When users open a link in the Facebook or Instagram app, the page loads not in a browser of their choice installed on their phone, but in Facebook’s or Instagram’s own in-app browser. While this may seem convenient, recent reports suggest parent company Meta may have other motives behind implementing an in-app browser for links.
According to a report by researcher Felix Krause, via Engadget, the default in-app browser on Facebook and Instagram injects ‘tracking code’ into every website it visits for you, allowing a number of elements to be monitored, likely without the user’s explicit knowledge. These include which ads you click on, which buttons you hit, text selections and more.
“The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause said in a blog post.
The researcher’s work mainly focused on the Facebook and Instagram apps for iOS. Krause noted, however, that Facebook may not necessarily be using the JavaScript injection to collect sensitive data. Regardless, the approach does seem fishy, because it lets Meta monitor usage on both unencrypted and encrypted sites; the latter is something other browsers would not allow.
In a later tweet, Krause said that Facebook had reached out to him, saying the system they’ve built honours the user’s App Tracking Transparency (ATT) choice.
Krause further added that communication app WhatsApp, also owned by Meta, doesn’t modify third-party websites in a similar way, and suggested that Facebook and Instagram should follow similar methods.