TikTok’s In-App Browser Can Monitor Clicks and Keystrokes: Researcher

Security concerns about TikTok, the globally popular short video sharing app have come to light as a hacker claims to have broken into its database and accessed user information.

On Sept. 3, a user with the name AgainstTheWest claimed to have hacked TikTok and WeChat on the Breach Forums message board, a hacker forum. The poser said 790 gigabytes of user information and 2.05 billion records had been downloaded from the database, but he had not yet decided whether to sell it or release it to the public. The hacker also posted two links to data samples and a video of a set of database tables.

TikTok denied that its database had been breached, saying its security team had investigated and found no evidence of a security breach. However, doubts remain as internet experts assess the authenticity of the rumors.

Similarly, on Aug. 31, a Microsoft research team announced that it had found a serious vulnerability in TikTok’s Android app that could allow an attacker to compromise user accounts with a single click. An attacker could use the vulnerability to hijack an account without the user’s knowledge, then access and modify the user’s TikTok profile and sensitive information, such as making private videos public, sending messages, and uploading videos on the user’s behalf.

TikTok has two versions of the Android app. In its review of the TikTok vulnerability, the Microsoft research team determined that both apps could be affected. More than 1.5 million TikTok for Android apps have been installed to date.

TikTok responded that the vulnerability had been fixed after Microsoft informed the company.

However, Felix Krause, creator of fastlane, a company acquired by Google, published a study of TikTok on Aug. 18, which showed that when a TikTok user accesses a website through a link on the app, TikTok inserts code to monitor most of the user’s activities on external sites, including keystrokes (text input) and anything clicked on the page. Such tracking would allow TikTok to capture users’ credit card information and passwords.

The report also said TikTok was able to monitor because it used an in-app browser, which is part of the app, to make changes to websites. When people click on TikTok ads or visit a creator’s profile, the app doesn’t work with regular browsers like Safari or Chrome. Instead, it defaults to the TikTok app’s built-in browser to rewrite some web pages.

Of the seven iPhone apps Krause tested that used a built-in browser (it didn’t test Android system), TikTok was the only one that could monitor keystrokes. It also seemed to monitor more activities than any other application.

In response to the findings, TikTok acknowledged that the features exist in the code, but argued that the company did not use them for tracking users, but only for debugging, troubleshooting, and performance monitoring, among other things.

TikTok’s Ties With the CCP

TikTok now has more than 1 billion monthly active users, mostly young people. However, the social media platform has drawn scrutiny due to its ownership by the Chinese company ByteDance, located in Beijing and a reported link to the Chinese Communist Party (CCP).

TikTok has promised for years that American users’ information would be stored in the United States, not in China. However, according to leaked recordings of 80 internal TikTok meetings obtained by BuzzFeed, the non-public data of U.S. users has been repeatedly accessed from China.

On Aug. 12, the Cyberspace Administration of China (CAC), the country’s top internet regulator issued a notice, publicly requiring 30 Chinese internet companies to submit data on their archiving algorithms. Bytedance was one of them.

The algorithms are tailored to the preferences of each user through artificial intelligence. Zhu Wei, an associate professor at China University of Political Science and Law, said the algorithm is not a simple calculation program, but more connected to personal information and big data.

The unprecedented move by the CAC has raised alarms around the world. Clare O’Neil, Australia’s Home Affairs minister and cybersecurity minister has ordered a review of TikTok’s data collection.

“The fact that we’ve got millions of Australians accessing an app where the usage of their data is questionable is very much a modern security challenge for the country,” O’Neil told Sydney Morning Herald in early September.

There are currently 7.38 million adult users in Australia, according to Digital 2022, a report released by internet data research company WE ARE SOCIAL.

The Biden administration may also move to curb investment in Chinese tech companies, possibly going it alone on TikTok, people familiar with the matter told Bloomberg.

TikTok users in the United States now number about 80 million, or about one-quarter of the U.S. population.