China’s TikTok spies on user keystrokes; can track passwords, personal data: report

A software researcher found code on the Chinese TikTok app that appears to be spying on user keystrokes and could be used to steal credit card information, passwords and other sensitive information.


Last week, Austria-based software researcher Felix Krause published a report documenting how different apps inject malicious JavaScript code into third-party websites, which allows them to log keystrokes. Krause found that the popular video-sharing app TikTok, which is owned by the Chinese company ByteDance, uses this malicious code.

The script reportedly runs on TikTok’s in-app browser, allowing it to see what users are typing in when they open up links shared through the app.

Many social media influencers use TikTok to connect with their audiences and potentially sell them branded merchandise. For example, a TikTok user that makes cooking videos might include a URL on their TikTok account to take users to buy their recipe books.

Because the JavaScript code runs in the background, it could log the keystrokes as a user enters their credit card information to make a purchase.

“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app,” Krause wrote. “This can include passwords, credit card information and other sensitive user data. We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”
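The mechanism Krause describes is a script that subscribes to keystroke events on whatever page the in-app browser renders. The following is an added example, not code from the article, from Krause's report, or from TikTok: a page-side audit hook that records which scripts register keystroke-level listeners, so a site owner or tester can see such subscriptions rather than merely suspect them. It runs under Node, where `EventTarget` is a global, using a constructed stand-in for `document`; the event names, the `installKeystrokeAudit` and `summarize` helpers, and the simulated "injected" listener are all assumptions of this example.

```javascript
// Added example (not from the article or Krause's report): audit which code
// subscribes to keystroke-level events on a document-like target.
// Runs under Node (EventTarget is global there); in a browser you would hook
// the real document the same way.

// Event types that expose what a user types (assumed list for this example).
const KEYSTROKE_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'beforeinput']);

// Wrap addEventListener on the given prototype so every keystroke-type
// subscription is logged with the listener source and the caller's stack frames.
// Returns the log and an uninstall function that restores the original method.
function installKeystrokeAudit(Proto = EventTarget.prototype) {
  const log = [];
  const original = Proto.addEventListener;
  Proto.addEventListener = function (type, listener, options) {
    if (KEYSTROKE_EVENTS.has(type)) {
      log.push({
        type,
        listenerSource: String(listener).slice(0, 80),
        // Frames 2-3 point at the code that registered the listener.
        stack: (new Error().stack || '').split('\n').slice(2, 4).join(' | '),
      });
    }
    return original.call(this, type, listener, options);
  };
  return { log, uninstall: () => { Proto.addEventListener = original; } };
}

// Summarise the audit log: total keystroke subscriptions and a count per event type.
function summarize(log) {
  const byType = {};
  for (const entry of log) byType[entry.type] = (byType[entry.type] || 0) + 1;
  return { total: log.length, byType };
}

// Demo on a constructed stand-in document. A benign click handler and two
// simulated injected keystroke listeners are registered; only the latter are logged.
function runDemo() {
  const fakeDocument = new EventTarget();          // constructed stand-in for `document`
  const audit = installKeystrokeAudit();
  fakeDocument.addEventListener('click', () => {});                            // not logged
  fakeDocument.addEventListener('keydown', function injectedKeyHook() {});     // logged
  fakeDocument.addEventListener('input', () => {});                            // logged
  audit.uninstall();
  return summarize(audit.log);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo()));
}
```

A hook like this only sees listeners registered after it is installed, and an app's injected script typically runs before any page script does. Its realistic use is therefore an audit page loaded deliberately inside the in-app browser under test, where the hook can be placed first, rather than as protection on an ordinary third-party site.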

While Krause found that apps like Amazon, Snapchat, Facebook, Instagram and the investment app Robinhood also use this JavaScript, Krause said those other apps provide an option for users to open links in the user’s default web browser. TikTok, by contrast, runs all links inside its in-app browser.

Snapchat and Robinhood also do not allow the code to fetch a user’s metadata, while TikTok does.

Of the apps Krause tested, he told Forbes, TikTok is the only one that appears to monitor keystrokes, and it appears to track more activity than the others.

“This was an active choice the company made,” Krause told Forbes. “This is a non-trivial engineering task. This does not happen by mistake or randomly.”

In a statement to Forbes, TikTok spokesperson Maureen Shanahan acknowledged it uses the JavaScript code, but said it’s only to monitor the performance of its in-app browser.

“Like other platforms, we use an in-app browser to provide an optimal user experience,” Shanahan said. “But the JavaScript code in question is used only for debugging, troubleshooting and performance monitoring of that experience — like checking how quickly a page loads or whether it crashes.”

Krause’s findings are just the latest in a series of concerning allegations raised against TikTok.

A Forbes report last week alleges that TikTok and ByteDance have hired 300 current or former employees of Chinese state-run media outlets. Forbes reported 15 ByteDance employees have LinkedIn information indicating they concurrently work for those Chinese media outlets.

A ByteDance spokesperson told American Military News that Forbes’ report “draws from outdated online profiles of people who never worked for state media, no longer work for our company, or work on China businesses only. Our conflict of interest policy does not allow employees to concurrently hold positions at China state media organizations.”

In June, Buzzfeed reported on internal company leaks that showed U.S. TikTok user data has been accessible by China-based TikTok employees. TikTok acknowledged non-U.S. employees could access U.S. user data, but said such access is “subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team.”

In 2019, the U.S. Army and U.S. Navy banned TikTok on government-issued devices.

In 2020, then-President Donald Trump tried to either ban TikTok in the U.S. or force the company to hand over its U.S.-based operations to a U.S. partner company. President Joe Biden overturned those Trump-era efforts.


Source: American Military News