You may not be the only one looking at your screen when you're on TikTok

Using the web browser in TikTok? You may want to think twice about entering any sensitive information in there, because the app can track everything you type (including credit card numbers and passwords), according to new security research.

Why it matters: The findings will likely add to growing concerns that TikTok, which is owned by China-based ByteDance, poses a security risk to Western states. 

  • American officials turned up the heat on TikTok earlier this year after a BuzzFeed report found that US user data had been repeatedly accessed in China.

Catch up: The latest research from privacy researcher Felix Krause found that TikTok embeds code for monitoring keystrokes inside the web browser that pops up when you click on a link inside the app.

  • “When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input,” Krause found. 

TikTok acknowledged that the code exists, but said it was used only for troubleshooting and denied that it collected or stored keystroke data.

  • Other apps, including Facebook and Instagram, also use code to monitor things like what pages people visit and links they click, but they do not track each character typed by users.

Zoom out: Tracking what you type isn’t the only thing about TikTok that’s spooking Western security officials these days. Oracle recently began an independent review of the app’s algorithm, part of an effort from ByteDance to show the US government that its content recommendations are not influenced by the Chinese Communist Party.

Bottom line: It may be true that TikTok is not doing anything malicious right now, but that’s unlikely to satisfy Western governments who fear that the app’s powerful capabilities could be weaponized in the event of a conflict with China.