Thursday, Aug 18, 2022

TikTok can see what you type and tap in its in-app browser

Whenever you tap a link in TikTok, the app opens it in its own in-app browser rather than handing it off to your default browser, which keeps you inside the app. Security researcher Felix Krause found that when a page loads in that browser, TikTok injects JavaScript into the third-party site, and that code can monitor every keystroke and tap on the page. TikTok denies that the code is used for malicious purposes.

According to Krause, the injected code "subscribes" to all keyboard input while you interact with the site, which can include sensitive details such as passwords and credit card numbers, as well as every tap on the page.

"From a technical perspective, this is the equivalent of installing a keylogger on third party websites," wrote Krause, regarding the JavaScript code that TikTok injects. However, the researcher added, "just because an app injects JavaScript into external websites, doesn't mean the app is doing anything malicious."
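To make the "keylogger" comparison concrete, here is an added illustration of the mechanism Krause describes: a script that, once it runs inside a third-party page, attaches capture-phase listeners for key and tap events and can reconstruct what was typed into any field, including a password field. This is example code written for this article, not TikTok's injected script and not Krause's research code. It uses Node's built-in EventTarget and Event so it runs offline; the simulated page, the field names (username, password, submit) and the typed values are all constructed for the demo, and in a real in-app browser the target would be the page's `document` and the events would come from the user.

```javascript
// Added example (not TikTok's or Krause's code): what an in-app browser's
// injected JavaScript can observe once it runs inside a third-party page.
// Node's global EventTarget/Event stand in for the browser DOM so this runs
// offline; the form fields and typed values below are constructed sample data.

// Constructed stand-in for a DOM keydown event: records which field got the key.
class KeyEvent extends Event {
  constructor(key, fieldName, fieldType) {
    super("keydown");            // same event name the DOM uses
    this.key = key;              // e.g. "a", "2", "Enter"
    this.fieldName = fieldName;  // hypothetical field id the keystroke went to
    this.fieldType = fieldType;  // "text", "password", ...
  }
}

// Constructed stand-in for a DOM click/tap event.
class TapEvent extends Event {
  constructor(fieldName) {
    super("click");
    this.fieldName = fieldName;
  }
}

// The "injected" part. One capture-phase listener per event type sees every
// keystroke and tap on the page, no matter which element is focused and no
// matter what handlers the site itself installed. Returns the captured log.
function installInjectedObserver(pageTarget) {
  const log = [];
  pageTarget.addEventListener("keydown", (e) => {
    log.push({ kind: "key", field: e.fieldName, type: e.fieldType, key: e.key });
  }, { capture: true });
  pageTarget.addEventListener("click", (e) => {
    log.push({ kind: "tap", field: e.fieldName });
  }, { capture: true });
  return log;
}

// Simulate a user logging in on the embedded site: type a username, tap the
// password box, type the password, tap submit. Constructed input only.
function simulateLogin(pageTarget, username, password) {
  for (const ch of username) pageTarget.dispatchEvent(new KeyEvent(ch, "username", "text"));
  pageTarget.dispatchEvent(new TapEvent("password"));
  for (const ch of password) pageTarget.dispatchEvent(new KeyEvent(ch, "password", "password"));
  pageTarget.dispatchEvent(new TapEvent("submit"));
}

// What the observer can recover: the full typed value per field. The type
// of the field ("password") does nothing to protect it at this layer.
function reconstructFields(log) {
  const fields = {};
  for (const entry of log) {
    if (entry.kind !== "key") continue;
    fields[entry.field] = (fields[entry.field] || "") + entry.key;
  }
  return fields;
}

// Run the whole scenario on a fresh simulated page and report what leaked.
function demo() {
  const page = new EventTarget();            // stands in for `document`
  const captured = installInjectedObserver(page);
  simulateLogin(page, "alice", "hunter2");   // constructed credentials
  return {
    taps: captured.filter((e) => e.kind === "tap").map((e) => e.field),
    fields: reconstructFields(captured),
  };
}

console.log(JSON.stringify(demo()));
```

Nothing here exploits a bug in the website: the site's own JavaScript, its HTTPS connection and its `type="password"` field are all intact. The point is that code injected by the embedding app runs with the same privileges as the page's own scripts, so whoever controls the in-app browser controls what happens to the input. That is why Krause's advice is to leave the in-app browser for the system browser whenever an app offers that option.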

A TikTok spokesperson acknowledged the code but said it's only used for debugging, performance monitoring, and troubleshooting to guarantee an "optimal user experience." 

Krause suggests if you want to open a site from TikTok, use your default browser instead. "Whenever you open a link from any app, see if the app offers a way to open the currently shown website in your default browser," wrote Krause. "During this analysis, every app besides TikTok offered a way to do this."

Apps like Facebook and Instagram also inject JavaScript into external sites loaded in their in-app browsers to track user activity, which Krause documented in earlier research.

Source: 1 + 2
