TikTok is very much the social media platform of the moment. The app has been downloaded over 2.6 billion times worldwide and has more than 1 billion monthly active users. But despite its popularity, there have long been questions relating to user security, particularly when it comes to the company’s ownership.

TikTok and China

TikTok’s parent company ByteDance is headquartered in Beijing, China, which means it operates under the jurisdiction of the ruling Chinese Communist Party (CCP). ByteDance has long denied that it has or ever would share data for non-China residents with the CCP, but the possibility it could be compelled to do so has led to vocal concerns in many other corners of the world. Indeed, the US military has a blanket ban on the installation of TikTok on government devices2, and the app is prohibited from all app stores in India.

It’s worth repeating that, at the time of writing, there is scant evidence TikTok or its parent company have ever knowingly shared user information with third parties, but there are still reasons to remain on guard. For example, recent reporting has shown approximately 300 ByteDance and TikTok employees have previously worked for Chinese state media outlets – many of which have been cited by the US State Department as “foreign government functionaries.” With this degree of crossover between the CCP and TikTok, it’s perhaps inevitable suspicions of the social company will continue for some time yet.

A History of Security Concerns

Last year, TikTok said it would pay $92 million to settle multiple US lawsuits that alleged the company was capturing personal data via several methods, including facial recognition. For its part, TikTok said it did not agree with the assertions made but had decided the payment was necessary to end the litigation. Whatever the truth of that incident, it would not be the last time TikTok would have to face tough questions about its responsibilities as a custodian of user information.

Keylogging threats

TikTok’s handling of user data has recently come under scrutiny after a security expert examined the platform’s in-app browser. As a primer, TikTok – like many social apps – allows users to share links to external websites. However, unlike Instagram or Snapchat, TikTok does not allow users to open links via browsers such as Safari or Chrome – they can only be accessed from the built-in browser. From a usability standpoint, this makes sense: users can more easily get back to their video feed when they’re done with the website. But from a privacy perspective, there could be inherent risks for the user.

In an August 2022 blog post, researcher Felix Krause discussed how TikTok’s browser injects JavaScript code into the websites it loads up. Krause says such a process can be used to insert keylogging tools – software that lets an interloper capture everything that a user types. The security expert also notes the JavaScript code also lets TikTok see all links and images that are tapped on a third-party website.

Krause’s post is not conclusive proof of TikTok logging user information via other websites. And for its part, TikTok has acknowledged the existence of such JavaScript, claiming it is only used for “debugging, troubleshooting and performance monitoring.” But as Krause illustrates, the potential to abuse the code is still there, even if it’s not being exploited.

Managing the TikTok Risks

As TikTok’s user base continues to flourish, the risks to its account-holders only grow. After all, more data-rich profiles mean more incentives for hackers or other nefarious actors. So what can users do about it?

SignalAlert was built to monitor the entire internet, scouring the dark web, social platforms, and more, seeking out critical signals as they appear online. Real-time data is channeled through iThreat’s rules engine, which sifts through the digital noise to identify and isolate potential threats. Leveraging these discoveries, you can more quickly mitigate risks to people, content, and intellectual property.

When sensitive information is uncovered, iThreat’s managed response tools can help you deal with the problem. With 25 years of experience in the managed threat response arena, iThreat has worked with hundreds of clients, helping them reduce potential harm.

As TikTok has shown, social platforms can be immensely fun and enormously entertaining. However, we rarely get a glimpse of what is going on behind the scenes, and when we do, it can lead us to question how safe our information really is. And while TikTok is now very much part of the culture in which we live in, iThreat SignalAlert ensures users don’t have to be unnecessarily exposed should there be a data breach fallout.

Get the latest news from iThreat to your inbox

Enter your email below to stay up-to-date on the latest threat intelligence news and resources.

    Email Address
    About iThreat

    About iThreat

    Founded in 1997, iThreat has assisted hundreds of clients with thousands of internet monitoring and investigations, including multiple successful multinational law enforcement operations.

    Learn More
    About iThreat