Researchers: TikTok’s built-in browser has a keylogger

According to a report by security researcher Felix Krause, the iOS version of TikTok’s built-in browser (in-app browser) has JavaScript code embedded in it that lets TikTok monitor every keystroke and tap made by users browsing the web inside the app. TikTok admits that the code exists, but denies that it was used for improper purposes.

Photo credit: Solen Feyissa

“From a technical point of view, it is equivalent to installing a keyboard skimmer on a third-party website,” Felix Krause said. TikTok can use this to monitor every character users type on a website, which may include sensitive information such as passwords and credit card details, and to track tapped images, URL links, or any keystroke on the site.
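A website cannot stop a host app from injecting script into its WebView, but it can notice when keystroke or click listeners are registered by code it did not ship. The following JavaScript is an added educational example written for this article, not code from Krause’s report or from any app; it assumes the audit hook is installed before the page’s own scripts run, and uses Node’s built-in EventTarget in place of the browser DOM so it runs offline.

```javascript
// Added educational example, not code from Krause's report or from any app.
// A site installs this hook before its own scripts run: it wraps
// EventTarget.prototype.addEventListener so every registration of a keystroke
// or click listener is recorded. Registrations that appear after the page has
// finished its own setup point at code the page did not ship, for example
// script injected by a host app's WebView. Node's built-in EventTarget stands
// in for the browser DOM so the file runs offline.

const INPUT_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'click']);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const log = [];   // every input-related registration, in order
  let marker = 0;   // entries accounted for by the page's own scripts

  proto.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type)) {
      // in a browser the stack trace names the script URL doing the registering
      const stack = new Error().stack.split('\n').slice(2, 4).join(' | ');
      log.push({ type, stack, at: Date.now() });
    }
    return original.call(this, type, listener, options); // behaviour unchanged
  };

  return {
    markPageSetupDone() { marker = log.length; },            // call after page init
    unexpectedRegistrations() { return log.slice(marker); }, // report these
    uninstall() { proto.addEventListener = original; },
  };
}

// Simulated run; a plain EventTarget stands in for `document`.
function simulateInjectedMonitoring() {
  const audit = installListenerAudit();
  const doc = new EventTarget();
  let pageClicks = 0;
  doc.addEventListener('click', () => { pageClicks += 1; }); // the page's own handler
  audit.markPageSetupDone();

  // Constructed stand-in for script injected by a host app's WebView (no-op bodies).
  doc.addEventListener('keydown', () => {});
  doc.addEventListener('click', () => {});

  doc.dispatchEvent(new Event('click')); // the page's own handler still fires
  const flagged = audit.unexpectedRegistrations().map(e => e.type);
  audit.uninstall();
  return { flagged, pageClicks };
}
```

In a real deployment the recorded stack traces would be sent to the site’s own telemetry endpoint so the operator can see which script origin registered the listeners.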

Although the report contains no evidence that TikTok collects sensitive user data, TikTok was the only app capable of monitoring keyboard input among the seven iOS built-in browsers tested in the study. The other six apps were Facebook, Messenger, Instagram, Snapchat, Amazon, and Robinhood.

A TikTok spokesperson, speaking to Forbes, admitted the JavaScript code exists, saying it is limited to legitimate uses such as troubleshooting and performance monitoring to ensure the best user experience. “Like other platforms, we use the built-in browser to provide the best user experience, but the associated JavaScript code is only used for experience debugging, troubleshooting, and performance monitoring, such as checking how quickly a page loads or whether it crashes.”

Last week Krause made the same point about Facebook and Instagram for iOS, both of which have built-in browsers that can also track user web activity, including button clicks, links, images, and more. Meta responded that the code was added to respect the user’s ATT choice. ATT refers to App Tracking Transparency, which Apple introduced last year.

Krause suggested that, to avoid being monitored by app developers, users should open pages in an external browser such as Safari on the iPhone and iPad. If an app’s built-in browser does not offer a button to open the page externally, as is the case with TikTok, copy the page’s URL; if no URL is shown, try copying the link’s URL from the page, and then continue browsing in an external browser.