Meta, the owner of Facebook and Instagramhas been rewriting the websites its users visit, allowing the company to follow them around the web after clicking links in its apps, according to new research from a former Google engineer.
Both apps have taken advantage of the fact that users who click on links are taken to web pages in an “in-app browser,” controlled by Facebook or Instagram, instead of being sent to the user’s chosen web browser, such as Safari or Firefox.
“The Instagram app injects their tracking code on every website that is displayed, including when you click on ads, allowing them to [to] monitor all user interactions, such as every button and link clicked, text selections, screenshots, as well as any form inputs, such as passwords, addresses, and credit card numbers. says Felix Krausea privacy researcher who founded an app development tool acquired by Google in 2017.
In a sentence, Goal said injecting a tracking code was based on user preferences about whether or not to allow apps to follow them, and was only used to aggregate data before applying it for advertising or measurement purposes for those users who opted out. in said follow-up.
“We intentionally developed this code to honor the [Ask to track] options on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so we can add conversion events from pixels.”
They added: “For purchases made through the in-app browser, we seek user consent to save payment information for autofill purposes.”
Krause discovered code injection by creating a tool that could list all the additional commands added to a website by the browser. For normal browsers and most apps, the tool doesn’t detect changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, call up Meta Pixel, a tracking tool that allows the company to follow a user across the web and build an accurate profile of their users. interests.
Sign up for First Edition, our free daily newsletter, every Monday to Friday morning at 7am BST
The company does not reveal to the user that it is rewriting the web pages in this way. No such code is added to the WhatsApp app’s browser, according to Krause’s research.
“JavaScript injection”, the practice of adding additional code to a web page before it is displayed to a user, is frequently classified as a type of malicious attack. The cybersecurity company Ferot, for example, describes it as an attack that “allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”
There is no suggestion that Meta used its Javascript injection to collect such sensitive data. In the company’s description of the Meta Pixel, which is usually added voluntarily to websites to help companies advertise to users on Instagram and Facebook, it says that the tool “allows you to track visitor activity on your site web” and that may collect associated data.
It’s unclear when Facebook started injecting code to track users after clicking links. In recent years, the company has had a noisy public showdown with Apple, after the latter introduced a requirement for app developers to ask for permission to track users in apps. After the notice was released, many Facebook advertisers found themselves unable to target users on the social network, ultimately resulting in $10 billion in lost revenue and a 26% drop in the company’s share price earlier this yearaccording to goal.
