According to a privacy expert, TikTok's software adds code that allows third parties to monitor behavior on websites accessed through its browser. TikTok claims that it uses the code for debugging and other purposes.
Felix Krause, a software researcher based in Vienna, claims that when TikTok users click on a link in the TikTok app, the program inserts code into the website that enables TikTok to track behavior like keystrokes and what users tap on that site.
That might make it possible for TikTok to collect private user data like passwords and credit card details. The websites are opened through TikTok's in-app browser rather than a conventional one like Chrome or Safari, which gives the app the ability to inject the code and change the websites to allow that surveillance.
The findings were first published by Forbes, which quoted Krause as saying, "This was an active choice the company made." Krause is the creator of the app-testing business Fastlane, which Google acquired five years ago. He said, "This is a non-trivial engineering task. This does not happen by mistake or randomly."
Although those elements are present in the code, TikTok spokesperson Maureen Shanahan told Forbes that the app does not use them to track users. The JavaScript code in question is only used for debugging, troubleshooting, and performance monitoring of that experience, such as checking how quickly the page loads or whether it crashes, she said in a statement to the publication. "Like other platforms, we use an in-app browser to provide an optimal user experience."
The code, according to TikTok, is a component of a third-party software development kit, or SDK, a collection of tools used to create or manage apps. The SDK has functionality that TikTok does not employ.
The announcement comes amid ongoing security and surveillance worries regarding the TikTok app and the Chinese company ByteDance, which owns it. According to some US officials, TikTok poses a national security concern because ByteDance may provide Chinese authorities access to data about Americans gathered through the app, which they may use as a weapon against Americans. TikTok has frequently stated that it would never take such a step.
Krause's study included other platforms besides TikTok. He examined a total of seven in-app browser-enabled iPhone applications, including TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon, and Robinhood. TikTok is the only one of those that, according to Krause, appears to track keystrokes. The TikTok app for Android wasn't tested by Krause.