TikTok can track how users interact with websites that they access through the app’s built-in browser, Forbes reported on Thursday.

TikTok enables users to open websites through the app interface by tapping on links and ads. The app doesn’t load websites in an external browser such as Chrome, but rather uses a built-in browser. That built-in browser can reportedly collect data about user activity in external websites.

The Forbes report is based on an analysis carried out by software researcher Felix Krause. TikTok’s built-in browser, Krause told Forbes, embeds additional JavaScript code into the websites accessed by users. The additional code reportedly enables the browser to track users’ keystrokes and taps in external websites.

“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app,” Krause elaborated in a blog post. “This can include passwords, credit card information and other sensitive user data.”

A TikTok spokesperson said in a statement to TechCrunch that the company doesn’t use its in-app browser to track users’ keystrokes and taps in websites. “The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects,” the spokesperson stated. “Contrary to the report’s claims, we do not collect keystroke or text inputs through this code.”

According to TikTok, the additional code that its in-app browser adds to websites is used solely for debugging, troubleshooting and performance monitoring. The company added that the code is part of a third-party software development kit used by its app. However, TikTok didn’t share technical details about the development kit.

The new findings about TikTok’s built-in browser come a few months after BuzzFeed reported that the data of U.S. users had been accessed by China-based employees of TikTok parent company ByteDance Ltd. Most of the data access incidents reviewed by BuzzFeed reportedly took place as part of an internal initiative designed to make U.S. users’ information inaccessible to China-based staff. As part of that initiative, TikTok earlier this year started routing all U.S. user traffic through Oracle Corp. servers located in the U.S.

In response to the new findings about TikTok’s built-in-browser, the Irish Data Protection Commission told TechCrunch that it “will be engaging with TikTok on the issue.” The regulator also plans to hold discussions with Meta Platforms Inc. about its apps’ privacy settings. Earlier this month, it was reported that the built-in browser in Meta’s Facebook and Instagram apps can track certain user interactions with external websites.

Image: TikTok