Google Engineer and privacy researcher, Felix Krause (Vienna-based software researcher) published a report on Thursday which revealed that when TikTok users enter a website through a link on the app, TikTok inserts code that allow TikTok to monitor activity like keystrokes and what users are tapping on that site. The tracking would make it possible for TikTok to capture a user’s credit card information or password.

TikTok modify the websites to allow monitoring because the sites are opened in TikTok’s in-app browser

TikTok has the ability to monitor that activity because of modifications it makes to websites using the company’s in-app browser, which is part of the app itself. When people tap on TikTok ads or visit links on a creator’s profile, the app doesn’t open the page with normal browsers like Safari or Chrome. Instead it defaults to a TikTok-made in-app browser that can rewrite parts of web pages.

TikTok can track this activity by injecting lines of the programming language JavaScript into the websites visited within the app, creating new commands that alert TikTok to what people are doing in those websites.

This was an active choice the company made. This is a non-trivial engineering task. This does not happen by mistake or randomly. This includes adding tracking code (like inputs, text selections, taps, etc.), injecting external JavaScript files, as well as creating new HTML elements. They also fetch website metadata, this is harmless.

Felix Krause – Researcher in Vienna

Tiktok strongly pushed back at the idea that it is tracking users in its in-app browser. The company confirmed those features exist in the code, but said TikTok is not using them.

TikTok does it to provide an optimal user experience

These findings are incorrect and misleading. We do not collect keystroke or text inputs through this code, the JavaScript code is used only used for debugging, troubleshooting, and performance monitoring. Like other platforms, we use an in-app browser code to provide an optimal user experience to check how quickly a page loads or whether it crashes. The report doesn’t say TikTok is actually recording and using this data.

Maureen Shanahan – TikTok Spokesperson

The company said the JavaScript code is part of a third-party software development kit, or SDK, a set of tools used to build or maintain apps. The SDK includes features the app does not use, the company said. TikTok did not answer questions about the SDK, or what third party makes it.

While Krause’s research reveals the code companies including TikTok and Facebook parent Meta are injecting into websites from their in-app browsers, the research does not show that these companies are actually using that code to collect data, send it to their servers or share it with third parties. Nor does the tool reveal if any of the activity is tied to a user’s identity or profile. Even though Krause was able to identify a few specific examples of what the apps can track (like TikTok’s ability to monitor keystrokes), he said his list isn’t exhaustive and the companies could be monitoring more.

TikTok is the only app that can access user’s all details

Krause tested seven iPhone apps that use in-app browsers: TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood. (He did not test the versions for Android, Google’s mobile operating system.)

Of the seven apps Krause tested, TikTok is the only one that appears to monitor keystrokes, he said, and seemed to be monitoring more activity than the rest. Like TikTok, Instagram and Facebook both track every tap on a website. Those two apps also monitor when people highlight text on websites.