As the Chinese-owned video app TikTok grapples with U.S. lawmakers' concerns over its data practices, new research shows that the web browser it uses can track every single keystroke made by its users.
The research done by Felix Krause did not show how TikTok uses the capability, which is embedded within the in-app browser that pops up when someone clicks an outside link. The development showed that TikTok had built in a way to track users online habits if it chose to do so.
Credit card numbers and passwords can be found on websites that collect information on what people type on their phones. It is not common for major technology companies to release a major commercial app with a feature even if it is enabled.
Jane Manchun Wong is an independent software engineer and security researcher who studies apps.
TikTok has an in-app browser that can extract information from the user's external browsing sessions.
TikTok, which is owned by the Chinese internet firm ByteDance, said that the report was incorrect and that it was used for performance monitoring.
TikTok said that they don't collect text or keystrokes through this code.
Mr. Krause couldn't say if the data was being sent to TikTok or if it was being tracked.
Government officials in the United States are scrutinizing whether the popular app could endanger national security by sharing information about Americans with China. Concerns about the data practices and ties to its Chinese parent have boiled over in recent months, despite the fact that debate about the app had faded under the Biden administration.
In-app browsers can be used to prevent people from visiting malicious sites or to make online browsing easier with the auto- filling of text. While in-app browsers can be used to track data like what sites a person visited, what they highlighted and which buttons they pressed on a website, TikTok uses code that can track each character entered by users.
A spokesman for Meta wouldn't say anything.
The research on TikTok only took place on Apple's operating system, and the in-app browser was where the tracking would take place.
TikTok doesn't offer a lot of chances for people to leave its service. When users click on ads or links in the profiles of other users, an in-app browser appears instead of redirecting to a mobile web browser. These are the moments when people enter important information.
In a CNN interview in July, Michael Beckerman, a TikTok policy executive, denied that the company logs users' keystrokes.
Mr. Krause thought those tools could be used to track keystrokes.
He said that the infrastructure was the problem.