According to a new study by a former Google engineer, Meta, the owner of Instagram and Facebook, has been rewriting the websites its users visit, which lets the company follow them across the web after they click on links shown in the apps.
Both apps take advantage of the fact that users who tap a link are shown the web page in an “in-app browser” controlled by Instagram or Facebook, instead of being sent to a browser of their own choosing such as Firefox or Safari.
Felix Krause, a privacy researcher who founded an app-development tool acquired by Google in 2017, said that the Instagram app adds its tracking code to every website it displays. That code allows the platform to monitor all user interactions: every tapped link and button, ad clicks, screenshots, text selections, and any input by a user, including credit card numbers, addresses and even passwords.
In a statement, Meta said that the injected tracking code honours the preferences users have given on whether or not apps may track them, and that it only gathers data for targeted advertising or measurement purposes, primarily for users who have opted in to such tracking.
A spokesperson said that the only objective behind developing this tracking code is to respect users’ preferences by asking them for consent to track. The code gives the platform permission to amass user data before the data is used for targeted advertising. The platform does not add any pixels to it. The reason behind injecting the code is to collect conversion events from pixels.
They further added that the platform asks for the user’s permission before saving payment information for autofill if the user makes a purchase using the in-app browser.
Krause discovered the injected tracking code by building a tool that lists every additional command a browser adds to a website it displays. For most apps and for standard browsers, the tool finds no changes; for Instagram and Facebook, however, it finds up to 18 lines of code added by the app. The detected code first checks for a specific cross-platform tracking kit and, if that kit is not installed on the device, calls the Meta Pixel instead. Meta Pixel is a tool that lets the platform follow the user around the web and build a detailed profile of their preferences.
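The kind of check Krause’s tool performs can also be run by a site itself. The following is an added example, not Krause’s tool or any Meta code: it reports `<script>` elements the page did not ship (both those present at load and those added later) and labels the report when the user agent carries the tokens commonly seen in the Facebook (“FBAN”/“FBAV”) and Instagram in-app browsers. The allowlists, sample scripts and the `report` callback are assumptions for illustration.

```javascript
// Added example, not Felix Krause's tool or Meta's code: a site-side integrity check that
// reports <script> elements the page did not ship itself, as an in-app browser would add.
// The allowlists and sample data used with it are constructed for illustration.

// Normalise one script element (or a plain object with the same fields, for testing).
function describeScript(script) {
  const src = script.src || "";
  return src
    ? { kind: "external", id: src }
    : { kind: "inline", id: (script.text || "").trim() };
}

// Return the scripts that are neither an allowed external URL nor an allowed inline snippet.
// In a real DOM, script.src is already absolute, so allowedSrcs should hold absolute URLs.
function findUnexpectedScripts(scripts, allowedSrcs, allowedInline) {
  return Array.from(scripts)
    .map(describeScript)
    .filter(d => (d.kind === "external" ? !allowedSrcs.includes(d.id) : !allowedInline.includes(d.id)));
}

// Heuristic: user-agent tokens commonly observed in the Facebook ("FBAN"/"FBAV") and
// Instagram in-app browsers. Use it only to label reports, never to change site behaviour.
function looksLikeInAppBrowser(userAgent) {
  return /\bFBAN\b|\bFBAV\b|\bInstagram\b/.test(userAgent || "");
}

// Browser-only: report unexpected scripts present at load, then keep watching for ones
// added afterwards. Returns null when there is no DOM (e.g. when run under Node).
function watchForInjectedScripts(allowedSrcs, allowedInline, report) {
  if (typeof document === "undefined") return null;
  const label = looksLikeInAppBrowser(navigator.userAgent) ? "in-app" : "browser";
  const emit = found => { if (found.length) report({ label, scripts: found }); };
  emit(findUnexpectedScripts(document.scripts, allowedSrcs, allowedInline));
  const observer = new MutationObserver(mutations => {
    const added = [];
    for (const m of mutations) for (const n of m.addedNodes) if (n.tagName === "SCRIPT") added.push(n);
    emit(findUnexpectedScripts(added, allowedSrcs, allowedInline));
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

This is detection, not prevention: the app controls the web view the page runs in, so the page can only observe and report what was added, for example by sending the report to a first-party endpoint.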
According to Krause’s study, the platform does not disclose to users how it rewrites the web pages they visit. No such tracking code is added to the in-app browser of WhatsApp.
“JavaScript injection” is classified as a type of malicious attack: it is the practice of adding extra code to a web page before it is displayed to a user. Feroot, a cybersecurity company, describes it as an attack that lets a threat actor control a web application or website in order to steal personal data from it, including payment information or personally identifiable information (PII).
There is no evidence that Meta has used its injected JavaScript to gather such sensitive personal data. It is also still unclear when Facebook began using the tracking code to follow users after they click on links.