The web browser used within the TikTok app can track every keystroke made by its users, according to new research that is surfacing as the Chinese-owned video app grapples with U.S. lawmakers’ concerns over its data practices.
The research from Felix Krause, a privacy researcher and former Google engineer, did not show how TikTok used the capability, which is embedded within the in-app browser that pops up when someone clicks an outside link. But Mr. Krause said the development was concerning because it showed TikTok had built in functionality to track users’ online habits if it chose to do so.
Collecting information on what people type on their phones while visiting outside websites, which can reveal credit card numbers and passwords, is often a feature of malware and other hacking tools. While major technology companies might use such trackers as they test new software, it is not common for them to release a major commercial app with the feature, whether or not it is enabled, researchers said.
“Based on Krause’s findings, the way TikTok’s custom in-app browser monitors keystrokes is problematic, as the user might enter their sensitive data such as login credentials on external websites,” said Jane Manchun Wong, an independent software engineer and security researcher who studies apps for new features.
She said TikTok’s in-app browser could “extract information from the user’s external browsing sessions, which some users find overreaching.”
In a statement, TikTok, which is owned by the Chinese internet firm ByteDance, said Mr. Krause’s report was “incorrect and misleading” and that the feature was used for “debugging, troubleshooting and performance monitoring.”
“Contrary to the report’s claims, we do not collect keystroke or text inputs through this code,” TikTok said.
Mr. Krause, 28, said he was unable to ascertain whether keystrokes were actively being tracked, and whether that data was being sent to TikTok.
The research could raise questions for TikTok in the United States, where government officials have scrutinized whether the popular app could endanger U.S. national security by sharing information about Americans with China. Although debate in Washington about the app had receded under the Biden administration, new concerns have boiled over in recent months after revelations from BuzzFeed News and other news outlets about TikTok’s data practices and ties to its Chinese parent.
Apps sometimes use in-app browsers to prevent people from visiting malicious sites or to make online browsing easier with the auto-filling of text. But while Facebook and Instagram can use in-app browsers to track data like what sites a person visited, what they highlighted and which buttons they pressed on a website, TikTok goes further by using code that can track each character entered by users, Mr. Krause said.
A spokesman for Meta, the parent company for Facebook and Instagram, declined to comment.
Mr. Krause said he carried out the research on TikTok only on Apple’s iOS operating system and noted that the keystroke tracking would only occur within the in-app browser.
As with many apps, TikTok offers few chances for people to click away from its service. Instead of redirecting to mobile web browsers like Safari or Chrome, an in-app browser appears when users click on ads or links embedded within the profiles of other users. These are often the moments people enter key information like credit card details or passwords.
In a CNN interview in July, Michael Beckerman, a TikTok policy executive, denied that the company logs users’ keystrokes but acknowledged monitoring their patterns, such as typing frequency, to safeguard against fraud.
Mr. Krause said he feared those tools had “very similar architectures” and could be repurposed to track keystroke content.
“The problem is they have infrastructure set up to do this stuff,” he said.