Facebook and Instagram's in-app browsers will reportedly track anything you do on any website

By Kenny Yeo - on 21 Aug 2022, 12:27pm

Note: This article was first published on 11 August 2022.

(Image source: Brett Jordan / Unsplash)

Felix Krause, an iOS privacy researcher, has found that Facebook and Instagram render all third-party links within their app using a custom in-app browser and that this custom browser can track all sorts of user interactions.

The custom in-app browser is said to be based on WebKit, and a JavaScript tracking code called "Meta Pixel" is injected into all links and websites shown. With this code, Facebook and Instagram can track users' interactions without their consent.

This is in violation of Apple's App Tracking Transparency policy, which requires apps to explicitly ask users for their permission to track them.

According to Krause, the tracking code can monitor all kinds of user interactions.

This allows Instagram to monitor everything happening on external websites, without the consent from the user, nor the website provider.

The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.

That said, Krause is quick to point out that this doesn't necessarily mean that Facebook and Instagram are stealing people's passwords and credit card numbers.

Rather, his report was meant to highlight the tracking capability of the in-app browser's tracking code and how users can protect themselves.

Does Facebook actually steal my passwords, address and credit card numbers?

No! I didn’t prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it’s possible for a company to get access to data for free, without asking the user for permission, they will track it.

So how can users protect themselves? Whenever you click on a link within Facebook or Instagram, make sure you click on the three dots icon in the corner (bottom right for Facebook, top right for Instagram) and select the option "Open in browser" to visit the link in Safari and not Facebook or Instagram's custom in-app browser.

Interestingly, only Facebook and Instagram open links using their custom in-app browser. WhatsApp, another service owned by Meta, opens links with Safari.
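
From the website provider's side, injected script elements like the ones described above can be made visible. The following is an added example, not code from Krause's report or from this article: it flags script elements the site did not ship. The allow-listed origins, the nonce convention and the sample data are assumptions constructed for illustration.

```javascript
// Origins the site really loads scripts from (constructed placeholders).
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://shop.example", "https://cdn.shop.example"]);

// Classify one script, described as { src, nonce }. expectedNonce is the
// per-response nonce the server put on its own inline scripts (assumed convention).
function classifyScript(script, pageUrl, expectedNonce) {
  if (!script.src) {
    return script.nonce && script.nonce === expectedNonce ? "own" : "foreign-inline";
  }
  let origin;
  try {
    origin = new URL(script.src, pageUrl).origin; // resolves relative URLs too
  } catch (_) {
    return "foreign-external"; // unparsable src: treat as not ours
  }
  return ALLOWED_SCRIPT_ORIGINS.has(origin) ? "own" : "foreign-external";
}

function findForeignScripts(scripts, pageUrl, expectedNonce) {
  return scripts
    .map((s) => ({ src: s.src || null, verdict: classifyScript(s, pageUrl, expectedNonce) }))
    .filter((r) => r.verdict !== "own");
}

// Browser wiring: report scripts that appear in the DOM after the observer starts.
function watchForInjectedScripts(expectedNonce, report) {
  const observer = new MutationObserver((mutations) => {
    const added = [];
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.nodeName === "SCRIPT") added.push({ src: n.getAttribute("src"), nonce: n.nonce });
      }
    }
    const foreign = findForeignScripts(added, location.href, expectedNonce);
    if (foreign.length) report(foreign);
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: what a checkout page might see inside an in-app browser.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", nonce: "" },
  { src: "https://tracker.example/pixel.js", nonce: "" }, // not shipped by the site
  { src: null, nonce: "r4nd0m" },                          // site's own inline script
  { src: null, nonce: "" },                                // inline script without the nonce
];
```

This only sees code that arrives as a script element; code a host app runs without adding one is invisible to the page, and browser extensions can trigger the same reports.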

To read Krause's report in detail, click the link below.

Source: Felix Krause via MacRumors
