Instagram’s In-App Browser Overrides Tracking Restrictions to Spy on You


Meta, the parent company of Instagram and Facebook, has been injecting code into websites its users visit so that the company can track them across the internet after they click links in its apps.

Felix Krause, a former Google engineer and privacy researcher, discovered that users who click on links in Instagram and Facebook are taken to webpages in an in-app browser controlled by those apps, and that Meta has been taking advantage of this to follow everything they do across the web.

Krause published his findings on his website on Wednesday, including samples of the code itself.

Meta has a custom in-app browser that operates in Facebook and Instagram and loads any website you might click through to from either of these apps. According to Krause, this proprietary browser has additional program code inserted into it.

Krause developed a tool that found that Instagram and Facebook added up to 18 lines of JavaScript code to websites visited through Meta’s in-app browsers.

This “code injection” enables user tracking and overrides tracking restrictions that browsers such as Chrome and Safari have in place.

It allows Meta to collect sensitive user information, including all user interactions, such as “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.”
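As an added illustration (not part of the original article and not Krause's tool), the JavaScript below sketches one way a site could notice calls to its DOM APIs that its own code did not make, which is how script injected into a page would show up. The function names, the stand-in `document` object and the sample calls are all constructed for this example.

```javascript
// Added example, not Krause's tool. Wrap selected DOM methods and record
// every call that does not come from the site's own code.
function watchForForeignCalls(target, methodNames) {
  const report = [];   // calls made while no site code was running
  let ownDepth = 0;    // > 0 while the site's own code is on the stack

  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== "function") continue;
    target[name] = function (...args) {
      if (ownDepth === 0) {
        const firstArg = typeof args[0] === "string" ? args[0] : null;
        report.push({ method: name, firstArg });
      }
      return original.apply(this, args);
    };
  }

  // The site runs its own entry points through asOwnCode(). Limitation:
  // callbacks the site schedules for later must be wrapped as well.
  function asOwnCode(fn) {
    ownDepth++;
    try { return fn(); } finally { ownDepth--; }
  }
  return { report, asOwnCode };
}

// Constructed stand-in for `document`, so the example runs outside a browser.
function makeFakeDocument() {
  return {
    listeners: [],
    addEventListener(type, handler) { this.listeners.push({ type, handler }); },
    getElementById(id) { return null; },
  };
}

function demo() {
  const doc = makeFakeDocument();
  const watch = watchForForeignCalls(doc, ["addEventListener", "getElementById"]);

  // The site's own code: not reported.
  watch.asOwnCode(() => doc.addEventListener("click", () => {}));

  // Constructed stand-in for script injected by a host app: reported.
  doc.addEventListener("selectionchange", () => {});
  doc.getElementById("placeholder-element-id");
  return watch.report;
}
```

In a real page the wrapper has to be installed before any other script runs, and it only observes calls made in the page's own JavaScript context.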

In a statement to The Guardian, a spokesperson for Meta says that the company is not doing anything Instagram and Facebook users did not already consent to.

“We intentionally developed this code to honor people’s [Ask to track] choices on our platforms,” says a spokesperson. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.”

Data is the central commodity of Meta’s business model and there is astronomical value in the amount of data Meta can collect by injecting a tracking code into third-party websites opened through the Instagram and Facebook apps, reports The Conversation.

However, this business model has been threatened by the fact that Apple, which owns Safari; Google, which owns Chrome; and the Firefox browser are all actively placing restrictions on Meta’s ability to collect data.

Last year, Apple’s iOS 14.5 update came alongside a requirement that all apps hosted on the Apple App Store must get users’ explicit permission to track and collect their data across apps owned by other companies. Meta was vocally against the launch and publicly said this single iPhone alert is costing its Facebook business US$10 billion each year.

Apple’s Safari browser applies a default setting to block all third-party cookies. Google will also soon be phasing out third-party cookies, while Firefox similarly announced “total cookie protection” to prevent cross-page tracking.

Weakened by the restrictions that external browsers have introduced on extensive user data tracking, Meta has responded by creating its own in-app browser that overrides these restrictions.
