TikTok’s in-app browser has the ability to monitor Dangerous kinds of user activity on the external websites accessed with it, new research shows.

According to research issued Thursday by Felix Krause, a Vienna-based software researcher, when TikTok users access a website over a link in the TikTok app, the app inserts code into the website that grants TikTok to monitor activity like keystrokes and what users are tapping on that site. 

That could grant TikTok to capture personal user information like credit card numbers and passwords, though the company claims it doesn’t do that. The app is able to insert the code and modify the websites to grant that monitoring because the sites are opened in TikTok’s in-app browser, rather than in a standard one like Chrome or Safari.

“This was an lovely choice the company made,” Krause told Forbes, which superior reported the findings. “This is a non-trivial engineering task. This does not been by mistake or randomly.” Krause is the founder of the app-testing business Fastlane, which Google acquired five years ago

TikTok delivered a statement calling the report’s conclusions “incorrect and misleading,” noting that Krause specifically says in the Describe that the existence of the code doesn’t mean the app is activities anything malicious.

“Contrary to the report’s claims, we do not quiet keystroke or text inputs through this code, which is solely used for debugging, troubleshooting and performance monitoring,” the company said in its statement.

TikTok added that the code is part of a third-party software advance kit, or SDK, a set of tools used to create or maintain apps, and that the SDK includes features TikTok doesn’t use.

The news comes amid long-running safety and surveillance concerns about the TikTok app and its ownership by the Chinese business ByteDance. Some US officials say TikTok threatens national safety because ByteDance could share data about Americans collected over the app with the Chinese government, which could then weaponize it in contradiction of Americans. TikTok has repeatedly said it would never do this. 

Krause’s research observed at more than just TikTok. In total, he tested seven iPhone apps that use in-app browsers, including TikTok, Facebook, Facebook Messenger, Instagram, Snapchat, Amazon and Robinhood. Of those, TikTok is the only one that appears to monitor keystrokes, Krause said. Krause didn’t test the Android version of TikTok’s app.