TikTok Says, No, It Isn't Stealing Your Passwords

A developer warned that TikTok’s iPhone app could scrape passwords and other sensitive data with its in-app browser. But there is no evidence the app is doing that.
[Image: TikTok logo displayed on a smartphone. Credit: Avishek Das/SOPA Images/LightRocket via Getty Images]

On Thursday, a developer claimed that TikTok’s app for iOS contains code that could allow the company to monitor “all keystrokes, including passwords, and all taps.”

In a Twitter thread and in a blog post, Felix Krause, a developer who previously worked at Google and Twitter and who has found security and privacy issues in the past, wrote that TikTok’s iPhone app opens an in-app browser whenever you open a link within the app. Thanks to some JavaScript code included in that in-app browser, Krause warns, TikTok “subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data.”


His findings were reported by several websites, which led with this potentially startling revelation. But Krause himself hedged his own findings, writing: “We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites.”

In an online chat, Krause said that his report “doesn’t say TikTok is actually recording and using this data. I talked about how TikTok injects JavaScript through their in app browser that has code in place to track keystroke happening on third party websites. I emphasized how I can’t talk about if and how the system is actually being used.”

TikTok strongly denied the accusation. In a statement sent via email to Motherboard, a company spokesperson wrote: “The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects. Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring.”



According to the spokesperson, TikTok uses an in-app browser like many other apps and it does not log keystrokes.

Zach Edwards, an independent cybersecurity and privacy researcher, who analyzed the code used by TikTok’s iOS app, also cautioned that Krause’s findings are not definitive. While he agreed that the JavaScript inside TikTok’s app “could scrape” information typed within the app, Edwards said that whether an app actually scrapes forms—such as password form fields—can only be confirmed by monitoring what data the app sends to its servers.
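Edwards' point that scraping can only be confirmed by watching what the app sends out translates into a concrete test: type a unique canary string into a form on a page rendered inside the in-app browser, capture the app's outbound requests with an intercepting proxy, and search every request for the canary in its plain, URL-encoded and base64 forms. The Python script below is an added example written for this article; it is not code from the article, from Krause's research or from TikTok. The captured requests, hostnames and canary value are constructed, and the `.invalid` hostnames are placeholders.

```python
import base64
import json
import re
from urllib.parse import unquote_plus, urlparse

# Constructed canary value. The tester types it into a password field on a
# third-party page rendered in the in-app browser while a proxy records the
# app's outbound traffic; no real credential is ever typed.
CANARY = "canary!7Qx9vP2mZt"

# Runs of base64-alphabet characters long enough to be worth decoding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{16,}")


def _decoded_views(text):
    """Yield the text as captured, URL-decoded, and with base64-looking tokens decoded."""
    yield text
    yield unquote_plus(text)
    for token in _B64_TOKEN.findall(text):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error (bad padding/alphabet) is a ValueError subclass
            continue


def contains_canary(request, canary=CANARY):
    """True if the canary appears anywhere in the request's URL, headers or body."""
    blob = " ".join([
        request["url"],
        json.dumps(request.get("headers", {})),
        request.get("body", ""),
    ])
    return any(canary in view for view in _decoded_views(blob))


def find_exfiltration(requests, page_host, canary=CANARY):
    """Return URLs of requests that carry the canary to a host other than the page it was typed into.

    The form submission to page_host itself is the expected login request and is not flagged;
    only requests that move typed content to some other host count as evidence of scraping.
    """
    return [
        r["url"] for r in requests
        if urlparse(r["url"]).hostname != page_host and contains_canary(r, canary)
    ]


# Constructed proxy capture: four requests recorded while the canary was typed into a
# login form on third-party-site.invalid (hypothetical host rendered in the in-app browser).
CAPTURE = [
    {"url": "https://third-party-site.invalid/login", "method": "POST",
     "body": "user=alice&pass=canary%217Qx9vP2mZt"},          # expected: submission to the page's own host
    {"url": "https://example-analytics.invalid/perf", "method": "POST",
     "body": json.dumps({"event": "page_load", "ms": 412})},  # benign: performance data, no typed content
    {"url": "https://vendor-telemetry.invalid/log", "method": "POST",
     "body": base64.b64encode(json.dumps({"keys": CANARY}).encode()).decode()},  # flagged: canary wrapped in base64
    {"url": "https://vendor-telemetry.invalid/q?t=canary%217Qx9vP2mZt", "method": "GET"},  # flagged: URL-encoded canary
]

if __name__ == "__main__":
    for url in find_exfiltration(CAPTURE, "third-party-site.invalid"):
        print("typed form content left the page origin:", url)
```

The check deliberately ignores the canary travelling to the page's own host, since that is the login request the user intended to send; what would substantiate a keylogging claim is the canary turning up in a request to any other host. A real run also needs TLS interception on the device and, if the app wraps its telemetry in compression or a custom encoding, a matching decoder added to `_decoded_views`, so a clean result from this script alone is evidence of absence only for the encodings it understands.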

“Felix is making TikTok look worse than they are—and that’s unfortunate because they are pretty bad,” he said. 

Still, Edwards said that in-app browsers are “wildly dangerous” because theoretically they give the apps the ability to scrape sensitive information. That's why he thinks that Apple and Google should give users a chance to disable them. 

Joseph Cox contributed reporting.
