TikTok’s in-app browser can monitor clicks and keystrokes: Finder
Security concerns over TikTok, the globally popular short-video sharing app, have come to light as a hacker claims to have broken into its database and accessed user information.
On September 3, a user going by the name AgainstTheWest claimed on Breach Forums, a hacker message board, to have hacked TikTok and WeChat. The poster said 790 gigabytes of user information and 2.05 billion records had been downloaded from the database, but that he hadn’t yet decided whether to sell the data or make it public. The hacker also posted two links to sample data and a video of a set of database tables.
TikTok denied that its database was breached, saying its security team investigated and found no evidence of a security breach. However, doubts remain as internet experts assess the authenticity of the rumors.
Separately, on August 31, a Microsoft research team announced that it had discovered a serious vulnerability in TikTok’s Android app that could allow an attacker to compromise a user’s account with a single click. An attacker could use the vulnerability to hijack an account without the user’s knowledge, then access and modify the user’s TikTok profile and sensitive information, for example by making private videos public, sending messages and uploading videos under the user’s name.
TikTok has two versions of its Android app. In its review of the TikTok vulnerability, Microsoft’s research team determined that both could be affected. Over 1.5 million installations of TikTok for Android have been recorded to date.
TikTok responded that the vulnerability had been patched after Microsoft notified the company.
However, Felix Krause, creator of fastlane, a company acquired by Google, published a study of TikTok on August 18 showing that when a TikTok user opens a website through a link in the app, TikTok injects code that monitors most of the user’s activity on the external site, including keystrokes (text input) and anything tapped on the page. Such tracking would allow TikTok to capture users’ credit card information and passwords.
The report also states that TikTok was able to monitor this activity because it uses an in-app browser, a browser built into the app itself, to modify websites. When people click on TikTok ads or visit a creator’s profile, the app does not hand the link to a regular browser like Safari or Chrome. Instead, it defaults to the TikTok app’s built-in browser, which can rewrite certain web pages.
Of the seven iPhone apps with in-app browsers that Krause tested (he did not test Android), TikTok was the only one able to monitor keystrokes. It also appeared to monitor more activity than any other app.
In response to the findings, TikTok acknowledged that the features exist in the code but argued that the company does not use them to track users, employing them only for debugging, troubleshooting, performance monitoring and similar purposes.
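The monitoring described above depends on the in-app browser injecting JavaScript into the page it loads. As an added illustration, not code from Krause’s study or from TikTok, here is a page-side audit a site operator could ship to notice such injection: it flags script elements the site did not serve itself and records which code registers keystroke or click listeners. The origins, script contents and the minimal fake `doc` object are constructed sample input.

```javascript
// Added example (not from Krause's study or TikTok): a page-side audit that lists scripts a
// WebView injected and logs which code registers keystroke or click listeners.
// The fake `doc` in demo() is a constructed stand-in for the real DOM.
const SENSITIVE_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input', 'click']);
// FNV-1a 32-bit hash of inline script text; a demo substitute for real SRI digests.
function simpleHash(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16);
}
// Flag external scripts from origins the site does not allow-list, and inline scripts
// whose hash the site did not ship itself (content an in-app browser added).
function findInjectedScripts(scripts, allowedOrigins, knownInlineHashes) {
  return scripts.filter((s) => {
    if (s.src) return !allowedOrigins.includes(new URL(s.src).origin);
    return !knownInlineHashes.has(simpleHash(s.text || ''));
  });
}

// Wrap target.addEventListener so each sensitive-event registration is recorded with a
// stack trace, which reveals whether first-party or injected code added the listener.
function auditListeners(target, log) {
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      log.push({ type, stack: new Error().stack.split('\n').slice(2).join('\n') });
    }
    return original.call(this, type, listener, options);
  };
  return log;
}

// Constructed walk-through: one first-party script, one unexpected script, one known
// inline script, plus a keystroke listener registered after the audit was installed.
function demo() {
  const doc = { registered: [], addEventListener(type) { this.registered.push(type); } };
  const log = auditListeners(doc, []);
  doc.addEventListener('keydown', () => {}); // what a keystroke monitor would register
  doc.addEventListener('scroll', () => {});  // not sensitive, so not logged
  const scripts = [
    { src: 'https://example.com/app.js' },
    { src: 'https://injected.invalid/hook.js' }, // constructed: not a site origin
    { text: 'console.log("hi")' },
  ];
  const known = new Set([simpleHash('console.log("hi")')]);
  const injected = findInjectedScripts(scripts, ['https://example.com'], known);
  return { logged: log.map((e) => e.type), injected: injected.map((s) => s.src) };
}
```

In a real page the audit would be installed before any other script runs and its log sent to the site’s own telemetry, so that listeners added by a WebView after load stand out.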
TikTok’s ties to the CCP
TikTok now has over a billion monthly active users, mostly young people. However, the social media platform has come under scrutiny due to its ownership by Beijing-based Chinese company ByteDance and a reported link to the Chinese Communist Party (CCP).
TikTok has promised for years that US user information would be stored in the US, not China. However, according to leaked recordings of 80 internal TikTok meetings obtained by BuzzFeed, US users’ non-public data was repeatedly accessed from China.
On August 12, the Cyberspace Administration of China (CAC), the country’s top internet regulator, issued a notice publicly asking 30 Chinese internet companies to submit filings on their algorithms. ByteDance was one of them.
The algorithms are adapted to the preferences of each user thanks to artificial intelligence. Zhu Wei, an associate professor at China University of Political Science and Law, said the algorithm is not just a calculation program, but more related to personal information and big data.
The CAC’s unprecedented decision has sounded alarm bells around the world. Clare O’Neil, Australia’s home affairs minister and cybersecurity minister, has ordered a review of TikTok’s data collection.
“Having millions of Australians access an app where the use of their data is questionable is truly a modern security challenge for the country,” O’Neil told the Sydney Morning Herald in early September.
There are currently 7.38 million adult TikTok users in Australia, according to Digital 2022, a report published by internet data research company We Are Social.
The Biden administration could also take steps to curb investment in Chinese tech companies, perhaps acting alone on TikTok, people familiar with the matter told Bloomberg.
TikTok users in the US now number around 80 million, or about a quarter of the US population.