Meta’s Facebook and Instagram apps have long had their own built-in browsers, allowing users to open links without leaving the app itself. However, researcher Felix Krause discovered that these in-app browsers inject JavaScript into every website a user opens, which would let the parent Meta app track that user’s activity across third-party pages.

“The Instagram app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause explains in a blog post.

His research focused on the iOS versions of Facebook and Instagram. This matters because Apple’s App Tracking Transparency (ATT) feature, introduced in iOS 14.5, lets users decline tracking for each app when it first asks permission. Meta previously said the feature was a “headwind to our business in 2022… valued at about $10 billion.” As it turned out, the company was at least partially able to work around this limitation.

Meta, for its part, responded that the injected code respects the choices users make in the ATT prompt.

“The code allows us to aggregate user data before using it for targeted advertising or measurement purposes,” said a Meta representative in a comment to The Guardian. “We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

Krause noted that this does not mean Facebook actually uses the injected JavaScript to collect sensitive data. But if the apps opened links in the user’s own browser, such as Safari or Firefox, the app would have no way to inject JavaScript into any site, encrypted or not. TLS only protects the page in transit; an in-app browser is a web view the app itself controls, so the app can modify page content after it has been decrypted. The approach used by the Instagram and Facebook browsers therefore “works for any website, whether it’s encrypted or not,” Krause writes.

According to the researcher, WhatsApp, which also has a built-in browser, does not do this and leaves third-party websites unmodified. Krause suggests Meta do the same in Facebook and Instagram, or simply open links in Safari or another standard browser.