TikTok monitors everything users type when using in-app browser
TikTok's in-app browser injects JavaScript into external websites, allowing the app to monitor all input, including passwords and credit card numbers.

In 2020, it was discovered that TikTok had been accessing users' clipboards. Now, TikTok has been found snooping on its users once again.
According to security researcher Felix Krause, whenever users open a link in TikTok, the app is then allowed to monitor everything a user does on that external website. This includes anything typed, as well as taps on buttons and links.
"This was an active choice the company made," Krause told Forbes. "This is a non-trivial engineering task. This does not happen by mistake or randomly."
A TikTok spokesperson told Forbes that the code isn't malicious but instead is used for "debugging, troubleshooting, and performance monitoring."
Additionally, TikTok claimed that the JavaScript is part of a third-party software development kit but did not disclose who made it.
Krause could not say whether or not TikTok has been collecting data from users, merely that it can.
To avoid being monitored, Krause suggests opening links shared in TikTok -- and nearly every other service with an in-app browser -- with Safari.

Update
TikTok reached out to AppleInsider to provide the following statement. "The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."
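A site owner can check what an embedding in-app browser registers on their pages by wrapping `addEventListener` before other scripts run and recording input-related registrations the site did not make itself. The sketch below is an added example, not code from Krause's report or from TikTok; the function names, the event list and the stub target are assumptions made for illustration.

```javascript
// Added example: record input-related listeners that code other than the
// site's own registers on a page. Event list and names are assumptions.
const INPUT_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'click']);

// targets: { label: EventTarget-like }, e.g. { document, window } in a browser.
// knownListeners: the handler functions the site itself registers.
function auditInputListeners(targets, knownListeners = new Set()) {
  const findings = [];
  const undo = [];
  for (const [label, target] of Object.entries(targets)) {
    const original = target.addEventListener;
    target.addEventListener = function (type, listener, options) {
      if (INPUT_EVENTS.has(type) && !knownListeners.has(listener)) {
        // Capture-phase listeners run before handlers on the element itself.
        const capture = options === true || Boolean(options && options.capture);
        findings.push({ target: label, type, capture });
      }
      return original.call(this, type, listener, options);
    };
    undo.push(() => { target.addEventListener = original; });
  }
  return { findings, stop: () => undo.forEach((restore) => restore()) };
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeStubTarget() {
  const registered = [];
  return { registered, addEventListener(type) { registered.push(type); } };
}

function demo() {
  const doc = makeStubTarget();
  const siteHandler = () => {};
  const audit = auditInputListeners({ document: doc }, new Set([siteHandler]));
  doc.addEventListener('keydown', siteHandler);      // site's own: ignored
  doc.addEventListener('keypress', () => {}, true);  // unknown, capture phase
  doc.addEventListener('scroll', () => {});          // not input-related
  audit.stop();
  doc.addEventListener('keydown', () => {});         // after stop(): not recorded
  return { findings: audit.findings, registered: doc.registered };
}

console.log(demo().findings);
```

Script injected before the page's own code runs, or in a separate JavaScript context, registers its listeners out of this wrapper's sight, so an empty result does not prove that nothing was injected.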
Comments
And IMO, TikTok is an absolute scourge on humanity. I refuse to use it. There are so many negatives with that app. People are addicted, it creates an echo chamber, wastes time, shortens attention spans shorter than they already are, instant satisfaction machine, and propagates DANGEROUS fads. I know I sound like a boomer, but I'm a millennial and I see nothing but severe badness and societal detriment in TikTok. Not even to mention the absurd amount of data harvesting it is obviously doing, as demonstrated here.
I would think the point made by the OP is that if a developer (like TikTok) can get such an app into the Apple App Store, imagine how much easier it would be for developers to get such an app into a third party app store. Things will get worse ...... you can't really argue that point. Unless you go off using some form of logical fallacy.
https://247wallst.com/technology-3/2021/08/06/whats-up-with-apple-pushback-on-apple-privacy-security-claims/
https://en.wikipedia.org/wiki/List_of_Unreal_Engine_games <--
How good they are or aren't isn't relevant. It's about competition and choice.
It would not surprise me if they're monitoring keystrokes. They certainly monitor every single keypress within their apps otherwise.
https://www.theguardian.com/technology/2022/aug/11/meta-injecting-code-into-websites-visited-by-its-users-to-track-them-research-says
TikTok argues that the “keypress” and “keydown” inputs identified by Krause are common inputs — claiming it is incorrect to make the assumptions about their use based only on the code being highlighted by the research.
To back this up the spokesperson pointed to some non-TikTok same code from GitHub which they suggested would trigger exactly the same response being cited by the research as evidence of improper data collection but is rather being used to trigger a command known as ‘StopListening’ that they said would specifically prevent an application capturing what is typed.
While I agree with you, couldn't the same argument be made that this "vulnerability" exists even with the App Store protections in place? With this news, will Apple remove TikTok from the store until it's resolved?
As for the spokesperson's response... "debugging, troubleshooting, and performance monitoring", the first two don't belong in the public release of an app, so they are lying. This is spying, plain and simple.
What are you talking about? Neither the Messages app nor the Phone app are at fault for spammy incoming messages or phone calls. You're not getting called "from Apple's own Phone app". It's receiving the call.
It's up to you to verify, delete and block such requests that make it through the filtering.