Original Release Date: 8/31/2022
Social media is an integral part of society; TikTok, Instagram, and Facebook have become household names. Even those who do not use these platforms likely know someone who does. Social media is a powerful tool that unites people across the globe and allows users to share a little window into their lives and socialize on a grand scale. Yet, if they are not careful, users of these platforms may share much more than they think – or want. The implications can go beyond personal risk when accessing social media apps in a professional environment.
To use these platforms, users are often encouraged to enter personal information with the understanding that companies managing the platforms will secure their data. In addition to information users provide to these platforms, the social media apps may collect additional data unbeknownst to the user.
Platform Accesses
While the content users share on social media timelines can reveal a lot of information about their lives, simply interacting with a social media platform can unknowingly create avenues for platforms to record information about individuals.
On August 18, Felix Krause, a Vienna-based software researcher, published a report revealing that TikTok is capable of injecting JavaScript code to read and record all keyboard inputs of users through its in-app browser. When a user accesses a third-party website through a link in TikTok, the app logs every keystroke the user inputs, as well as any link, image, button, or other component a user taps on the page. Keystrokes could include credit card information, passwords, and other sensitive information. TikTok also inspects and receives details regarding any elements that a user clicks while interacting with the platform. While the exact purpose of this is unknown, it is functionally the same as installing a keylogger during a browsing session.
Krause also released a report on August 10 about Instagram and Facebook performing similar JavaScript injections whenever a user accessed their in-app browsers. Krause’s research included testing seven iPhone apps and measuring the functions of the JavaScript injections. At the conclusion of this study, TikTok was the only app that performed keylogging. While Krause’s research determined that Instagram and Facebook did not log data to the extent of TikTok, the injections made while using their browsers were still able to perform tasks like recording online purchases, scrolling behavior, tapping behavior, and injecting advertisements without either the user’s or website’s permission.
The cases of monitoring by TikTok, Instagram, and Facebook are examples of cross-site tracking, where a platform tracks user activity on third-party apps without permission. Krause noted this process does not happen accidentally because creating a keylogger is a relatively complex task.
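For website owners who want to check whether a script they did not ship is subscribing to keystroke and tap events on their pages, the following added example (not code from Krause's reports or from any of the platforms) wraps addEventListener and lists registrations that do not come from the site's own scripts. The names WATCHED, auditListeners and foreignListeners are hypothetical, and the demo input is constructed.

```javascript
// Added example: audit who subscribes to keystroke and tap events on a page.
// Load it before any other script. All names here are hypothetical.
const WATCHED = new Set(["keydown", "keypress", "keyup", "input",
                         "click", "touchstart", "touchend"]);

// Wrap addEventListener on `proto` (EventTarget.prototype in a browser) and
// record every registration for a watched event type.
function auditListeners(proto) {
  const original = proto.addEventListener;
  const log = [];
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED.has(type)) {
      log.push({
        type,
        on: this && this.constructor ? this.constructor.name : "unknown",
        capture: options === true || Boolean(options && options.capture),
        stack: String(new Error().stack), // shows which script registered it
      });
    }
    return original.call(this, type, listener, options);
  };
  return { log, restore() { proto.addEventListener = original; } };
}

// Entries whose call stack mentions none of the site's own script markers
// (script URLs on a real page; function names in the constructed demo below).
function foreignListeners(log, ownScriptMarkers) {
  return log.filter((e) => !ownScriptMarkers.some((m) => e.stack.includes(m)));
}

// Constructed demo: runs in Node (which ships EventTarget) or in a browser.
function demo() {
  const audit = auditListeners(EventTarget.prototype);
  const page = new EventTarget(); // stands in for `document`
  function siteCheckoutScript() { page.addEventListener("input", () => {}); }
  function unknownInjectedScript() { // no-op handlers, registration only
    page.addEventListener("keydown", () => {}, { capture: true });
    page.addEventListener("click", () => {}, true);
    page.addEventListener("scroll", () => {}); // not a watched type
  }
  siteCheckoutScript();
  unknownInjectedScript();
  audit.restore();
  return foreignListeners(audit.log, ["siteCheckoutScript"]);
}

console.log(demo().map((e) => `${e.type} on ${e.on}, capture=${e.capture}`));
```

The audit only sees registrations made after it loads and inside the page's own JavaScript context, so a host app that injects earlier or into an isolated context will not appear in the log.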
TikTok spokesperson Maureen Shanahan has since released a statement admitting that the company has this function on its in-app browser, similar to those used on other platforms; however, according to the statement, TikTok only uses the JavaScript injections for debugging, troubleshooting, and performance-monitoring purposes.
Even though there are valid reasons to use an in-app browser, such as to complete specific transactions in a financial app like Venmo, privacy concerns develop when in-app browsers are used to visit third-party websites.
What Can Be Done?
While these platforms claim these functions are not being used to spy on in-app browsing sessions, the ability to track activity without user knowledge is still an alarming implication. There are ways, however, that users can browse via social media more securely.
Once a user opens an in-app browsing session in an application such as Facebook or Instagram, they will have the option to open the session in a separate web browser using the “Open in Browser” feature. This will redirect the user to a browser on the device that the app will not track. However, TikTok does not contain this feature for its in-app browsing sessions. Users who want to be more secure on TikTok but continue to click links via the app will need to take an extra step. When accessing a website link through TikTok, a user can copy the link and paste it into a web browser of their choice. This will keep TikTok from injecting JavaScript into their browsing sessions.
Social media is an important part of daily life for many users, but it is even more important to know how to stay secure and limit privacy concerns while using these platforms. Even if a user is careful with their posts on social media, their data could still be at risk through other covert means. Beyond personal risk for individuals, businesses and organizations are advised to weigh the risks these and similar apps introduce and consider restricting their usage in sensitive environments. It is vital to stay educated on the abilities, accesses, and permissions of these platforms, what data they collect, and what they do with that data.