Instagram’s In-App Browser Overrides Tracking Restrictions to Spy on You


Meta, the parent company of Instagram and Facebook, has been injecting code into websites its users visit so that the company can track them across the internet after they click links in its apps.

Felix Krause, a former Google engineer and privacy researcher, discovered that users who click links in Instagram and Facebook are taken to webpages in an in-app browser controlled by those apps, and that Meta has been taking advantage of this to follow everything they do across the web.

Krause published his findings on his website on Wednesday, including samples of the code itself.

New Post: Instagram & Facebook tracks everything you do on any website in their in-app browser

— Felix Krause (@KrauseFx) August 10, 2022

Meta has a custom in-app browser that is used within Facebook and Instagram and for any website you click through to from either app. Krause claims that this browser is proprietary and adds extra code to the pages it loads.

Krause developed a tool that found Instagram and Facebook added up to 18 lines of JavaScript code to websites visited through Meta’s in-app browsers.

This “code injection” enables user tracking and overrides tracking restrictions that browsers such as Chrome and Safari have in place.

It allows Meta to collect sensitive user information, covering all user interactions: “every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.”
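A site owner can look for this kind of injection from inside the page by comparing the scripts present in the DOM with the ones the site actually shipped. The following is an added example, not code from Krause's tool or from Meta; the function names, the allowlist and the sample data are constructed, and it only sees injections that leave a `<script>` element behind.

```javascript
// Added example: audit a page's scripts for ones the site did not ship.
// All names, origins and sample values below are constructed for illustration.

// User-agent tokens sent by the Instagram and Facebook in-app browsers.
const IN_APP_UA = [/\bInstagram\b/, /\bFBAN\//, /\bFBAV\//];

function isMetaInAppBrowser(userAgent) {
  return IN_APP_UA.some((re) => re.test(userAgent));
}

// scripts: [{ src, text }], e.g. in a browser:
//   Array.from(document.scripts, s => ({ src: s.getAttribute("src") || "", text: s.textContent }))
// policy: { origins: Set<string>, inlineBodies: Set<string> } describing what the site ships.
function findInjectedScripts(scripts, policy, pageOrigin) {
  const findings = [];
  for (const s of scripts) {
    if (s.src) {
      let origin;
      try {
        origin = new URL(s.src, pageOrigin).origin; // resolves relative paths too
      } catch {
        findings.push({ kind: "external", reason: "unparseable src", src: s.src });
        continue;
      }
      if (!policy.origins.has(origin)) {
        findings.push({ kind: "external", reason: "origin not allowlisted", src: s.src });
      }
    } else if (!policy.inlineBodies.has(s.text.trim())) {
      findings.push({ kind: "inline", reason: "inline body not shipped by site",
                      preview: s.text.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample: two scripts the site ships, two it did not.
const SAMPLE_POLICY = {
  origins: new Set(["https://shop.example", "https://cdn.shop.example"]),
  inlineBodies: new Set(["window.APP_ENV = 'prod';"]),
};
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", text: "" },
  { src: "", text: "window.APP_ENV = 'prod';" },
  { src: "https://tracker.example/inject.js", text: "" },
  { src: "", text: "document.addEventListener('selectionchange', report);" },
];
const SAMPLE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) " +
  "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 250.0.0.0.0";
```

Findings that appear only when `isMetaInAppBrowser(navigator.userAgent)` is true point at the host app rather than at the site's own tag manager or a browser extension.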

In a statement to The Guardian, a spokesperson for Meta says that the company is not doing anything Instagram and Facebook users did not already consent to.

“We created this code in order to respect people’s choices on our platforms,” a spokesperson said. “The code allows us to aggregate data from users before we use it to target advertising and measurement. No pixels are added. Code is injected so that we can aggregate conversion events from pixels.”

Data is the central commodity of Meta’s business model and there is astronomical value in the amount of data Meta can collect by injecting a tracking code into third-party websites opened through the Instagram and Facebook apps, reports The Conversation.

However, this business model has been threatened by the fact that Apple, which owns Safari, Google, which owns Chrome, and the Firefox browser are all actively placing restrictions on Meta’s ability to collect data.

Last year, Apple’s iOS 14.5 update came alongside a requirement that all apps hosted on the Apple App Store must get users’ explicit permission to track and collect their data across apps owned by other companies. Meta was vocally against the launch and publicly said this single iPhone alert is costing its Facebook business US$10 billion each year.

Apple’s Safari browser applies a default setting to block all third-party cookies. Google and Firefox will soon eliminate third-party cookies. Firefox also announced that they would implement “total cookie protection” in order to block cross-page tracking.

Meta responded to the restrictions that external browsers place on extensive tracking of user data by creating its own browser inside its apps. This allows it to bypass these limitations.
