Meta and TikTok can see everything you type on browsers inside their apps

A security researcher has warned that Facebook, Instagram, and TikTok's iPhone apps can track everything users type into their in-app internet browsers.

All three of these popular social media apps say they don't track sensitive information like credit card numbers, passwords, and addresses that users enter through in-app browsers. However, researcher and developer Felix Krause wrote this week that it would be very easy for them to do so if they wanted to, because the apps open links in an embedded browser that the app itself controls rather than in Safari.

For example, let's say a friend of an Instagram user sent them a direct message with a link to a product for sale.

If the Instagram user taps the link on an iPhone, it opens in the Instagram app's built-in browser instead of in Safari. Krause says that if the user then decides to buy the product, they will have to enter their credit card number, shipping address, and other details, all of which the in-app browser, and therefore Instagram, is in a position to observe. The same applies when buying something from an Instagram ad.


The new research comes at a time when privacy and security concerns have been raised about TikTok, which is owned by the Chinese company ByteDance.

In June, Brendan Carr, a commissioner of the Federal Communications Commission, asked Apple and Google to remove the app from their app stores. He called it a "sophisticated surveillance tool that gathers a lot of personal and sensitive data."

Carr wrote in an open letter that TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers like faceprints and voiceprints.

Krause says that Instagram "injects JavaScript code into every website shown," which could give the app access to all of this user data and more. However, there is no evidence that Instagram, Facebook, or TikTok are actually saving or recording this information.

"Even though the injected script doesn't do this right now, running custom scripts on third-party websites lets them watch all user interactions, like every button and link clicked, text selections, screenshots, and form inputs like passwords, addresses, and credit card numbers," Krause wrote. "I didn't prove exactly what data Instagram is tracking, but I did show what kind of data they could get without you knowing."

Krause said that TikTok's iOS app "subscribes to every keystroke (text input) on third-party websites rendered inside the TikTok app."


“This can include passwords, credit card information and other sensitive user data,” he said.
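To make concrete what "subscribing to every keystroke on third-party websites" means, and what a website can and cannot do about it, here is an added example. It is not Krause's code and not the script Meta or TikTok inject; it is a model of the same mechanism. A WKWebView user script runs inside the loaded page with the page's own origin and full DOM access, so one capturing listener registered on the document sees every input event before the page's own handlers do. The document model, field names, site script URL and typed values below are all constructed for the example; the page-side inventory check is a heuristic, since injected code with full DOM access need not leave a script node behind.

```javascript
"use strict";

// Minimal stand-in for the DOM pieces the example needs. As in a real browser,
// dispatch runs capture-phase listeners registered on the document before the
// field's own listeners, so a document-level capturing listener sees every
// event first and cannot be silenced by the page's own handlers.
class Field {
  constructor(name, type) {
    this.name = name;
    this.type = type;       // type="password" hides nothing from a script reading .value
    this.value = "";
    this.listeners = {};
  }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
}

class Document {
  constructor() {
    this.fields = [];
    this.scripts = [];            // script nodes present in the page
    this.captureListeners = {};
  }
  createField(name, type) {
    const f = new Field(name, type);
    this.fields.push(f);
    return f;
  }
  appendScript(src, inline) {
    this.scripts.push({ src, inline });
  }
  addEventListener(type, fn, capture) {
    if (capture) (this.captureListeners[type] = this.captureListeners[type] || []).push(fn);
  }
  // Simulate the user typing text into a field, one character per input event.
  typeInto(field, text) {
    for (const ch of text) {
      field.value += ch;
      const ev = { type: "input", target: field, data: ch, stopped: false,
                   stopPropagation() { this.stopped = true; } };
      for (const fn of this.captureListeners.input || []) fn(ev);   // capture phase runs first
      if (!ev.stopped) for (const fn of field.listeners.input || []) fn(ev);
    }
  }
}

// Model of what an app's injected script can do: one capturing listener on the
// document records every keystroke on every field, password and card fields
// included, and pushes it to a sink the host app controls.
function installKeystrokeMonitor(doc, sink) {
  doc.appendScript(null, "/* injected by host app (constructed for this example) */");
  doc.addEventListener("input", (ev) => {
    sink.push({ field: ev.target.name, type: ev.target.type,
                key: ev.data, value: ev.target.value });
  }, true);
}

// Page-side check: script nodes the site did not ship. The example models the
// injection as leaving a node behind; real injected code need not, so an empty
// result is not proof of absence, while a non-empty one is evidence of tampering.
function unexpectedScripts(doc, allowedSrcs) {
  return doc.scripts.filter((s) => s.src === null || !allowedSrcs.includes(s.src));
}

function demo() {
  const doc = new Document();
  const siteScript = "https://shop.example/checkout.js";   // constructed: the site's own script
  doc.appendScript(siteScript, null);
  const captured = [];
  installKeystrokeMonitor(doc, captured);

  const pw = doc.createField("password", "password");
  const card = doc.createField("card", "text");
  // The page's own handler stops propagation, which is too late: the capture
  // phase on the document has already delivered the event to the host's listener.
  pw.addEventListener("input", (ev) => ev.stopPropagation());

  doc.typeInto(pw, "hunter2");
  doc.typeInto(card, "4111");
  return { captured, unexpected: unexpectedScripts(doc, [siteScript]) };
}

const result = demo();
console.log(result.captured.map((c) => `${c.field}:${c.value}`).join(" "));
console.log("unexpected scripts:", result.unexpected.length);
```

The point of the model is the ordering: nothing a third-party page does in its own handlers (stopping propagation, marking a field as a password) prevents a script that was injected by the host before the page loaded from reading what is typed. That is why the practical mitigation is to leave the in-app browser altogether rather than to harden the page.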

Krause suggests that Instagram, Facebook, and TikTok users open links outside of the apps and use the iPhone's built-in Safari browser to avoid being tracked. In practice this means using the in-app browser's menu option to open the page in the default browser, or copying the link and pasting it into Safari, before entering any passwords or payment details.

In a statement to The Post, a TikTok representative said that Krause's claims about the app were "wrong and misleading."

"The researcher says that the JavaScript code doesn't mean that our app is doing anything bad, and they admit that they have no way of knowing what kind of data our in-app browser collects," the spokesperson said. "Contrary to what the report says, we do not use this code to collect keystrokes or text inputs. It is only used for debugging, troubleshooting, and performance monitoring."

A spokesperson for Meta said, "We use in-app browsers to make sure people have safe, easy, and reliable experiences. For example, we make sure auto-fill works right and stop people from being sent to malicious sites. To add any of these kinds of features, you'll need to write more code. We have carefully made these experiences so that users' privacy choices, such as how their data can be used for ads, are respected."


