Krause says this is the equivalent of installing a keylogger on third-party websites. However, TikTok has reportedly denied that the code is used for malicious purposes.
Krause says TikTok’s in-app browser “subscribes” to all keyboard input while a user interacts with a website, including sensitive personal and financial information, like passwords and credit card information.
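For site owners who want visibility into this behaviour, the following added example (not from the article or from Krause's analysis) records which script registers keyboard listeners on a page and flags any registrant outside an allow-list. The function names and the `https://shop.example/static/` prefix are hypothetical, and the hook only sees `addEventListener` calls made after it is installed.

```javascript
// Added example (not from the article): log who registers keyboard listeners.
// Runs in a browser page or in Node 15+; both expose a global EventTarget.
const KEY_EVENTS = new Set(["keydown", "keyup", "keypress", "beforeinput", "input"]);

// Turn an Error stack into caller frames, dropping the "Error" header line
// that V8 adds and the first frame, which is the hook itself.
function callerFrames(stack) {
  return String(stack || "")
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line && line !== "Error")
    .slice(1);
}

// A registration is expected only if the registering frame comes from a
// script source the site owner listed (hypothetical prefixes, set per site).
function isExpected(frames, allowedSources) {
  const registrant = frames[0] || "";
  return allowedSources.some((src) => registrant.includes(src));
}

function installKeyListenerMonitor(allowedSources, report = () => {}) {
  const findings = [];
  const original = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    if (KEY_EVENTS.has(type)) {
      const frames = callerFrames(new Error().stack);
      const finding = {
        type,
        target: this.constructor ? this.constructor.name : "unknown",
        registrant: frames[0] || "(no stack available)",
        expected: isExpected(frames, allowedSources),
      };
      findings.push(finding);
      if (!finding.expected) report(finding); // e.g. forward to site telemetry
    }
    return original.call(this, type, listener, options);
  };
  // Restore the native method when monitoring is no longer needed.
  const uninstall = () => { EventTarget.prototype.addEventListener = original; };
  return { findings, uninstall };
}
```

Install it as the first script on the page so that later registrations pass through the hook; each finding names the event type, the target object and the stack frame that registered the listener.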
Krause said users should switch to viewing a given link in the platform’s default browser if possible, such as Safari on the iPhone and iPad.
“Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser,” wrote Krause. “During this analysis, every app besides TikTok offered a way to do this.”