The user is not informed that the company is altering webpages in this manner.

Meta, the owner of Facebook and Instagram, has been altering websites visited by its users, allowing the company to track and monitor them across the web after they click links in its apps, according to recent research from an ex-Google employee.

Users who click on links in the two apps are taken to webpages in a “in-app browser” managed by Facebook or Instagram, rather than being forwarded to the user’s preferred web browser, such as Safari or Firefox.

In-app browsers, which are implemented in native Android and iOS code using a component known as a WebView, enable native app users to interact with websites without leaving their apps and running separate browser applications.

WKWebView, part of the WebKit framework, and the more current (and more privacy-protecting) SFSafariViewController, part of the SafariServices framework, are both available for this purpose on iOS.

WKWebView, the more sophisticated and flexible of the two options, is used by Meta’s apps. However, both are alternatives to opening web links in the iOS version of Safari.

“The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

In a statement, Meta stated that injecting a tracking code complied with users’ preferences regarding whether or not apps could follow them, and that it was only used to acquire data before being applied for targeted advertising or measurement purposes for those users who opted out of such tracking.

“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”

They added: “For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

Krause identified the code injection by creating a tool that could report all of the extra commands that the browser added to a website. The scanner detects no modifications in conventional browsers or most apps, but it finds up to 18 lines of code added by Facebook and Instagram.

Those lines of code appear to scan for a certain cross-platform tracking kit and, if not found, connect with the Meta Pixel, a tracking tool that allows the corporation to monitor a user around the web and give customised advertising based on their surfing habits. 

The user is not informed that the company is altering webpages in this manner. According to Krause’s research, no such code is introduced to WhatsApp’s in-app browser.

‘Javascript injection’ is the technique of inserting additional code into a webpage before it is presented to a user is typically categorised as a sort of malicious assault.

According to Feroot, a cybersecurity company, it is an attack that “allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”

There is no evidence that Meta utilises its Javascript injection to obtain any sensitive information. The gadget “allows you to follow visitor activity on your website” and can collect associated data, according to the company’s description of the Meta Pixel, which is normally willingly put to websites to let marketers advertise to users on Instagram and Facebook.