Facebook and Instagram in-app browsers manipulate websites

For years, the data collection frenzy of tech companies big and small knew no bounds. In recent years the situation has reversed. More and more browsers advertise anti-tracking features, and last year iPhone maker Apple ended unlimited spying on user activity across multiple apps with App Tracking Transparency.

Things are quite different with the built-in browser in Instagram and Facebook. When you view web pages through these applications, code is injected that can follow every action, even the entry of your password. This sounds really worrying.

If you’re an iOS user and you open a link from the Instagram or Facebook app in its in-app browser, you’re being watched closely. This was discovered by Felix Krause, a former Google technician. On his blog, he describes how the in-app browsers of the Facebook and Instagram applications inject their code into the web pages viewed.

Facebook is only interested in advertising

Using this code, Meta could theoretically track all user activity, including what users click and whether they take a screenshot. In theory, the company could even read very sensitive data such as passwords or credit card numbers. All this happens without ever asking for the consent of the users or of the operators of the respective websites.

Facebook claims that the tracking on the websites is meant only to collect data about users and serve personalized ads on that basis. Information such as credit card data will only be saved with the prior consent of the users, so that it can be filled in more quickly by autocomplete the next time. At least that’s the Facebook version.

This does not mean that Meta actually and actively uses all these possibilities. It’s not easy to know what data Meta actually collects in this way. The company will use several levels of encryption and concealment to keep these activities secret.

In general, this is an attack

However, Facebook does not inform its users that its own code is added to the web pages they visit. JavaScript injection, as it is called, is generally classified as a malicious cyber attack. Almost all common browsers prevent this kind of tracking, for example in the form of third-party cookies. With their own browser, the applications in the Meta group manage to do this nonetheless.


The solution to avoid Meta’s tracking is not to open links with the built-in browser in the Facebook and Instagram applications, but to use another browser instead. Another solution, according to Krause, would be to not use the apps, but instead use the mobile websites of Facebook and Instagram. For their part, website operators can prevent the injection of JavaScript by adding a short piece of code. It tricks the Facebook and Instagram apps into believing that their tracking tools are already installed. Tracking is still very difficult to avoid today, but it is not always negative.
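What the operator-side code mentioned above can look like, as an added example that is not code from this article or from Meta. The two element ids are the ones named in Krause's write-up, and they, like the User-Agent tokens used to recognise the in-app browsers, are assumptions that Meta can change at any time.

```javascript
// Added example: defensive snippet for a website operator.
// Assumption: these ids are the markers named in Felix Krause's write-up.
// They are not stated in this article and may stop working if Meta changes them.
const MARKER_IDS = ["iab-pcm-sdk", "iab-autofill-sdk"];

// Assumption: tokens that Meta's apps put into the in-app browser User-Agent.
const IN_APP_UA = /\b(FBAN|FBAV|FB_IAB|Instagram)\b/;

// True when the User-Agent string looks like a Facebook or Instagram in-app browser.
function isMetaInAppBrowser(userAgent) {
  return IN_APP_UA.test(String(userAgent || ""));
}

// Add empty, hidden elements carrying the marker ids, so that the apps treat
// their scripts as already present on the page.
// Returns the ids that had to be added (empty array if all were already there).
function ensureMarkers(doc) {
  const added = [];
  for (const id of MARKER_IDS) {
    if (doc.getElementById(id)) continue; // marker already in the page
    const el = doc.createElement("span");
    el.id = id;
    el.hidden = true;
    // body may not exist yet when this runs from <head>
    (doc.body || doc.documentElement).appendChild(el);
    added.push(id);
  }
  return added;
}

// In a real page, run this as early as possible (inline in <head>).
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const added = ensureMarkers(document);
  if (isMetaInAppBrowser(navigator.userAgent)) {
    console.info("Meta in-app browser detected; markers added:", added);
  }
}
```

Placing the two empty elements directly in the page's HTML has the same effect and does not depend on when the script runs.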


The software developer gave all this information to Meta on June 9. After a brief confirmation that this behavior could be reproduced, the group went radio silent. So Krause set the company a reasonable deadline before making it public, but Meta didn’t respond to that either. That deadline has now passed.

The request to Meta is quite simple: remove the tracking, as WhatsApp doesn’t have this behavior on the iPhone.
