TikTok instagram
© SOPA Images/LightRocket via GettTikTok and Meta's Instagram are capable of tracking everything you type on their in-app browsers, according to a privacy researcher.
Facebook, Instagram and TikTok's iPhone apps are capable of tracking everything users type in their in-app internet browsers, according to warnings from a security researcher.

All three popular social media apps say they don't track sensitive user data like credit card information, passwords and addresses that is entered through in-app browsers — but it would be extremely easy for them to do so if they wanted to, researcher and developer Felix Krause wrote this week.

For example, imagine an Instagram user's friend sent them a direct message with a link to a product for sale.

If the Instagram user clicks on the link using their iPhone, it will open within the in-app browser rather than redirecting to Safari. If the user then decides they want to purchase the product, they will have to enter their credit card information, shipping address and other details — all of which can be tracked by Instagram, according to Krause. The same process would occur if they were buying a product from an Instagram advertisement.

meta facebook
© Bloomberg via Getty ImagesMeta’s Facebook and Instagram are capable of tracking users’ keystrokes, Krause said.
The new research comes as regulators have raised privacy and security concerns about Chinese-owned TikTok.

In June, Federal Communications Commission commissioner Brendan Carr called on Apple and Google to remove the app from their app stores, calling the app a "sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data."

"TikTok collects everything from search and browsing histories to keystroke patterns and biometric identifiers, including faceprints... and voiceprints," Carr wrote in an open letter.

According to Krause, Instagram "injects Javascript code into every website shown" that gives them potential access to all that user data and more — though there's no evidence Instagram, Facebook or TikTok are actually recording or saving such data.

"Even though the injected script doesn't currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," Krause wrote. "I didn't prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing."

Similarly, Krause said that TikTok's iOS app "subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app."

TikTok
© GC ImagesTikTok can also track users’ keystrokes, Krause said.
"This can include passwords, credit card information and other sensitive user data," he said.

To avoid potential for tracking, Krause recommends users open links outside the Instagram, Facebook and TikTok apps and use the iPhone's standard Safari browser.

In a statement to The Post, a TikTok spokesperson accused Krause of making "incorrect and misleading" statements about the app.

"The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects," the spokesperson said. "Contrary to the report's claims, we do not collect keystroke or text inputs through this code, which is solely used for debugging, troubleshooting, and performance monitoring."

A Meta spokesperson said, "We use in-app browsers to enable safe, convenient, and reliable experiences, such as making sure auto-fill populates properly or preventing people from being redirected to malicious sites. Adding any of these kinds of features requires additional code. We have carefully designed these experiences to respect users' privacy choices, including how data may be used for ads."