Defend free speech and individual liberty online. 

Push back against Big Tech and media gatekeepers.

TikTok’s in-app browser can log all keyboard inputs, including credit cards numbers and passwords

If you’re tired of censorship and surveillance, join Reclaim The Net.

TikTok’s in-app browser on iOS injects Javascript code into external websites, which allows the social media platform to track “all keyboard inputs and taps,” according to security researcher Felix Krause. TikTok said the code is not used for malicious reasons.

Krause added that the keyboard inputs and taps monitored include sensitive data like credit card information and passwords.

“From a technical perspective, this is the equivalent of installing a keylogger on third-party websites,” the security researcher said. However, he acknowledged that “just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious.”

Krause advised those who want to protect themselves from malicious usage of the code to open external websites using iOS’ default browser Safari or whatever default browser they use.

“Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser,” Krause said. “During this analysis, every app besides TikTok offered a way to do this.”

The security expert also created a simple tool to allow people to check if an in-app browser injects Javascript code when opening external websites.

“The researcher said users simply need to open an app they wish to analyze, share the address somewhere inside the app (such as in a direct message to another person), tap on the link inside the app to open it in the in-app browser, and read the details of the report shown,” reported tech news outlet MacRumors.

Speaking to Forbes, a spokesperson for TikTok admitted they use the Javascript code, but claimed it was not used for malicious purposes.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” the spokesperson said.

If you’re tired of censorship and surveillance, join Reclaim The Net.

Read more

Join the pushback against online censorship, cancel culture, and surveillance.

Already a member? Login.