Users are being warned.
Facebook and Instagram’s In-App Browsers Track Users
The mobile apps include a script known as pcm.js. The script was developed to honor users’ privacy choices while they are using Facebook and Instagram.
Meta criticized Apple’s App Tracking Transparency. It has been telling its users that Facebook and Instagram rely on tracking data to keep the services free. But the apps honor user requests not to be monitored. That’s why the apps’ browsers inject the script.
According to the Guardian, “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”
However, Krause says that injecting the scripts into third-party websites will let them monitor all user interactions. For instance, the app can track each button tapped. It can also monitor text selections and other form inputs, such as credit card numbers and addresses.
But Krause states that the script does not appear to do anything malicious.
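A site owner can look for this kind of monitoring from inside the page. The sketch below is an added example, not code from Krause's report or from Meta: it wraps `addEventListener` and reports tap, selection and input listeners registered after the site's own scripts have finished. `installListenerAudit`, `SENSITIVE_EVENTS` and the demo objects are hypothetical names and constructed inputs.

```javascript
// Event types matching the interactions named above: taps, text selection, form input.
const SENSITIVE_EVENTS = new Set([
  "click", "touchstart", "selectionchange", "input", "change", "keydown",
]);

// Wraps addEventListener on a prototype (EventTarget.prototype in a browser).
// Until seal() is called, registrations are assumed to be the site's own.
// After seal(), any sensitive listener is passed to report().
function installListenerAudit(targetProto, report) {
  const original = targetProto.addEventListener;
  let sealed = false;
  targetProto.addEventListener = function (type, listener, options) {
    if (sealed && SENSITIVE_EVENTS.has(type)) {
      report({
        type,
        target: this.constructor ? this.constructor.name : "unknown",
        // The stack shows which script made the call, for later triage.
        stack: new Error().stack,
      });
    }
    return original.call(this, type, listener, options);
  };
  return {
    seal() { sealed = true; },
    restore() { targetProto.addEventListener = original; },
  };
}

// Constructed demonstration using a plain EventTarget in place of a document.
function demo() {
  const findings = [];
  const audit = installListenerAudit(EventTarget.prototype, (f) => findings.push(f.type));
  const page = new EventTarget();
  page.addEventListener("click", () => {});            // site's own handler: baseline
  audit.seal();                                        // site scripts are done
  page.addEventListener("input", () => {});            // late listener: reported
  page.addEventListener("selectionchange", () => {});  // late listener: reported
  page.addEventListener("scroll", () => {});           // not a sensitive type: ignored
  audit.restore();
  page.addEventListener("input", () => {});            // audit removed: ignored
  return findings;
}
```

Code that a host app injects into an isolated WKWebView content world does not pass through the page's `addEventListener` and will not be reported, and a legitimate script that loads late will be, so treat findings as leads rather than proof.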
Meta’s decision to inject the script raised various questions. Krause reported it through Meta’s bug bounty program. He never heard from Meta again until he published his report online.
When asked for comment, Meta released a statement saying that the claims are false.
In-app browsers can present several privacy risks. Whether the browser is from Meta or another company, the in-app browser enables the company to gather browser analytics without user consent.
A firm can also use these browsers to steal the user credentials and API keys used in host services. They can also inject ads and referral links into websites. But Krause does not accuse Meta of taking these actions.
Even with the script, Facebook and Instagram cannot read and watch the online activities of the users. They also don’t steal users’ passwords, addresses, and credit card numbers.
However, it still shows that they are aggregating data without the user’s consent. Krause added that if a company can access data for free without the user’s consent, it will track you.
Krause recommends using Safari or another browser when opening a link from these mobile apps. To open Safari, tap the dots in the corner. Safari blocks third-party cookies by default.
Apple enhanced its privacy game by introducing Lockdown Mode in July. It is an extreme security level for users who are personally targeted by digital threats. Krause filed a bug report with Apple in July. He claimed that iOS Lockdown Mode could still enable in-app web views and that host apps could steal information.
It is not clear when Meta started to inject code to monitor users after they click links. After Apple amplified its privacy features, many Facebook advertisers could not target users using Facebook and Instagram. As a result, Meta lost billions of dollars in revenue.