close
Thursday May 30, 2024

TikTok denies scraping users’ sensitive data

A developer claimed that TikTok’s iOS app contains a code allowing the company to monitor all "keystrokes"

By Web Desk
August 22, 2022
A representational image of TikToks app on a phone. — AFP/File
A representational image of TikTok's app on a phone. — AFP/File

TikTok, a short video-sharing application, has denied claims made by a developer of “scraping” its users’ password, credentials and other sensitive data through its in-app browser.

The developer alleged that TikTok’s iOS app contains a code which lets the company monitor “all keystrokes, including passwords, and all taps.”

Felix Krause — a developer who previously worked with Twitter and Google — found privacy and security issues in the past as well, as reported by Vice’s Motherboard.

Taking to his Twitter and a blog post, the developer wrote that the iPhone app of TikTok opens an in-app browser when a link within the app is opened.

He wrote that the application “injects tracking code” which is capable of monitoring all text inputs, including “passwords, and all taps” due to some JavaScript code built within the app including those on third party websites in TikTok itself.

Krause’s findings were picked up by websites of several media outlets, making it an upsetting revelation. However, Krause limited his own findings by adding that it’s difficult to know what the video-making app uses the subscription for.

“This is the equivalent of installing a keylogger on third party websites,” he wrote, citing his view from a technical perspective.

Krause, during a chat online, also said that his report “doesn’t say TikTok is actually recording and using this data.”

The developer said that he talked about the way TikTok inserts JavaScript using their in app browser which has code set to track text inputs on third party websites.

“I emphasised how I can’t talk about if and how the system is actually being used,” he said during the chat.

TikTok, however, has strongly denied the allegation. The video-sharing platform’s spokesperson, in a statement sent to Vice’s Motherboard, deemed the conclusions of the report regarding TikTok as “misleading and incorrect”.

“The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects,” the application’s spokeperson wrote, adding the applications do not collect “keystroke or text inputs” via this code — contrary to the report's claims.

TikTok also wrote that the code is exclusively used for “debugging, troubleshooting, and performance monitoring”.

The app uses an in-app browser like other application and denied logging keystrokes.

Zach Edwards, an independent privacy and cybersecurity researcher, has also analysed the code utilised by the video-sharing company’s iOS app.

He warned against Krause’s findings terming it “not definitive”. He did, however, agree that the JavaScript within the application “could scrape” typed information in the app.

He said that monitoring the kind of data the application sends to its servers is the only way to confirm if an app actually scrapes forms such as password form fields.

“Felix is making TikTok look worse than they are—and that’s unfortunate because they are pretty bad,” Edwards said.

Edwards, however, deemed in-app browsers to be “wildly dangerous” because they allow app to scrape sensitive data, which is why he thinks that Google and Apple should allow users to disable the feature.