Instagram and Facebook in-app browsers track all user activity
An analysis by software developer Felix Krause showed that Facebook and Instagram’s in-app browsers track every user interaction.
“The iOS Instagram and Facebook app render all third-party links and ads within their app using a custom in-app browser,” Krause said.
“This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.”
Krause said the applications inject their tracking code into every linked website, enabling Meta to monitor every page navigated to, text selections, screenshots, and form inputs like passwords, addresses and credit card details.
He said there is no legitimate reason for Instagram’s in-app browser to support auto-filling your address and payment information since it is already built into your device’s operating system or web browser like Safari.
The developer said the JavaScript tracking code, named Meta Pixel, gets injected before the first script element on external websites.
Facebook owner Meta Platforms describes Meta Pixel as “a snippet of JavaScript code that allows you to track visitor activity on your website.”
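The injection described above can be noticed from the website's side. The following is an added example, not code from Krause's write-up or from Meta: it flags an in-app browser by User-Agent markers and reports script elements the site did not ship itself, which is the signal the article points at when it says the code lands before the page's first script element. The marker strings and the sample page are assumptions constructed for this illustration.

```javascript
// Substrings these apps are known to put in their User-Agent header
// (assumption for this example; confirm against current app versions).
const IN_APP_MARKERS = ["FBAN", "FBAV", "Instagram"];

// Returns the first marker found, or null when the UA looks like a normal browser.
function detectInAppBrowser(userAgent) {
  for (const marker of IN_APP_MARKERS) {
    if (userAgent.includes(marker)) return marker;
  }
  return null;
}

// scripts: <script> descriptors in document order ({ src: string|null, text: string }).
// The article says the tracking code is injected before the page's first
// script element, so a foreign entry at index 0 is the strongest signal.
function findUnexpectedScripts(scripts, allowedSrcs, allowedInlinePrefixes) {
  const unexpected = [];
  scripts.forEach((s, index) => {
    const known = s.src
      ? allowedSrcs.has(s.src)
      : allowedInlinePrefixes.some((p) => s.text.trimStart().startsWith(p));
    if (!known) unexpected.push({ index, src: s.src, preview: (s.text || "").slice(0, 40) });
  });
  return { unexpected, firstScriptForeign: unexpected.some((u) => u.index === 0) };
}

// Browser-side collector; only meaningful when a DOM is present.
function collectScripts(doc) {
  return Array.from(doc.querySelectorAll("script")).map((el) => ({
    src: el.getAttribute("src"),
    text: el.getAttribute("src") ? "" : el.textContent,
  }));
}

// Constructed sample: the site ships one inline bootstrap and one bundle,
// and a foreign inline script has appeared ahead of both.
const SAMPLE_SCRIPTS = [
  { src: null, text: "(function(){/* not shipped by the site */})();" },
  { src: null, text: "window.__site = {};" },
  { src: "/static/app.js", text: "" },
];
const SAMPLE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) Instagram 250.0.0";

function runChecks(scripts = SAMPLE_SCRIPTS, ua = SAMPLE_UA) {
  const report = findUnexpectedScripts(scripts, new Set(["/static/app.js"]), ["window.__site"]);
  return { inAppMarker: detectInAppBrowser(ua), ...report };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

In a real page, feed `collectScripts(document)` and `navigator.userAgent` into `runChecks` and keep the allowlist in sync with the scripts your build actually emits.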
Krause said that Meta’s monitoring is done without consent from the user or the external website provider.
The developer explained that Meta’s tracking intentionally works around Apple’s App Tracking Transparency permission system.
Introduced with iOS 14.5, the App Tracking Transparency policy requires applications to get users’ permission before tracking their data across third-party applications.
Krause said he disclosed the issue to Meta through their Bug Bounty Program.
Meta confirmed they could reproduce Krause’s findings within a few hours of his disclosure.
Since then, nine weeks have passed without any other response from Meta besides asking the developer to wait longer for the company’s full report.
“Since there hasn’t been any responses on my follow-up questions, nor did they stop injecting tracking code into external websites, I’ve decided to go public with this information,” Krause said.