Instagram’s in-app browser overrides tracking restrictions to spy on you

ByLance T. Lee

Aug 15, 2022

Meta, the parent company of Instagram and Facebook, has injected code into the websites its users visit so the company can track them around the internet after clicking links in its apps.

Former Google engineer and privacy researcher Felix Krause discovered that Meta takes advantage of users who click on links being redirected to web pages in its in-app browser controlled by Instagram and Facebook in order to track everything that they make. through the web.

Krause posted his findings on his website on Wednesday, including samples of the code itself.

Meta has a custom built-in browser that works on Facebook, Instagram, and any website you might click on from those two apps. According to Krause, this proprietary browser contains additional program code.

Krause developed a tool that found Instagram and Facebook added up to 18 lines of javascript code to websites visited through Meta’s built-in browsers.

This “code injection” enables user tracking and overrides tracking restrictions put in place by browsers such as Chrome and Safari.

It allows Meta to collect sensitive user information, including all user interactions, including “every button and link typed, text selections, screenshots, as well as all form inputs, such as passwords, addresses and credit card numbers”.

In a statement to The Guardiana spokesperson for Meta said the company isn’t doing anything that Instagram and Facebook users haven’t already consented to.

“We intentionally developed this code to honor the [Ask to track] choice on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. The code is injected so that we can aggregate conversion events from pixels. »

Data is the core product of Meta’s business model and there is astronomical value in the amount of data Meta can collect by injecting tracking code into third-party websites opened through the Instagram and Facebook apps, reports The conversation.

However, this business model has been threatened by the fact that Apple, owner of Safari, Google, owner of Chrome, and the Firefox browser are all actively placing restrictions on Meta’s ability to collect data.

Last year, Apple’s iOS 14.5 update came with a requirement that all apps hosted on Apple’s App Store must obtain users’ explicit permission to track and collect their data. on apps owned by other companies. Meta strongly opposed the launch and has publicly stated that this iPhone alert alone costs its Facebook business $10 billion a year.

Apple’s Safari browser has a default setting to block all third-party cookies. Google will also soon remove third-party cookies, while Firefox has also announced “total cookie protection” to prevent cross-page tracking.

After being weakened by the introduction of restrictions on deep tracking of user data by external browsers, Meta’s response has been to create its own in-app browser that overrides these restrictions.


Picture credits: Header photo licensed via Depositphotos.



Source link