Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizen Coje_He for the clue delivery! CTOnews.com, August 21, according to security researcher Felix Krause, TikTok's custom App on iOS injects JavaScript code into external websites, allowing TikTok to monitor "all keyboard inputs and clicks" as users interact with a given site, but TikTok reportedly denies that the code was used for malicious behavior.

Krause said that when users interact with external websites, browsers in TikTok App "subscribe" to all keyboard input, including any sensitive details such as passwords and credit card information, as well as every click on the screen.

"from a technical point of view, this is the equivalent of installing a keylogger on a third-party website," Krause wrote of TikTok-injected JavaScript code. However, the researchers added, "just because the app injects JavaScript into an external website doesn't mean the app is doing anything malicious."

In a statement shared with Forbes, a TikTok spokesman acknowledged the problematic JavaScript code, but said it was only used for debugging, troubleshooting and performance monitoring to ensure "the best user experience."

"as with other platforms, we use browsers within App to provide the best user experience, but the Javascript code in question is only used for debugging, troubleshooting, and performance monitoring-such as checking page loading speed or crashing."

Krause said that users who want to protect themselves from any potentially malicious use of browser JavaScript code in App should switch to using the platform's default browser to view a given link, such as Safari on iPhone and iPad, whenever possible.

According to Krause, Facebook and Instagram are two other problematic applications that insert JavaScript code into external Web sites loaded in browsers within App, enabling applications to track user activity. A spokesman for Facebook and Meta, the parent company of Instagram, said in a tweet that the company "intends to develop this code to respect people's application tracking transparency (ATT) choices on our platform." "it has been revealed that Meta Instagram has violated Apple's iOS privacy policy by tracking users' network activities through browsers in App."

Krause says he has created a simple tool that allows anyone to check whether browsers in App are injecting JavaScript code when rendering the site. The researchers say users simply open the application they want to analyze, share the address InAppBrowser.com somewhere within the application (such as sending a message directly to another person), click on the link within the application, and read the details of the report displayed in the-app browser.

Apple didn't immediately respond to a request for comment.

A spokesman for TikTok further stated that

"the report's conclusions about TikTok are incorrect and misleading. The researchers make it clear that JavaScript code does not mean that our application is doing any malicious behavior, and admit that they do not know what kind of data our browsers collect in our application. We do not collect keystrokes or text input through this code, which is only used for debugging, troubleshooting and performance monitoring."

According to a spokesman for TikTok, the JavaScript code is part of the software development kit (SDK) that TikTok is using, while the "keypress" and "keydown" features mentioned by Krause are common inputs that TikTok does not use for keystroke logging.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.