Meta and TikTok can track everything you type in built-in browsers: researcher

iPhone apps from Facebook, Instagram and TikTok are able to track everything users type in their built-in internet browsers, a security researcher warns.

The three popular social media apps say they don’t track sensitive user data such as credit card information, passwords and addresses that are entered through in-app browsers – but doing so would be extremely easy if they wanted to, researcher and developer Felix Krause wrote this week.

For example, imagine that an Instagram user’s friend sends them a direct message with a link to a product for sale.

If the Instagram user clicks on the link using their iPhone, it will open in the in-app browser rather than being redirected to Safari. If the user then decides to purchase the product, they will need to enter their credit card information, shipping address and other details, all of which can be tracked by Instagram, according to Krause. The same process would happen if they bought a product from an Instagram ad.

Meta’s Facebook and Instagram are able to track user keystrokes, Krause said.

The new research comes as regulators have raised privacy and security concerns over Chinese-owned TikTok.

In June, Federal Communications Commission Commissioner Brendan Carr called on Apple and Google to remove the app from their app stores, calling the app “a sophisticated surveillance tool that collects large amounts of personal and sensitive data.”

“TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers, including faceprints…and voiceprints,” Carr wrote in an open letter.

According to Krause, Instagram “injects JavaScript code into every website viewed”, giving it potential access to all of this user data and more – although there’s no evidence that Instagram, Facebook or TikTok are actually logging or saving this data.

“Even though the injected script currently does not do this, running custom scripts on third-party websites allows them to monitor all user interactions, such as every button and link tapped, text selections, screenshots, along with all form inputs, like passwords, addresses, and credit card numbers,” Krause wrote. “I haven’t proven the exact data Instagram tracks, but I wanted to show the type of data they might get without you knowing.”

Similarly, Krause said TikTok’s iOS app “subscribes to every keystroke (text entries) occurring on third-party websites rendered in the TikTok app.”

TikTok can also track user keystrokes, Krause said.

“This may include passwords, credit card information and other sensitive user data,” he said.

To avoid tracking risk, Krause recommends users open links outside of Instagram, Facebook, and TikTok apps and use the standard iPhone Safari browser.

In a statement to The Post, a TikTok spokesperson accused Krause of making “incorrect and misleading” statements about the app.

“The researcher specifically says that the JavaScript code does not mean our app is doing anything malicious, and admits that they have no way of knowing what kind of data our in-app browser is collecting,” said the spokesperson. “Contrary to the report’s claims, we do not collect keystrokes or text input through this code, which is only used for debugging, troubleshooting, and performance monitoring.”

A Meta spokesperson said, “We use in-app browsers to enable safe, convenient, and reliable experiences, like making sure autofill fills in correctly or preventing people from being redirected to malicious websites. Adding any of these types of functionality requires additional code. We’ve carefully designed these experiences to respect users’ privacy choices, including how data may be used for ads.”