According to a security researcher, TikTok injects JavaScript code into external websites that allows it to monitor all keyboard inputs and taps while a user is interacting with a given website.
TikTok's in-app browser subscribes to all keyboard inputs while a user interacts with an external website, including any sensitive details like passwords and credit card information.
"From a technical perspective, this is akin to installing a keylogger on third party websites," wrote Krause regarding the JavaScript code that TikTok injects. The researcher said that an app injecting JavaScript into external websites does not by itself mean the app is doing anything malicious.
In a statement shared with Forbes, a TikTok spokesman acknowledged the JavaScript code in question, but said it was only used to ensure an "optimal user experience."
"Like other platforms, we use an in-app browser to provide an optimal user experience, but the JavaScript code in question is only used to check how quickly a page loads or whether it crashes," the statement said.
If possible, users who wish to protect themselves from malicious usage of JavaScript code in in-app browsers should switch to viewing a given link in the platform's default browser.
If you open a link from an app, you should be able to open the website in your browser. Every app offered a way to do this.
Inserting JavaScript code into external websites is what gives the apps the ability to track user activity. The company intentionally developed this code to honor people's App Tracking Transparency choices on its platforms.
There is a tool that anyone can use to check if an in-app browser is injecting JavaScript code.
Apple did not reply immediately.
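One way a website could check for the input-listener subscription described above, as an added example that is not the researcher's tool or any code from the article: it hooks `addEventListener` and reports input-related listeners the page did not register itself. The names `installListenerAudit`, `SENSITIVE_EVENTS` and the `page`/`unknown` labels are assumptions of this sketch, and the demo uses a constructed stand-in for `document`.

```javascript
// Added example: audit which input-related listeners get registered on a page.
const SENSITIVE_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "click", "touchstart"]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const findings = [];
  let pageDepth = 0; // > 0 while the page's own code is registering listeners

  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      findings.push({
        type,
        origin: pageDepth > 0 ? "page" : "unknown",
        // Stack frames show where the registration call came from.
        stack: (new Error().stack || "").split("\n").slice(2, 4).join(" | "),
      });
    }
    return original.call(this, type, listener, options);
  };

  return {
    // Wrap the page's own setup so its listeners are not reported.
    asPage(fn) { pageDepth++; try { return fn(); } finally { pageDepth--; } },
    unexpected() { return findings.filter((f) => f.origin === "unknown"); },
    restore() { proto.addEventListener = original; },
  };
}

// Constructed demo: a stand-in for `document`, one page listener, one simulated injected listener.
function demo() {
  const audit = installListenerAudit();
  const doc = new EventTarget();
  const captured = [];
  audit.asPage(() => doc.addEventListener("click", () => {}));
  doc.addEventListener("keydown", (e) => captured.push(e.type)); // simulated injected script
  doc.addEventListener("load", () => {}); // not input-related, so not recorded
  doc.dispatchEvent(new Event("keydown"));
  const report = audit.unexpected().map((f) => f.type);
  audit.restore();
  return { report, captured };
}
```

The hook only sees registrations made in the page's own JavaScript context after it is installed. A host app that runs its script before the page's scripts or in an isolated context will not appear in the report.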