A security researcher has warned that Facebook, Instagram, and TikTok's iPhone apps can track everything users type into their in-app internet browsers.
All three of the most popular social media apps say they don't track sensitive information like credit card numbers, passwords, and addresses that users enter through in-app browsers. However, researcher and developer Felix Krause wrote this week that it would be very easy for them to do so if they wanted to.
For example, let's say a friend of an Instagram user sent them a direct message with a link to a product for sale.
If the Instagram user clicks on the link on an iPhone, it will open in the Instagram app's browser instead of sending them to Safari. Krause says that if the user then decides to buy the product, they will have to put in their credit card information, shipping address, and other information that Instagram can track. If they were buying something from an Instagram ad, the same thing would happen.
The new research comes at a time when privacy and security concerns have been raised about TikTok, which is owned by China.
In June, Brendan Carr, a member of the Federal Communications Commission, asked Apple and Google to remove the app from their app stores. He called it a "sophisticated surveillance tool that gathers a lot of personal and sensitive data."
Carr wrote in an open letter that TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers like faceprints and voiceprints.
"Even though the injected script doesn't do this right now, running custom scripts on third-party websites lets them watch all user interactions, like every button and link clicked, text selections, screenshots, and form inputs like passwords, addresses, and credit card numbers," Krause wrote. "I didn't prove exactly what data Instagram is tracking, but I did show what kind of data they could get without you knowing."
Krause said that TikTok's iOS app "subscribes to every keystroke (text input) on third-party websites rendered inside the TikTok app."
“This can include passwords, credit card information and other sensitive user data,” he said.
Krause suggests that Instagram, Facebook, and TikTok users open links outside of the apps and use the iPhone's built-in Safari browser to avoid being tracked.
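The behaviour Krause describes, a script subscribing to keystroke and form events on a page it did not come from, can be checked for from the website's own side. The following is an added example, not code from Krause or from any of the apps named here: it wraps `addEventListener` and records subscriptions to typing-related events that the site's own code did not make. The names `installListenerAudit`, `SENSITIVE_TYPES` and the demo listeners are assumptions, and an audit like this only sees listeners registered after it is installed, in the same JavaScript context.

```javascript
// Event types that expose typing or form contents (an assumed list).
const SENSITIVE_TYPES = new Set(["keydown", "keypress", "keyup", "input", "change"]);

// Wrap addEventListener on the given constructor's prototype and record
// sensitive subscriptions that isOwnCode() does not recognise.
function installListenerAudit(EventTargetCtor, isOwnCode) {
  const original = EventTargetCtor.prototype.addEventListener;
  const findings = [];
  EventTargetCtor.prototype.addEventListener = function (type, listener, options) {
    if (SENSITIVE_TYPES.has(type) && !isOwnCode(listener)) {
      findings.push({
        type,
        target: this && this.constructor ? this.constructor.name : "unknown",
        capture: options === true || Boolean(options && options.capture),
      });
    }
    return original.call(this, type, listener, options);
  };
  const uninstall = () => { EventTargetCtor.prototype.addEventListener = original; };
  return { findings, uninstall };
}

// Count recorded subscriptions per event type.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.type] = (counts[f.type] || 0) + 1;
  return counts;
}

// Constructed demo: a bare EventTarget stands in for `document`.
function runDemo() {
  const ownListeners = new WeakSet();
  const audit = installListenerAudit(EventTarget, (fn) => ownListeners.has(fn));
  const page = new EventTarget();

  const siteHandler = () => {}; // the site's own, allow-listed handler
  ownListeners.add(siteHandler);
  page.addEventListener("input", siteHandler);

  // Constructed stand-ins for listeners added by a script the site did not ship.
  page.addEventListener("keydown", () => {}, true);
  page.addEventListener("input", () => {}, { capture: true });
  page.addEventListener("click", () => {}); // not in SENSITIVE_TYPES, ignored

  audit.uninstall();
  return { findings: audit.findings, counts: summarize(audit.findings) };
}

console.log(runDemo().counts);
```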
In a statement to The Post, a TikTok representative said that Krause had said things about the app that were "wrong and misleading."
A spokesperson for Meta said, "We use in-app browsers to make sure people have safe, easy, and reliable experiences. For example, we make sure auto-fill works right and stop people from being sent to malicious sites. To add any of these kinds of features, you'll need to write more code. We have carefully made these experiences so that users' privacy choices, such as how their data can be used for ads, are respected."