Saudi Alyoom

TikTok browser can track users’ keystrokes, according to new research

The web browser used within the TikTok app can track every keystroke made by its users, according to new research that is surfacing as the Chinese-owned video app grapples with US lawmakers’ concerns over its data practices.

The research from Felix Krause, a privacy researcher and former Google engineer, did not show how TikTok used the capability, which is embedded within the in-app browser that pops up when someone clicks an outside link.

But Krause said the development was concerning because it showed TikTok had built in functionality to track users’ online habits if it chose to do so.

“Based on Krause’s findings, the way TikTok’s custom in-app browser monitors keystrokes is problematic, as the user might enter their sensitive data such as login credentials on external websites,” said Jane Manchun Wong, an independent software engineer and security researcher who studies apps for new features.

She said TikTok’s in-app browser could “extract information from the user’s external browsing sessions, which some users find overreaching”.

In a statement, TikTok, which is owned by Chinese internet firm ByteDance, said that Krause’s report was “incorrect and misleading” and that the feature was used for “debugging, troubleshooting and performance monitoring”.

“Contrary to the report’s claims, we do not collect keystroke or text inputs through this code,” TikTok said.

Krause, 28, said he was unable to ascertain whether keystrokes were actively being tracked and whether that data was being sent to TikTok.

The research could raise questions for TikTok in the United States, where government officials have scrutinised whether the popular app could endanger US national security by sharing information about Americans with China.

While Facebook and Instagram can use in-app browsers to track data like what sites a person visited, what they highlighted and which buttons they pressed on a website, TikTok goes further by using code that can track each character entered by users, Krause said.

Krause said that he carried out the research on TikTok only on Apple’s iOS operating system and noted that the keystroke tracking would only occur within the in-app browser.

As with many apps, TikTok offers few chances for people to click away from its service. Instead of redirecting to mobile web browsers like Safari or Chrome, an in-app browser appears when users click on ads or links embedded within the profiles of other users. These are often the moments people enter key information like credit card details or passwords.

Michael Beckerman, a TikTok policy executive, denied that the company logs users’ keystrokes but acknowledged monitoring their patterns, such as typing frequency, to safeguard against fraud.

Krause said he feared those tools had “very similar architectures” and could be repurposed to track keystroke content. “The problem is they have infrastructure set up to do this stuff,” he said.

SOURCE: NEWS AGENCIES
