If you are an avid TikTok user, you should probably pump the brakes as the app is undergoing another security-related issue. According to Felix Krause, developer of InAppBrowser.com, popular social media apps like TikTok, Instagram, and Facebook are using JavaScript that allows them to record all the movements made by the users on their in-app keyboards including collecting passwords, addresses, credit card data, and much more without user’s consent.
TikTok’s in-app keyboard records user’s movements
According to the reports, Meta-owned Facebook, Facebook Messenger, Instagram, and Chinese ByteDance-owned TikTok all offer an in-app qwerty keyboard. Thanks to JavaScript found on these apps, these keyboards can record the user’s keystrokes thereby igniting the concern related to the user’s security and privacy. The report further mentions that although there’s a way to change keyboard settings on Meta-owned apps, the same cannot be said for TikTok as it doesn’t allow changing its in-app keyboard to a default one.
Brendan Carr, an FCC commissioner, has tagged TikTok as a sophisticated surveillance tool capable of harvesting an exhaustive amount of user data that is relayed to Beijing. It is one of the reasons why TikTok is banned in India and a few other countries.
Felix further adds that TikTok’s in-app keyboard can record every keystroke performed within the app while visiting third-party websites. Other apps do offer to go to a default web browser to access a website, TikTok doesn’t allow the same which tends to cause more damage. Although the script is not working at the moment, it is technically made to allow monitoring of all user interactions including screenshots, text selections, links and buttons tapped, and inputs including credit card numbers, addresses, and passwords among others which adds up.
When asked, Meta (which owns both Facebook and Instagram) responded that they track user movements to use data for targeted advertising and measurement purposes. Additionally, they mentioned that the users have already consented om being tracked.
TikTok took it to the internet stating that the said reports are misleading as it doesn’t collect inputs or keystrokes. The code, which exists, is simply there for debugging, troubleshooting, and performance monitoring. This may not go well with users as TikTok has long been accused of routing crucial data to its Chinese servers thereby flagging potential surveillance which is why it got banned in India.
