Request Media Kit

TikTok Under Fire for Potential Keylogging, Some Say Concern Is Overblown

A security researcher has called out TikTok for inserting code in its in-app browser that could be used to log keystrokes, but not everyone is convinced....
TikTok Under Fire for Potential Keylogging, Some Say Concern Is Overblown
Written by Matt Milano
  • A security researcher has called out TikTok for inserting code in its in-app browser that could be used to log keystrokes, but not everyone is convinced.

    TikTok is frequently in the news over concerns with its handling of user data and how much influence — and access to that data — Beijing has. In the latest round of concerns, security researcher Felix Krause has highlighted the dangers of apps that have their own in-app web browsers, including TikTok.

    According to Krause, TikTok’s in-app browser injects JavaScript into third-party websites when a user visits them from within the app. The code can be used for a variety of purposes, including logging keystrokes and collecting sensitive information.

    Krause admits that he can’t say for sure how TikTok is using the JavaScript code it’s inserting:

    We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.

    Read more: Oracle Begins Audit of TikTok’s Algorithms for Beijing’s Influence

    Zach Edwards ― the security researcher that discovered some Microsoft trackers were not blocked by DuckDuckGo before the latter fixed the issue — pointed out the dangers of conflating what could happen with what is happening.

    https://twitter.com/thezedwards/status/1560654278900928512?s=20&t=oiC5Zff5CS5sh8f-oEie0A

    TikTok sent the following statement to Motherboard, strongly denying Krause’s implication:

    The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report’s claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.

    Only time will tell if TikTok is collecting the data people type in the in-app browser, although doing so would likely be the smoking gun regulators would need to crack down on the service. Given how high the stakes are and the lack of any evidence, it seems unlikely that TikTok is guilty of this particular offense.

    At the same time, TikTok remains one of the most controversial apps or services available, with more than its fair share of privacy issues. That alone will make it hard for some people to believe the company isn’t guilty.

    Get the WebProNews newsletter
    delivered to your inbox

    Get the free daily newsletter read by decision makers

    Subscribe
    Advertise with Us

    Ready to get started?

    Get our media kit