Meta, the owner of Facebook and Instagram, rewrites the websites its users visit, allowing the company to follow them across the web after they click links in its apps, according to new research by a former Google engineer.
The two apps take advantage of the fact that users who click on links are taken to the web page in an “in-app browser” controlled by Facebook or Instagram, instead of being sent to the user’s preferred web browser, such as Safari or Firefox.
“The Instagram app injects and activates tracking code on every website shown, including clicking on ads, [to] monitor all user interactions such as every button and link tapped, text selections, screenshots, as well as any form input such as passwords, addresses and credit card numbers,” says Felix Krause, a privacy researcher who built an app development tool that was acquired by Google in 2017.
In a statement, Meta said that injecting the tracking code honors users’ preferences on whether to allow apps to track them, and that it is used only to collect data before it is applied for targeted advertising or measurement purposes for users who disable such tracking.
“We deliberately developed this code to honor people’s [Ask to track] choices on our platforms,” a spokesperson said. “The code allows us to collect user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code was injected so we could collect conversion events from pixels.”
They added: “For purchases made via in-app browser, we require user consent to save payment information for autofill purposes.”
Krause discovered the code injection by building a tool that lists all the extra commands a browser adds to a website. For normal browsers and most applications, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code inserted by the application. These lines appear to scan for a specific cross-platform tracking kit and, if it is not installed, call the company’s Meta Pixel, a tracking tool that allows it to follow a user around the web and build an accurate profile of their interests.
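One way a page can list what a browser adds to it, shown here as an added example that is not Krause's tool and not code from the original article: wrap DOM methods before anything else runs and log every call. The fake document, the allowlist format and the names example-tracking-kit and tracker.example are constructed for illustration.

```javascript
// Added example. Wraps selected methods on a document-like object and
// records every call, so calls the page did not make itself stand out.
function watchDomCalls(target, methodNames) {
  const calls = [];
  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== "function") continue; // not present here
    target[name] = function (...args) {
      // Log a printable summary; listener functions are not stringified.
      const shown = args.map((a) =>
        typeof a === "function" ? "[function]" : String(a));
      calls.push({ method: name, args: shown });
      return original.apply(this, args); // behaviour stays unchanged
    };
  }
  return calls;
}

// `expected` is an assumed allowlist of "method:firstArgument" strings
// covering the calls the site's own scripts are known to make.
function unexpectedCalls(calls, expected) {
  return calls.filter((c) => !expected.has(`${c.method}:${c.args[0]}`));
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  return {
    getElementById(id) { return null; }, // nothing is installed
    createElement(tag) { return { tagName: tag.toUpperCase(), src: "" }; },
    addEventListener(type, listener) {},
  };
}

function demo() {
  const doc = makeFakeDocument();
  const calls = watchDomCalls(
    doc, ["getElementById", "createElement", "addEventListener"]);
  doc.getElementById("checkout-form"); // the site's own code
  // Constructed stand-in for injected code: look for a tracking kit,
  // and if it is missing, load one and start listening for selections.
  if (!doc.getElementById("example-tracking-kit")) {
    doc.createElement("script").src = "https://tracker.example/kit.js";
    doc.addEventListener("selectionchange", () => {});
  }
  return unexpectedCalls(calls, new Set(["getElementById:checkout-form"]));
}
```

In a real page, `watchDomCalls(document, ...)` has to run inline at the very top of the page. It sees only calls made after it is installed, and only from scripts that share the page's JavaScript context.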
The company does not disclose to the user that it rewrites web pages in this way. According to Krause’s research, no such code has been added to WhatsApp’s in-app browser.
“JavaScript injection” – the practice of adding extra code to a web page before it is displayed to a user – is often classified as a type of malicious attack. Cybersecurity company Feroot, for example, defines it as an attack that “allows the threat actor to manipulate the website or web application and collect sensitive data such as personally identifiable information (PII) or payment information.”
There is no suggestion that Meta uses JavaScript injection to collect such sensitive data. The company says the Meta Pixel, which is often voluntarily added to websites to help companies advertise to users on Instagram and Facebook, “allows you to track visitor movements on your website” and can collect relevant data.
It’s unclear when Facebook started injecting code to track users after they click links. In recent years, the company has had a noisy quarrel with Apple after Apple required app developers to ask permission to track users between apps. After the prompt was launched, many Facebook advertisers realized that they were unable to target users on the social network, resulting in $10 billion in lost revenue and a 26% drop in the company’s share price earlier this year, according to Meta.