Facebook, Instagram inject ‘tracking code’ in in-app browser to monitor usage: Report
When users open a link on the Facebook and Instagram apps, they’re taken to the respective page not via a browser of their choice, one installed on their phones, but via Facebook or Instagram’s in-app browser. While this may seem convenient, recent reports suggest parent company Meta may have other motives behind implementing an in-app browser for links.
According to a report by researcher Felix Krause, via Engadget, the default in-app browser on Facebook and Instagram injects ‘tracking code’ into every website it opens for you, allowing a number of interactions to be monitored, likely without the user’s explicit knowledge. These include which ads you click on, which buttons you hit, text selections and more.
💥 New Post: Instagram & Facebook tracks everything you do on any website in their in-app browser https://t.co/dj5CMJUwHc pic.twitter.com/LvWXGa34N2
— Felix Krause (@KrauseFx) August 10, 2022
“The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause said in a blog post.
The researcher’s work mainly focused on the Facebook and Instagram apps for iOS. Krause noted that Facebook may not necessarily be using the JavaScript injection to collect sensitive data. Regardless, the approach does seem fishy, because it lets Meta monitor usage on both unencrypted and encrypted sites; the latter is something other browsers would not allow.
In a later tweet, Krause said that Facebook had reached out to him, saying the system they’ve built honours the user’s App Tracking Transparency (ATT) choice:
Facebook reached out to me, saying the system they’ve built honours the user’s ATT choice.
However, this doesn’t change anything about my publication: The Instagram iOS app is actively injecting JavaScript code into all third party websites rendered via their in-app browser. pic.twitter.com/9h0PIoIOSS
— Felix Krause (@KrauseFx) August 11, 2022
Krause further added that the communication app WhatsApp, also owned by Meta, doesn’t modify third-party websites in a similar way, and suggested that Facebook and Instagram should follow a similar approach.