TikTok injects code into third-party web pages when a user opens a browser page in the TikTok app. This code could serve as a keylogger, among other things. According to the social medium, the code in question is only used for development purposes.
Developer and security researcher Felix Krause found that when a user opens a link in the iOS version of TikTok, an in-app browser opens where the social medium can inject JavaScript code. This would allow data entered with the keyboard, including passwords, payment information and other data, to be recorded. He did not investigate whether this is also the case for the Android version of the application.
TikTok confirms to Forbes that the JavaScript code is indeed present, but that the messages about an alleged keylogger are misleading. The controversial piece of code is said to be an unused part of a third-party SDK. “Like other platforms, we also use an in-app browser to provide an optimal user experience. The relevant JavaScript code is used for debugging, troubleshooting and monitoring the performance of the application, for example to check the loading speed of a page and if the page crashes.”
Thus, the keylogger portion of the code from the third party SDK would not be used. It is not clear who this third party is and whether they would actually need a keylogger for development purposes. TikTok further suggests that certain registered data is only processed locally on the device and is not forwarded to servers of the social medium.
The researcher says in his findings, which are in line with the earlier discovery of tracking by Instagram and Facebook in in-app browsers, that TikTok’s statement could possibly be correct. “Just because an app injects JavaScript into external websites doesn’t necessarily mean the app is doing something malicious. There’s no way of knowing exactly what data an in-app browser collects and whether this data is being forwarded or used.”
It is therefore not a given that TikTok indeed records the keyboard input of users, let alone sends it to its own servers or otherwise stores it. However, it is almost certain that this would be possible. For that reason, according to Krause, it is wise to copy browser links via TikTok, but also via Facebook and Instagram, and paste them directly into a trusted browser. In this way, the relevant applications cannot inject code to register sensitive data in this way.