TikTok may be aware of every screen tap you make and every link you click, a security and privacy researcher warns.
Using software he developed, Felix Krause, who previously worked at Google and Twitter, discovered that TikTok uses code that monitors all keyboard input and touches, which he says is a potential risk to users’ privacy.
“When you open any link in the TikTok iOS app, it opens within your browser in the app,” Krause wrote in a blog post on his website.
A user may be prompted to click a link multiple times while using TikTok, such as when clicking an ad or opening a link in someone’s timeline.
While a user is in the browser within the app, TikTok “subscribes to all keyboard input,” which includes passwords and credit card information.
Krause says that while we can’t know what TikTok uses the subscription for, “from a technical perspective, this is the equivalent of installing a keylogger on third-party websites.”
TikTok may also record every tap on the screen, which includes any tap on a button, link, image, or “other component on websites rendered within the TikTok app.”
In a statement provided to Forbes.com, TikTok said it uses the code Krause found, but only for “debugging, troubleshooting, and performance monitoring of that experience.”
Krause offers a workaround for avoiding an in-app browser; however, it does not apply to TikTok.
“Most browsers in the app have a way to open the website that is currently displayed in Safari. As soon as you enter a browser in the app, use the Open in Browser feature to switch to a more secure browser,” he said.
“If that button is not available, you will need to copy and paste the URL to open the link in the browser of your choice. If the app makes it difficult to even do that, you can tap and hold a link on the website and then use the Copy function, which can be a bit tricky to get right.
“TikTok does not have a button to open websites in the default browser.”
The privacy researcher said there is “most likely” some motivation behind companies like TikTok tracking users’ activities through an in-app browser, but assured users that the app doesn’t actually steal their passwords or personal addresses.
“I wanted to show that bad actors could have access to this data with this approach,” he said.
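A website owner can check from inside the page for the kind of keyboard and tap subscription described above. The following is an added example, not code from Krause's software or from TikTok; the names `INPUT_EVENTS`, `installListenerAudit` and `demo` are hypothetical and the demo input is constructed.

```javascript
// Added example: audit which input events scripts subscribe to on a page.
// All names here (INPUT_EVENTS, installListenerAudit, demo) are hypothetical.
const INPUT_EVENTS = new Set([
  'keydown', 'keypress', 'keyup', 'input', 'click', 'touchstart', 'touchend',
]);

// Wrap addEventListener on `target`. In a browser, pass EventTarget.prototype
// from the first script on the page so document, window and elements are covered.
function installListenerAudit(target) {
  const original = target.addEventListener;
  const seen = [];      // every input-event subscription observed
  let trusted = false;  // true only while the page's own setup code runs

  target.addEventListener = function (type, listener, options) {
    if (INPUT_EVENTS.has(type)) seen.push({ type, trusted });
    return original.call(this, type, listener, options);
  };

  return {
    // Run the site's own registrations so they are not reported as foreign.
    asPage(fn) {
      trusted = true;
      try { return fn(); } finally { trusted = false; }
    },
    // Event types subscribed to by code the page did not register itself.
    foreignTypes() {
      const types = seen.filter((s) => !s.trusted).map((s) => s.type);
      return [...new Set(types)].sort();
    },
    restore() { target.addEventListener = original; },
  };
}

// Constructed demo: a stand-in document, the site's own handler, then a
// stand-in for a script added by the hosting app after the page loads.
function demo() {
  const doc = new EventTarget();
  const audit = installListenerAudit(doc);
  audit.asPage(() => doc.addEventListener('click', () => {}));
  doc.addEventListener('keypress', () => {});  // constructed "injected" listener
  doc.addEventListener('click', () => {});     // constructed "injected" listener
  const found = audit.foreignTypes();
  audit.restore();
  return found;
}

console.log(demo());
```

This only sees listeners registered through JavaScript after the audit is installed; a hosting app can also observe input natively, outside the page.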