TikTok injects code into third-party web pages when a user opens a page in the TikTok app's built-in browser. This code can act as a keylogger, among other things. According to the social media company, the code in question is used only for development purposes.
Developer and security researcher Felix Krause discovered that when a user opens a link in the iOS version of TikTok, it opens in an in-app browser into which the social media company can inject JavaScript code. This allows data entered using the keyboard to be logged, including passwords, payment information and other data. He did not investigate whether this was also the case for the Android version of the app.
TikTok confirmed to Forbes that the JavaScript code does exist, but says the reports about an alleged keylogger are misleading. The controversial part of the code is said to be an unused part of a third-party SDK. “Like other platforms, we also use an in-app browser to provide an optimal user experience. The related JavaScript code is used for correction, for finding and resolving mistakes, and for monitoring application performance, such as checking page load speed and whether the page is crashing.”
According to TikTok, then, the keylogging code from the third-party SDK is not used. It is not clear who this third party is or whether it actually needs keyboard recording software for development purposes. TikTok further suggests that some of the recorded data is only processed locally on the device and is not forwarded to the company's servers.
The researcher says in his findings, which follow his earlier detection of tracking by Instagram and Facebook in their in-app browsers, that the TikTok statement may be true. “Just because an app injects JavaScript into external websites doesn’t necessarily mean that the app is doing something malicious. There is no way to know exactly what data an in-app browser is collecting and whether that data is being forwarded or used.”
So it is not a given that TikTok actually records users’ keyboard input, let alone sends it to its own servers or otherwise stores it. However, it is almost certain that this is possible. That is why, according to Krause, it is wise to copy links opened in TikTok, and also in Facebook and Instagram, and paste them directly into a trusted browser. That way, these apps cannot inject code to record sensitive data.
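For site owners, the following added example (not code from Krause, TikTok or the original article) sketches one way a page can notice keyboard-related event listeners it did not register itself, which is the kind of injected code described above. The names `watchInputListeners`, `own` and `demo` are hypothetical, and the hook only sees registrations made after it is installed and in the same JavaScript context, so a host app that injects earlier or into an isolated context goes unseen.

```javascript
// Event types whose listeners can observe what a user types.
const INPUT_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "beforeinput"]);

// Wrap addEventListener on a prototype and record every input-related
// registration whose listener the site has not marked as its own.
function watchInputListeners(proto) {
  const known = new WeakSet();          // listeners the site registered itself
  const findings = [];
  const original = proto.addEventListener;

  proto.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type) && listener && !known.has(listener)) {
      findings.push({ type, target: this.constructor.name });
    }
    // Always forward to the real implementation so page behaviour is unchanged.
    return original.call(this, type, listener, options);
  };

  return {
    findings,
    own(listener) { known.add(listener); return listener; },
    restore() { proto.addEventListener = original; },
  };
}

// Constructed scenario: a plain EventTarget stands in for `document`.
function demo() {
  const watch = watchInputListeners(EventTarget.prototype);
  const page = new EventTarget();

  // The site's own handler, marked as known before registration.
  page.addEventListener("keydown", watch.own(() => {}));
  // Not an input event, so it is ignored.
  page.addEventListener("click", () => {});
  // Constructed stand-in for a listener added by code the site did not ship.
  page.addEventListener("keypress", function unknownListener() {});

  watch.restore();
  return watch.findings;
}

console.log(demo());
```

A finding only shows that some unrecognised code subscribed to keyboard events; as Krause notes, it does not show what that code collects or sends.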