TikTok can monitor everything users do, including passwords and credit card details

The problem is in the internal browser of the popular application, on iPhone. What risks does it entail?

TikTok, one of the most popular mobile applications today, has introduced a function in its source code that lets the application monitor everything users do on iPhone, even passwords and credit card details.

The issue is within the platform's internal browser, which could allow the company to monitor everything users type while using the app, even when they are redirected to third-party websites.

This gives the social media app the ability to view sensitive data such as passwords and credit card numbers, according to a security researcher who says Apple should take action to remedy the potential problem.

Felix Krause says he discovered TikTok’s ability to monitor user data through its in-app navigation feature and published his findings in a blog post on Thursday.

Krause found code showing that TikTok has the ability to monitor any keystroke a user makes, including after that user clicks a link that redirects them to another website.

Apple’s role

Krause says he thinks part of this problem lies with Apple, which doesn’t require apps to use its Safari browser to view external websites, though it recommends it.

The expert explained that these security problems would be solved if TikTok used Safari instead of its own browser within the app.

"It's the equivalent of a keylogger [a program that records everything the user presses], which is software that monitors your keystrokes. That includes passwords, credit cards, any confidential information could be extracted from that," Krause told Insider.

Although TikTok has this system in place, Krause cautions that it does not necessarily prove that they are using or even collecting this data.

TikTok’s response

TikTok vehemently denies collecting the data. During an appearance on CNN in July, TikTok Americas policy executive Michael Beckerman said that TikTok “doesn’t log what a user is typing.”

Krause counters that the ability to collect the data is still a danger. “Let’s assume TikTok’s claims are correct and they don’t collect the data. They claim they are not doing it now, but this could potentially change in the future. I’m not saying that’s going to happen, but it’s an option, and that’s a problem itself.”

In a statement to Business Insider, a TikTok spokesperson appeared to confirm the existence of the code, but rejected Krause’s report.

“The report’s conclusions about TikTok are incorrect and misleading. The researcher specifically says that the JavaScript code does not mean our app is doing anything malicious, and admits that they have no way of knowing what kind of data our in-app browser collects,” the company explained.

“Contrary to claims in the report, we do not collect text input or keystrokes through this code, which is used solely for debugging, troubleshooting, and performance monitoring,” a TikTok spokesperson said.

By Editor
