Code injection from Meta in the in-app browser

You have surely tried to open a link that interests you from within Facebook or Instagram. You will have noticed that the link does not open in the browser you normally use, but inside the Facebook or Instagram application.

As the saying goes, the liar and the thief rejoice only in the first year, and so we have news.

Meta, the owner of Facebook and Instagram, rewrites every web page its users visit, helping the company track them around the web, according to new research from a former Google engineer. The Guardian reports:


The two apps take advantage of the fact that users who click on links are taken to web pages in an "in-app browser," controlled by Facebook or Instagram, rather than being sent to the user's browser, such as Safari or Firefox.

“The Instagram app inserts a tracking code on every website it displays, even when you click on ads, allowing them to track all user interactions, including every button and link clicked, text selections, screenshots, as well as any form input, such as passwords, addresses and credit card numbers,” says Felix Krause, a privacy researcher who built an app development tool that Google bought in 2017.

Krause discovered the code injection by building a new tool that could list all the extra commands added to a website by the browser. In regular browsers and most apps, the tool doesn't detect changes, but on Facebook and Instagram it finds up to 18 lines of code added by the app.

These lines of code appear to scan for a specific cross-platform tracking kit and, if it's not installed, call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests.
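The comparison described above (no changes in a regular browser, extra code in the in-app browser) can be approximated by a site owner with a snapshot diff. The following is an added example, not Krause's tool and not code from the original article; the function names, the sample pages and the `injected.example` URL are constructed for illustration.

```javascript
// Added example: report <script> elements that appear in a DOM snapshot taken
// in an in-app browser but not in a baseline snapshot from a regular browser.
// Regex extraction is adequate for snapshots you captured yourself;
// use a real HTML parser for untrusted markup.

// Fingerprint each <script>: external ones by src, inline ones by
// whitespace-normalised body, so reformatting alone is not reported.
function scriptFingerprints(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      found.push({ kind: 'external', id: src[1] ?? src[2] ?? src[3] });
    } else {
      const body = m[2].replace(/\s+/g, ' ').trim();
      if (body) found.push({ kind: 'inline', id: body });
    }
  }
  return found;
}

// Scripts present in the observed snapshot but absent from the baseline.
function findInjectedScripts(baselineHtml, observedHtml) {
  const known = new Set(
    scriptFingerprints(baselineHtml).map((s) => `${s.kind}:${s.id}`));
  return scriptFingerprints(observedHtml)
    .filter((s) => !known.has(`${s.kind}:${s.id}`));
}

// Constructed sample snapshots (for instance document.documentElement.outerHTML
// saved once from a regular browser and once from an in-app browser).
const BASELINE = `<html><head>
  <script src="/static/app.js"></script>
  <script>window.cfg = { lang: "en" };</script>
</head><body><h1>Shop</h1></body></html>`;

const OBSERVED = `<html><head>
  <script src='/static/app.js'></script>
  <script>
    window.cfg = { lang: "en" };
  </script>
  <script src="https://injected.example/tracker.js"></script>
  <script>window.hostAppMarker = 1;</script>
</head><body><h1>Shop</h1></body></html>`;

console.log(findInjectedScripts(BASELINE, OBSERVED));
```

Scripts that the page's own code adds dynamically show up in both snapshots, which is why the baseline is taken from a rendered DOM in a regular browser rather than from the raw server response.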

The company does not disclose to the user that it rewrites the web pages it opens in this way. It should be noted that no such tracking code was found in WhatsApp's in-app browser, according to Krause's research, and that it's unclear when Facebook began inserting code to track users who clicked on links.

Of course, the response from Meta tried to downplay the fact:

"We have deliberately created this code," a Meta spokesperson told the Guardian. “The code allows us to collect user data before using it for targeted advertising or measurement purposes. We don't add pixels. The code is inserted so that we can collect conversion events from pixels.”

"For in-app browser purchases, we ask for user consent to store payment information for autofill purposes."


Written by giorgos
