Report: TikTok tracks your keystrokes across external websites, could scrape sensitive data from users


The social media platform TikTok has code inside its app that allows the Chinese Communist Party-backed company to track users’ activity on external websites, according to a report in Forbes magazine.

The author of the original report on the embedded code is a software engineer who found that TikTok can capture credit card details, passwords, and other personal information, and that the choice to include those lines of code was deliberate.

“This was an active choice the company made,” said Felix Krause, who had also analyzed other popular iPhone applications that use in-app browsers, including Facebook, Facebook Messenger, Instagram, Snapchat, Amazon, and Robinhood. None of the other apps had the code that allowed companies to monitor a phone owner’s activities outside of the app itself.

Tracking keystrokes allows the app to gather all manner of sensitive information, including log-ins, passwords, and more.

“When TikTok users enter a website through a link on the app, TikTok inserts code that can monitor much of their activity on those outside websites, including their keystrokes and whatever they tap on the page, according to new research shared with Forbes. The tracking would make it possible for TikTok to capture a user’s credit card information or password,” according to Forbes. The way to avoid this is to not open any websites, such as advertisements, from within the TikTok app.

“This is a non-trivial engineering task. This does not happen by mistake or randomly,” Krause told writer Richard Nieva.

“TikTok strongly pushed back at the idea that it’s tracking users in its in-app browser. The company confirmed those features exist in the code, but said TikTok is not using them,” Nieva wrote.

TikTok issued a statement, explaining that it does not use the code in the way Krause described: “Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes,” spokesperson Maureen Shanahan said.

Krause is founder of Fastlane, a service that tests and deploys apps. The company was acquired by Google several years ago.

The Forbes report is at this link.


  1. I am shocked, shocked I tell ya, to find that there is gambling in this establishment.

    I mean who would have thought that a company 51% owned by the Chinese government was actually being used for purposes other than entertainment of the masses?

    Moreover, I am shocked, shocked I tell ya, to learn that Google, owner of YouTube, has found code in its competitor’s software that could be used to track you.

    Pot, meet kettle.

    If ANY part of this article surprises you, you are a complete fool.
