Meta Injecting Code Into Websites Visited By Its Users To Track Them, Research Says

Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer. The Guardian reports: The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an 'in-app browser,' controlled by Facebook or Instagram, rather than sent to the user's web browser of choice, such as Safari or Firefox. 'The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,' says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. For normal browsers, and most apps, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests. The company does not disclose to the user that it is rewriting webpages in this way. No such code is added to the in-app browser of WhatsApp, according to Krause's research. It is unclear when Facebook began injecting code to track users after clicking links. 'We intentionally developed this code to honor people's [Ask to track] choices on our platforms,' a Meta spokesperson told The Guardian in a statement. 'The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.'

They added: 'For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.'

Read more of this story at Slashdot.