body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2022 Twitter, Inc.

Don’t miss what’s happening

People on Twitter are the first to know.

Thread

Conversation

New Post: Announcing InAppBrowser - see what JavaScript commands get injected through an in-app browser

TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps. krausefx.com/blog/announcin

8:59 PM · Aug 18, 2022Tweetbot for Mac

Replying to

InAppBrowser.com - a new tool I used to investigate the in-app browsers of apps (that use them) to look for any external JavaScript code being injected.

17

542

2,034

When opening a website from within the TikTok iOS app, they inject code that can observe every keyboard input (which may include credit card details, passwords or other sensitive information) TikTok also has code to observe all taps, like clicking on any buttons or links.

46

2,535

3,742

Continuing to analyse the Instagram iOS app, I found something new: Besides injecting pcm.js (as covered last week), Instagram also injects JavaScript code to observe all taps happening inside their in-app browser, like clicking on buttons, links or images.

9

534

1,478

As of iOS 14.3, apps can easily hide their JavaScript activities from websites using WKContentWorld. Hence, it becomes more important than ever to find a solution to end the use of custom in-app browsers for showing third party content.

4

209

1,222

Apps that use the recommended SFSafariViewController approach, don’t have any of those problems. Even with the WKContentWorld system, there is no way the iOS app can inject JS code into external websites, making it the safest choice for the user.

4

210

1,017

FAQ for non-tech readers

5

374

1,291

Wow, what an honour to have my work featured on

Including statements by TikTok confirming the code I found exists and does what I expected. forbes.com/sites/richardn via

42

442

2,264

Replying to

I'll read the article but are you seeing that they ping that info to some endpoint?

1

3

Dr. Augustine Fou

I dont think the page can see the subsequent step

1

4

Show replies

InfiniteLoop.ie

Replying to

Facebook messenger injects code from

- Interactive Advertising Bureau to all external links.

unless Iab-pcm could be something else ?

1

13

Show replies

Christopher Lloyd

Replying to

and

So this all goes away if Apple hard deprecates WKWebView ?

6

5

I doubt AAPL will do that because lots of apps depend on WKWebView for legit reasons. AAPL could require that apps list all the domains they want to connect to via WKWebView, and require an entitlement for browser-builders.

1

11

Jordi Ordóñez

Replying to

and

@BlackLabelAdvsr

enjoy

1

3

Jon Elder | Amazon FBA | Private Label Consultant

@BlackLabelAdvsr

Nothing to see here.

4

Dr. Augustine Fou

Replying to

should we trust TikTok to NOT harvest passwords of millions of American's, kids, etc.?

@GretchenSPeters

@CastiglioneJohn

@PrivacyMatters

6

1

23

Gretchen Peters

@GretchenSPeters

Nope

1

7

Show replies

Replying to

you might find this interesting and of course you won't be surprised that apps are injecting code into sites you visit...

2

@Ma_NOcalificada

Replying to

Quote Tweet

Felix Krause

@KrauseFx

· Aug 18

New Post: Announcing InAppBrowser - see what JavaScript commands get injected through an in-app browser

TikTok, when opening any website in their app, injects tracking code that can monitor all keystrokes, including passwords, and all taps. krausefx.com/blog/announcin

Show this thread

Replying to

Github link at the end doesn't seem to be working?

1

1

10

I knew I’d forget something! Here we go, it’s public now:

GitHub - KrauseFx/InAppBrowser.com: Showcasing what the Instagram in-app browser does under the hood

Showcasing what the Instagram in-app browser does under the hood - GitHub - KrauseFx/InAppBrowser.com: Showcasing what the Instagram in-app browser does under the hood

1

16

151

Show replies

New to Twitter?

Sign up now to get your own personalized timeline!

Sign up with Apple

Sign up with phone or email

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

Trending now

What’s happening

Entertainment

LIVE

NHK連続テレビ小説『ちむどんどん』

News · Trending

渋谷刺傷

Trending with 逮捕の少女, 埼玉中3

Trending in Japan

爆破予告

Trending with アリオ札幌

All About

1 hour ago

【8月21日は献血の日】献血の記念品は回数やポイントに応じて種類があるって知ってた？日本赤十字社に聞いた

BuzzFeed Japan Medical

1 hour ago

新型コロナを「当たり前の感染症」として受け入れた時、何が起きるのか？　感染者はインフルの数倍から10倍に