TikTok, Instagram, Facebook: their built-in browsers on mobile can monitor all your web activity


The browsers built into certain social network apps could collect a wide range of data through JavaScript code injected directly into web pages. This code reportedly contains functions to capture all interactions, including passwords and credit card numbers.


The browsers integrated into apps from some social networks can log all of your activity, including typed text, according to cybersecurity researcher Felix Krause. This is at least true on iOS; he did not analyze the Android versions of the apps.

Users of TikTok, Instagram, Facebook and Messenger are all exposed to surveillance when they open a link in these applications without going through an external browser. Each has its own built-in browser, which injects JavaScript code into viewed pages without the consent of either the user or the website.

A browser that behaves like a keylogger

Although he cannot say what data is actually collected, the JavaScript code contains all the functions necessary to record all interactions with the pages visited, including the text entered (passwords, credit card numbers, etc.), links opened and even screenshots. This is the very principle of a keylogger.

Meta, Facebook's parent company, as well as TikTok, both replied that the code in question did not record any personal data. In the case of Meta, it would primarily serve to ensure that users are not tracked by the Meta Pixel (equivalent to Google Analytics) when they object. For its part, TikTok indicated that its code is used for diagnostics and performance monitoring, such as page load times. However, it is difficult to imagine that these companies would pass up data collection when the code already contains all the necessary functions. In any case, there is a simple way to avoid any surveillance risk: always choose to open links in the phone's default browser, and not in that of the application.
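For site owners, one way to observe the kind of listener registration described above is to audit calls to `addEventListener` from the page itself. This is an added example, not code from the researcher or from any of the apps named here; the event list, the function names and the "page"/"unknown" labels are assumptions of the sketch.

```javascript
// Added example: record who subscribes to input-related events on a page.
// SENSITIVE_EVENTS and the origin labels are assumptions, not taken from the article.
const SENSITIVE_EVENTS = new Set([
  "keydown", "keyup", "keypress", "input", "change",
  "click", "selectionchange", "copy", "paste",
]);

function installListenerAudit(proto = EventTarget.prototype) {
  const original = proto.addEventListener;
  const records = [];
  let pageDepth = 0; // > 0 while the site's own code is registering listeners

  proto.addEventListener = function (type, listener, options) {
    if (SENSITIVE_EVENTS.has(type)) {
      records.push({
        type,
        origin: pageDepth > 0 ? "page" : "unknown",
        stack: new Error().stack, // helps tell the site's bundles from other code
      });
    }
    return original.call(this, type, listener, options);
  };

  return {
    // Wrap the site's own setup code so its listeners are labelled "page".
    asPage(fn) { pageDepth++; try { return fn(); } finally { pageDepth--; } },
    // Listeners the site did not register itself: candidates for injected code.
    unexpected() { return records.filter((r) => r.origin === "unknown"); },
    all() { return records.slice(); },
    uninstall() { proto.addEventListener = original; },
  };
}

// Constructed demo: a bare EventTarget stands in for `document`, so it also runs in Node.
function demo() {
  const audit = installListenerAudit();
  const doc = new EventTarget();
  audit.asPage(() => doc.addEventListener("input", () => {})); // the site's own form handler
  doc.addEventListener("keydown", () => {}); // stand-in for code the host app injected
  doc.addEventListener("scroll", () => {});  // not in SENSITIVE_EVENTS, ignored
  const found = audit.unexpected().map((r) => r.type);
  audit.uninstall();
  return found;
}
```

The audit only sees listeners registered through `addEventListener` after it is installed and in the same JavaScript context as the page; handlers set earlier, or from an isolated script context, stay invisible to it.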
