Fastlane founder Felix Krause has revealed that Facebook and Instagram’s in-app browsers inject JavaScript into third-party websites.
Krause originally said the in-app browsers were injecting the Meta Pixel, which Meta describes as “a snippet of JavaScript code that allows you to track visitor activity on your website,” but has since updated his report to say the social networking company’s mobile apps are injecting a script identified as “pcm.js” instead. A comment within that script explains that it was “developed to honor people’s privacy and [App Tracking Transparency] choices” while they use Facebook and Instagram.
App Tracking Transparency is a framework Apple introduced with iOS 14.5 that requires developers to request permission to collect tracking data from their users. Meta has repeatedly criticized the framework and told Facebook and Instagram users that it relies on tracking data—or at least the advertising revenues it supports—to keep its services free. Its apps still have to honor user requests not to be tracked, however, and the company says that’s why its browsers inject the “pcm.js” script.
“This code is injected in in-app browsers to help aggregate conversion events from pixels setup by businesses on their website, before those events are used for targeted advertising or measurement purposes,” Meta says in a comment on the script. “No other user activity is tracked with this javascript.”
Krause says “injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.” He notes that Meta doesn’t appear to be doing anything that malicious, but the company has still criticized the report, with Meta policy communications director Andy Stone saying on Twitter:
Questions about Meta’s decision to inject JavaScript via Facebook and Instagram’s in-app browsers abound. Krause says he reported this behavior via Meta’s bug bounty program, was told within a few hours that Meta’s engineers could reproduce the “issue,” and then… heard nothing for about 11 weeks. It’s not clear why Meta failed to offer additional information about this practice (or why it characterized the JavaScript injection as an “issue”) until after Krause published his report.
Meta responded to a request for comment with the following statement: “These claims are false and misrepresent how Meta’s in-app browser and Pixel work. We intentionally developed this code to honor people’s App Tracking Transparency choices on our platforms.” That statement was provided after Krause updated his report to say the in-app browsers aren’t injecting the Meta Pixel, however, and the initial request for comment specifically mentioned the “pcm.js” script.
The company didn’t immediately respond to a request for additional information regarding what kind of data is collected via the “pcm.js” script, how the script prevents event data from the Meta Pixel from being used for tracking purposes, or if the Facebook and Instagram in-app browsers inject other scripts as well.
For now it seems Meta has created a system that requires it to knowingly engage in questionable behavior—injecting custom scripts into every third-party website visited by Facebook and Instagram’s billion-plus users via their in-app browsers—just to honor their requests not to be tracked.
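As an added illustration (not code from the article, from Meta, or from Krause’s tooling), a site owner can check from inside their own page whether the browser hosting it has inserted scripts the site never shipped, which is the behavior Krause describes; the page origin, the allowed origins, the known inline script and the sample script list below are all assumed or constructed.

```javascript
// Site-side check for <script> elements a page did not ship itself.
// Assumptions: PAGE_ORIGIN / ALLOWED_ORIGINS are the site's own values and
// KNOWN_INLINE holds the exact text of inline scripts the site intentionally serves.
const PAGE_ORIGIN = "https://example.com";
const ALLOWED_ORIGINS = new Set([PAGE_ORIGIN, "https://static.example.com"]);
const KNOWN_INLINE = new Set(["window.__app = { version: '1.2.3' };"]);

// Classify one descriptor ({src, text}); null means expected, otherwise a finding.
function classifyScript(script) {
  if (script.src) {
    let origin;
    try {
      origin = new URL(script.src, PAGE_ORIGIN).origin; // relative src resolves to our origin
    } catch (e) {
      return `unparseable src: ${script.src}`;
    }
    if (ALLOWED_ORIGINS.has(origin)) return null;
    return `external script from unexpected origin ${origin}: ${script.src}`;
  }
  const text = (script.text || "").trim();
  if (text === "") return null; // an empty <script> carries no code
  if (KNOWN_INLINE.has(text)) return null;
  return `inline script not shipped by this page (${text.length} chars)`;
}

// Findings for a list of descriptors, in input order.
function findUnexpectedScripts(scripts) {
  return scripts.map(classifyScript).filter((f) => f !== null);
}

// Build descriptors from a live DOM (only usable inside a browser or WebView).
function collectScripts(doc) {
  return Array.from(doc.querySelectorAll("script")).map((el) => ({
    src: el.getAttribute("src"),
    text: el.textContent,
  }));
}

// Constructed sample: two legitimate scripts, then two stand-ins for injected code.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", text: "" },
  { src: null, text: "window.__app = { version: '1.2.3' };" },
  { src: "https://host-app.invalid/pcm.js", text: "" }, // constructed placeholder URL
  { src: null, text: "document.addEventListener('click', e => {/* ... */});" },
];

const scripts = typeof document === "undefined" ? SAMPLE_SCRIPTS : collectScripts(document);
console.log(findUnexpectedScripts(scripts));
```

Run in a real page, the check only tells the site that something was inserted; identifying which host app did it still requires comparing results across browsers.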