Facebook, Instagram and TikTok’s iPhone apps are capable of tracking everything users type in their in-app internet browsers, according to warnings from a security researcher.
All three popular social media apps say they don’t track sensitive user data like credit card information, passwords and addresses that is entered through in-app browsers — but it would be extremely easy for them to do so if they wanted to, researcher and developer Felix Krause wrote this week.
For example, imagine an Instagram user’s friend sent them a direct message with a link to a product for sale.
If the Instagram user clicks on the link using their iPhone, it will open within the in-app browser rather than redirecting to Safari. If the user then decides they want to purchase the product, they will have to enter their credit card information, shipping address and other details — all of which can be tracked by Instagram, according to Krause. The same process would occur if they were buying a product from an Instagram advertisement.
Meta’s Facebook and Instagram are capable of tracking users’ keystrokes, Krause said.
The new research comes as regulators have raised privacy and security concerns about Chinese-owned TikTok.
In June, Federal Communications Commission commissioner Brendan Carr called on Apple and Google to remove the app from their app stores, calling the app a “sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data.”
“TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers, including faceprints… and voiceprints,” Carr wrote in an open letter.
“Even though the injected script doesn’t currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause wrote. “I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing.”
Similarly, Krause said that TikTok’s iOS app “subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app.”
TikTok can also track users’ keystrokes, Krause said.
“This can include passwords, credit card information and other sensitive user data,” he said.
To avoid potential for tracking, Krause recommends users open links outside the Instagram, Facebook and TikTok apps and use the iPhone’s standard Safari browser.
In a statement to The Post, a TikTok spokesperson accused Krause of making “incorrect and misleading” statements about the app.
A Meta spokesperson said, “We use in-app browsers to enable safe, convenient, and reliable experiences, such as making sure auto-fill populates properly or preventing people from being redirected to malicious sites. Adding any of these kinds of features requires additional code. We have carefully designed these experiences to respect users’ privacy choices, including how data may be used for ads.”