22/08/2022
According to software engineer and security researcher Felix Krause, TikTok's in-app browser can monitor your keystrokes, including passwords and credit cards. Any link clicked through TikTok will open within the app using the platform's in-app browser rather than a default browser like Chrome or Safari. The JavaScript code embedded by TikTok allows the company to monitor all keystrokes, the equivalent of a keylogger, as well as every tap on the screen, and text inputs including passwords and credit card information.

"Installing a keylogger is obviously a huge thing… according to TikTok it's disabled at the moment," Mr Krause said. "The problem is they do have the infrastructure and the systems in place to be able to track all these keystrokes… that on its own is a huge problem."

The Vienna-based researcher is the founder of Fastlane, a testing platform for Android and iOS apps, acquired by Google five years ago. He has been looking at the risks of in-app browsers for several years, but the increased use by big tech companies spurred him to look at the code behind each platform.

Last week he released a report on his findings after creating a security tool, InAppBrowser.com, for anyone to see what apps can track when using their in-app browsers. It can recognise what apps like TikTok, Instagram and Meta can track, but it is unable to tell us what data each app chooses to collect, transfer or use. Although InAppBrowser.com finds commands embedded in the code, the full extent of what apps implement on third-party websites is unknown, partially due to an iOS 14.3 update in December 2020, allowing some JavaScript commands to be undetectable.

thecybersecurityhub.com
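For site owners who want a rough view of this from their own pages, the following is an added example, not code from the article or from InAppBrowser.com. It assumes a wrapper around `addEventListener` is acceptable on the page; `installListenerAudit` and `markPageScriptsDone` are hypothetical names, and the sample registrations are constructed. As the article notes, injected JavaScript can be undetectable since iOS 14.3, so an empty report does not prove that nothing is listening.

```javascript
// Record input-related listeners that are registered AFTER the site's own
// scripts have finished, i.e. listeners the site itself did not add.
const WATCHED = new Set(["keydown", "keyup", "keypress", "input", "click", "touchstart"]);

function installListenerAudit(targetProto = EventTarget.prototype) {
  const original = targetProto.addEventListener;
  const state = { pageDone: false, findings: [] };

  targetProto.addEventListener = function (type, listener, options) {
    if (state.pageDone && WATCHED.has(type)) {
      state.findings.push({
        type,
        target: this && this.constructor ? this.constructor.name : "unknown",
        // The first caller frames hint at where the registering code came from.
        stack: String(new Error().stack).split("\n").slice(2, 4).join(" | "),
      });
    }
    // Always forward to the real implementation so the page keeps working.
    return original.call(this, type, listener, options);
  };

  return {
    // Call once the site's own scripts have registered their listeners.
    markPageScriptsDone() { state.pageDone = true; },
    report() { return state.findings.map(({ type, target }) => `${target}:${type}`); },
    uninstall() { targetProto.addEventListener = original; },
  };
}

// Constructed demonstration: a plain EventTarget stands in for `document`.
function demo() {
  const audit = installListenerAudit();
  const doc = new EventTarget();
  doc.addEventListener("keydown", () => {});   // site's own listener: ignored
  audit.markPageScriptsDone();
  doc.addEventListener("keypress", () => {});  // registered later: recorded
  doc.addEventListener("scroll", () => {});    // not an input event: ignored
  audit.uninstall();
  return audit.report();
}
```

On a real page the audit would be installed in the first script of the document and the report sent to the site's own telemetry for review.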