TikTok’s In-App Browser Can Track User Passwords and Credit Card Information
Researchers have discovered code in TikTok that allows the app to monitor all user actions within its built-in browser, including keystrokes. Experts believe this feature was intentionally developed by the service.
When a TikTok user clicks a link within the app, TikTok uses code that can track nearly all activity on external web pages, according to research by Felix Krause. Developers can even see keystrokes, which means TikTok could potentially collect passwords and credit card details.
Instead of opening links in a standard browser, TikTok defaults to its own in-app browser, which copies the information displayed on the page. TikTok can monitor user actions by injecting JavaScript code into web pages, creating new commands that notify TikTok about what visitors are doing on those pages.
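A site owner can check whether anything registers listeners for keystrokes or clicks on their page by wrapping `addEventListener` before other scripts run. The sketch below is an added example, not code from the original article, from Krause's research or from TikTok; `auditListeners`, `SENSITIVE_EVENTS`, `FakeTarget` and the simulated registrations are hypothetical names and constructed inputs so that it runs outside a browser.

```javascript
// Added example: record which event listeners get registered on a target.
// All names here are hypothetical; the "injected" calls are constructed.
const SENSITIVE_EVENTS = new Set(["keydown", "keypress", "keyup", "input", "click"]);

// Wrap target.addEventListener so every registration is logged and then
// passed through unchanged. Returns the log and a restore function.
function auditListeners(target, label) {
  const original = target.addEventListener;
  const log = [];
  target.addEventListener = function (type, handler, options) {
    log.push({
      target: label,
      type,
      sensitive: SENSITIVE_EVENTS.has(type),
      // Capture-phase listeners see events before the page's own handlers.
      capture: options === true || Boolean(options && options.capture),
    });
    return original.call(this, type, handler, options);
  };
  return { log, restore() { target.addEventListener = original; } };
}

// Minimal stand-in for a DOM EventTarget (in a browser, pass `document`).
class FakeTarget {
  constructor() { this.handlers = []; }
  addEventListener(type, handler) { this.handlers.push({ type, handler }); }
}

// Constructed scenario: the audit is installed first, then a script added by
// the hosting app (simulated here) registers its listeners.
function runDemo() {
  const doc = new FakeTarget();
  const audit = auditListeners(doc, "document");
  doc.addEventListener("keydown", () => {}, { capture: true }); // simulated injected listener
  doc.addEventListener("click", () => {}, true);                // simulated injected listener
  doc.addEventListener("scroll", () => {});                     // ordinary page listener
  audit.restore();
  doc.addEventListener("keyup", () => {}); // registered after restore: not logged
  return {
    findings: audit.log.filter((entry) => entry.sensitive),
    total: audit.log.length,
    registered: doc.handlers.length,
  };
}

console.log(runDemo().findings);
```

The wrapper only sees registrations made after it is installed and in the same JavaScript context, so an empty log does not prove that no listener exists.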
Felix Krause, one of the researchers, says this was a deliberate choice by TikTok. “This is not a trivial technical task. It doesn’t happen by mistake or accident,” Krause explained. He is the founder of Fastlane, an app testing and deployment service acquired by Google five years ago.
TikTok, for its part, claims it does not track users in its browser. The company confirmed the presence of such functions in its code but stated that it does not use them. “We use the in-app browser for optimal user experience, just like other platforms,” TikTok’s press office said in a statement. “The JavaScript code is only used for debugging, troubleshooting, and monitoring, such as checking page load speeds.”
Researchers warn that TikTok could potentially track even more data through its in-app browser. Passwords and credit card numbers may only be the tip of the iceberg.