Software researcher Felix Krause found code in the TikTok app, owned by Chinese company ByteDance, that subscribes to user keystrokes and could be used to capture credit card numbers, passwords and other sensitive information.
The script is reportedly injected into TikTok's in-app browser, so it can observe what users type on pages they open from links shared through the app.
Many social media influencers use TikTok to connect with their audiences and potentially sell them branded merchandise. For example, a TikTok user who makes cooking videos might include a URL on their TikTok account that takes viewers to a page where they can buy their recipe books.
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app,” Krause wrote. “This can include passwords, credit card information and other sensitive user data. We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”
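The mechanism Krause describes, as an added illustration that is not TikTok's code and not part of the original article: a host app's injected script attaches capture-phase listeners for every keystroke and text input on the page and forwards them out of the WebView, while the page's own scripts, which run later, cannot enumerate listeners that were already attached. Node's built-in EventTarget and Event classes stand in for the DOM `document`, the `appBridge` array stands in for a native message handler (the `KeyEvent`, `TextInputEvent`, `injectKeystrokeSubscription`, `installListenerAudit` and `simulate` names, and the typed card-number prefix, are all constructed for this example).

```javascript
// Constructed illustration of the in-app-browser keystroke subscription the
// article describes. Not TikTok's code. Node 16+ only: EventTarget/Event stand
// in for the page's `document`; `appBridge` stands in for a native message
// handler (e.g. a WKWebView script message handler) exposed to the injected script.

class KeyEvent extends Event {          // minimal stand-in for DOM KeyboardEvent
  constructor(type, key) { super(type); this.key = key; }
}
class TextInputEvent extends Event {    // minimal stand-in for DOM InputEvent
  constructor(type, data) { super(type); this.data = data; }
}

// What a host app's injected script would do: listen to every keystroke and
// text-input event on the page in the capture phase (so it fires before the
// page's own handlers) and forward the data out of the WebView.
function injectKeystrokeSubscription(page, appBridge) {
  for (const type of ['keydown', 'input']) {
    page.addEventListener(type, (ev) => {
      appBridge.push({ type, data: ev.key ?? ev.data ?? '' });
    }, { capture: true });
  }
}

// What a third-party page can do for itself: wrap addEventListener once its
// own scripts run and record every later registration. The DOM offers no way
// to enumerate listeners attached earlier, which is exactly where a script
// injected at document start sits.
function installListenerAudit(page) {
  const registrations = [];
  const original = page.addEventListener.bind(page);
  page.addEventListener = function (type, listener, options) {
    registrations.push({ type, capture: !!(options && options.capture) });
    return original(type, listener, options);
  };
  return registrations;
}

// End-to-end scenario: the app injects first, the page's scripts load second,
// then the user types a (constructed) card-number prefix into a form field.
function simulate(typed = '4111') {
  const page = new EventTarget();
  const appBridge = [];

  injectKeystrokeSubscription(page, appBridge);   // runs at document start
  const audit = installListenerAudit(page);        // page's own script, later
  page.addEventListener('input', () => {});        // page's own form handler

  for (const ch of typed) page.dispatchEvent(new KeyEvent('keydown', ch));
  page.dispatchEvent(new TextInputEvent('input', typed));

  return {
    bridgeEvents: appBridge.length,                // events that left the WebView
    leakedText: appBridge.filter((e) => e.type === 'keydown')
                         .map((e) => e.data).join(''),
    auditedTypes: audit.map((r) => r.type),        // what the page could see
  };
}

console.log(simulate());
```

The audit result is the practical caveat: a site cannot reliably detect or block instrumentation installed by the host app before the page's own scripts run, because injected user scripts execute in the page's origin and are unaffected by Content Security Policy. The only reliable mitigation is on the user's side, opening the link in the system browser instead of the in-app one.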
By comparison, Krause found that the in-app browsers of Snapchat and Robinhood do not inject code that could collect user metadata, while TikTok's does.
Of the apps Krause tested, he told Forbes, TikTok is the only one that appears to monitor keystrokes, and it appears to track more activity than the others.
“This was an active choice the company made,” Krause told Forbes. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”
Krause’s findings are just the latest in a series of concerning allegations raised against TikTok.
A Forbes report last week alleged that TikTok and ByteDance have hired 300 current or former employees of Chinese state-run media outlets. Forbes reported that 15 ByteDance employees have LinkedIn profiles indicating they concurrently work for those Chinese media outlets.
A ByteDance spokesperson told American Military News that Forbes’ report “draws from outdated online profiles of people who never worked for state media, no longer work for our company, or work on China businesses only. Our conflict of interest policy does not allow employees to concurrently hold positions at China state media organizations.”
In June, BuzzFeed reported on leaked internal recordings showing that U.S. TikTok user data had been accessed by China-based ByteDance employees. TikTok acknowledged that non-U.S. employees could access U.S. user data, but said such access is “subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team.”
In 2019, the U.S. Army and U.S. Navy banned TikTok on government-issued devices.
In 2020, then-President Donald Trump tried to either ban TikTok in the U.S. or force the company to hand over its U.S.-based operations to a U.S. partner company. President Joe Biden overturned those Trump-era efforts.