Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer.
The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an “in-app browser”, controlled by Facebook or Instagram, rather than sent to the user’s web browser of choice, such as Safari or Firefox.
“The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.
In a statement, Meta said that injecting a tracking code obeyed users’ preferences on whether or not they allowed apps to follow them, and that it was only used to aggregate data before being applied for targeted advertising or measurement purposes for those users who opted out of such tracking.
“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”
They added: “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”
Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. For normal browsers, and most apps, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and offer targeted advertising based on their browsing.
The company does not disclose to the user that it is rewriting webpages in this way. No such code is added to the in-app browser of WhatsApp, according to Krause’s research.
“Javascript injection” – the practice of adding extra code to a webpage before it is displayed to a user – is frequently classified as a type of malicious attack. Cybersecurity company Feroot, for instance, describes it as an attack that “allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”
There is no suggestion that Meta has used its Javascript injection to collect such sensitive data. In the company’s description of the Meta Pixel, which is usually voluntarily added to websites to help companies advertise to users on Instagram and Facebook, it says the tool “allows you to track visitor activity on your website” and that it can collect associated data.
It is unclear when Facebook began injecting code to track users after clicking links. In recent years, the company has had a noisy public standoff with Apple, after the latter introduced a requirement for app developers to ask permission to track users across apps. After the prompt was launched, many Facebook advertisers found themselves unable to target users on the social network, ultimately leading to $10bn of lost revenue and a 26% fall in the company’s share price earlier this year, according to Meta.
