Facebook’s in-app browser injects JavaScript into third-party websites


Fastlane founder Felix Krause revealed that Facebook and Instagram’s in-app browsers inject JavaScript into third-party websites.

Krause initially said the in-app browsers inject the Meta Pixel, which Meta describes as “a snippet of JavaScript code that allows you to track visitor activity on your website”, but has since updated his report to state that the social networking company’s mobile apps inject a script identified as “pcm.js” instead. A comment in this script explains that it was “developed to respect people’s privacy and [App Tracking Transparency] choice” when using Facebook and Instagram.

App Tracking Transparency is a framework introduced by Apple with iOS 14.5 that requires developers to request permission before collecting tracking data from their users. Meta has repeatedly criticized the framework and told Facebook and Instagram users that it relies on tracking data – or at least the ad revenue it supports – to keep its services free. However, its apps still have to honor user requests not to be tracked, and the company claims that is why its browsers inject the “pcm.js” script.

“This code is injected into in-app browsers to help aggregate conversion events from pixels configured by companies on their website, before these events are used for targeted advertising or measurement purposes,” says Meta in a comment on the script. “No other user activity is tracked with this JavaScript.”

Krause states that “injecting custom scripts into third-party websites allows them to monitor all user interactions, such as every button and link tapped, text selections, screenshots, as well as all form entries, such as passwords, addresses and credit card numbers”. He notes that Meta doesn’t appear to be doing anything that malicious, but the company has nonetheless been critical of the report, with Meta’s policy communications director Andy Stone saying on Twitter:

Questions about Meta’s decision to inject JavaScript through Facebook and Instagram’s in-app browsers abound. Krause says he reported this behavior through Meta’s bug bounty program, was told within hours that Meta engineers could reproduce the “problem”, and then heard nothing for about 11 weeks. It’s unclear why Meta didn’t provide additional information about this practice (or why it called JavaScript injection a “problem”) until after Krause published his report.

Meta responded to a request for comment with the following statement: “These claims are untrue and misrepresent the operation of Meta’s in-app browser and pixel. We intentionally developed this code to honor App Tracking Transparency choices on our platforms.” This statement was provided after Krause updated his report to say that the in-app browsers do not inject the Meta Pixel, however, and the original request for comment specifically mentioned the “pcm.js” script.


The company did not immediately respond to a request for additional information regarding the type of data collected through the “pcm.js” script, how the script prevents Meta Pixel event data from being used for tracking, or whether the Facebook and Instagram in-app browsers also inject other scripts.

For now, it appears that Meta has created a system that compels it to knowingly engage in questionable behavior – injecting custom scripts into every third-party website visited by Facebook and Instagram’s billions of users through their in-app browsers – just to honor their requests not to be tracked.
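To make concrete what Krause means by a script that can “monitor all user interactions”, here is an added illustration. It is not Meta’s pcm.js and not code from Krause’s report; it models the DOM’s capture/bubble event phases with a tiny hand-rolled event model so it runs in plain Node, and the page, the element ids and the password value “hunter2” are constructed sample data. The point it shows is that a script the host app injects into every page can register capturing listeners on the document and thereby see every tap and every form value before any handler the site itself installed.

```javascript
// Added illustration (not Meta's pcm.js, not Krause's code): what a script that
// the host app injects into every page can observe. The Element class is a
// minimal stand-in for DOM nodes with capture and bubble phases, so that the
// example runs in Node, which has no DOM.

class Element {
  constructor(tag, id, parent = null) {
    this.tag = tag;
    this.id = id;
    this.parent = parent;
    this.value = '';
    this.capture = new Map(); // event type -> listeners for the capture phase
    this.bubble = new Map();  // event type -> listeners for the bubble phase
  }

  addEventListener(type, fn, useCapture = false) {
    const table = useCapture ? this.capture : this.bubble;
    if (!table.has(type)) table.set(type, []);
    table.get(type).push(fn);
  }

  dispatchEvent(type) {
    // Propagation path from the root down to the target, as in the DOM:
    // capture phase runs root -> target, bubble phase runs target -> root.
    const path = [];
    for (let n = this; n; n = n.parent) path.unshift(n);
    const event = { type, target: this };
    for (const n of path) for (const fn of n.capture.get(type) || []) fn(event);
    for (const n of [...path].reverse()) for (const fn of n.bubble.get(type) || []) fn(event);
  }
}

// Constructed sample page: a login form with a password field and a button.
function buildPage() {
  const document = new Element('document', 'document');
  const form = new Element('form', 'login', document);
  const password = new Element('input', 'password', form);
  const submit = new Element('button', 'submit', form);
  return { document, form, password, submit };
}

// Stand-in for the host app's injected script. Capturing listeners on the
// document fire before the page's own (bubbling) handlers and see the
// current value of whichever field fired the event.
function installInjectedObserver(document) {
  const seen = [];
  for (const type of ['input', 'click', 'selectionchange']) {
    document.addEventListener(type, (ev) => {
      seen.push({ type, id: ev.target.id, value: ev.target.value });
    }, true);
  }
  return seen;
}

// Simulate a user typing a password and tapping submit; return what the
// injected observer recorded and how much it had already recorded by the
// time the site's own click handler ran.
function simulateLogin() {
  const page = buildPage();
  const seen = installInjectedObserver(page.document);
  let seenBeforeSiteHandler = -1;
  // The site's own handler, registered the normal (bubbling) way.
  page.form.addEventListener('click', () => { seenBeforeSiteHandler = seen.length; });
  // Constructed user actions.
  page.password.value = 'hunter2';
  page.password.dispatchEvent('input');
  page.submit.dispatchEvent('click');
  return { seen, seenBeforeSiteHandler };
}

// Running this prints the password and the tap, each recorded by the
// observer before the site's handler saw anything.
console.log(JSON.stringify(simulateLogin(), null, 2));
```

A script injected by the embedding app through the WebView’s user-script API is evaluated by the app, not fetched by the page, so the site’s Content Security Policy does not apply to it, and a capture-phase listener on the document sees each event before any handler the site registered. A site cannot prevent this from inside the page; it can at most detect that it is running in an in-app browser (for example from the user-agent string) and steer the user to the system browser.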
