Facebook and Instagram apps can track users through their built-in browsers


If you open a website from a link you see on Facebook or Instagram, you have probably noticed that you are not redirected to your browser of choice, but rather to an in-app browser. These browsers turn out to inject JavaScript code into every website you visit, allowing parent company Meta to potentially track you across websites, researcher Felix Krause has found.

“The Instagram app injects its tracking code into every website viewed, including when you click on ads, allowing them [to] monitor all user interactions, such as every button and link typed, text selections, screenshots, as well as all form inputs, such as passwords, addresses, and credit card numbers,” said Krause in a blog post.

His research focused on the iOS versions of Facebook and Instagram. This is key because Apple allows users to turn app tracking on or off when they first open an app, through its App Tracking Transparency (ATT) feature, introduced in iOS 14.5. Meta previously said the feature was “a headwind on our 2022 business…in the $10 billion range.”

Meta said the injected tracking code obeyed user preferences on ATT. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes,” a spokesperson told The Guardian. “We do not add any pixels. The code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we ask for user consent to record the payment information for autofill purposes.”

Krause noted that Facebook doesn’t necessarily use JavaScript injection to collect sensitive data. However, if the applications opened the user’s preferred browser, like Safari or Firefox, there would be no way to do a similar JavaScript injection on a secure site. In contrast, the approach used by the in-app browsers of Instagram and Facebook “works for any website, whether it’s encrypted or not,” he said.

According to Krause’s research, WhatsApp doesn’t modify third-party websites in the same way. As such, he suggests Meta do the same with Facebook and Instagram, or just use Safari or another browser to open links. “It’s best for the user and the right thing to do.” To learn more, see the summary of his findings here.
