, the social media platform monitors what they type while using it.
The latest discovery by Felix Krause, a cybersecurity researcher, reveals that the in-app browser also tracks links and buttons clicked by its users.
The cybersecurity researcher claims that the in-app web browser on the social media service loads JavaScript on external sites its users visit. It then allows TikTok’s users to track their activity, which alarmingly includes everything they type. This JavaScript code reportedly allows the social media giant’s users to track their passwords elsewhere.
Researcher Krause states in an interview with Forbes that extended tracking in TikTok’s in-app browser was “an active choice the company made.” He also goes on to say that “this is a non-trivial engineering task” and states that this type of JavaScript injection “does not happen accidentally or randomly.”
Description from TikTok
A TikTok spokesperson acknowledged the JavaScript code in question in a statement to Forbes. But the Chinese social network said that the code that monitors the typing activities of its users in its in-app browser is not malicious at all. Instead, TikTok claims that the purpose of the JavaScript code in its browser is limited to performance monitoring, troubleshooting, and debugging.
Essentially, the giant social media platform says it’s just trying to improve the overall experience of its millions of users.
A TikTok spokesperson said what they do is similar to other competing platforms, saying they use “an in-app browser to provide an optimal user experience.”
.