Meta injecting code into websites visited by its users to track them, research says

Meta, the owner of Facebook and Instagram, has been rewriting the websites its users visit, allowing the company to follow them around the web after clicking links in its apps, according to new research from a former Google engineer.

The two apps have taken advantage of the fact that users who click on links are taken to web pages in an “in-app browser” controlled by Facebook or Instagram, rather than being sent to the user’s chosen web browser, such as Safari or Firefox.

“The Instagram app injects their tracking code on every website that is displayed, including when you click on ads, allowing them [to] monitor all user interactions, such as every button and link clicked, text selections, screenshots, as well as any form inputs such as passwords, addresses, and credit card numbers,” says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

In a statement, Meta said injecting a tracking code was driven by user preferences about whether or not to allow apps to track them, and was only used to aggregate data before being applied for targeted advertising or measurement purposes for users who opted out of such monitoring.

“We intentionally developed this code to honor the [Ask to track] options on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so we can add conversion events from pixels.”

They added: “For purchases made through the in-app browser, we seek user consent to save payment information for autofill purposes.”

Krause discovered the code injection by creating a tool that could list all the additional commands added to a website by the browser. For normal browsers and most apps, the tool doesn’t detect changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if it is not installed, call up Meta Pixel, a tracking tool that allows the company to follow a user across the web and build an accurate profile of their interests.
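One way such a check can be built, shown here as an added example that is not Krause's tool or code from the original article: wrap a few DOM methods on a page that runs no script of its own, so that any recorded call comes from code the browser added. The fake document, the simulated injected snippet and the `tracker.example` URL are constructed stand-ins so the block runs outside a browser.

```javascript
// Wrap selected methods on a DOM-like object and record every call made to them.
function instrument(target, methodNames, log) {
  for (const name of methodNames) {
    const original = target[name];
    if (typeof original !== "function") continue; // skip APIs this object lacks
    target[name] = function (...args) {
      log.push({ api: name, args: args.map(describeArg) });
      return original.apply(this, args);
    };
  }
  return log;
}

// Render an argument as short text so the log is readable and comparable.
function describeArg(arg) {
  if (typeof arg === "function") return "[function]";
  if (arg && typeof arg === "object") {
    return `<${String(arg.tagName || "object").toLowerCase()} src=${arg.src || ""}>`;
  }
  return String(arg);
}

// Constructed stand-in for `document`; in a browser, pass the real one instead.
function makeFakeDocument() {
  return {
    getElementById() { return null; }, // nothing on the page matches
    createElement(tag) { return { tagName: tag.toUpperCase(), src: "" }; },
    appendChild(node) { return node; },
    addEventListener() {},
  };
}

// Constructed sample of behaviour like that described above: look for a kit,
// load a remote script if it is absent, then listen for text selection.
function simulatedInjectedCode(doc) {
  if (doc.getElementById("placeholder-kit") === null) {
    const script = doc.createElement("script");
    script.src = "https://tracker.example/pixel.js"; // placeholder URL
    doc.appendChild(script);
  }
  doc.addEventListener("selectionchange", () => {});
}

// The test page makes no DOM calls itself (assumption), so every entry in the
// returned log is attributable to `injected`.
function auditInjection(injected) {
  const doc = makeFakeDocument();
  const apis = ["getElementById", "createElement", "appendChild", "addEventListener"];
  const log = instrument(doc, apis, []);
  injected(doc);
  return log;
}
```

An empty log corresponds to the "no changes detected" result the article reports for normal browsers; a non-empty one lists each call the added code made, in order.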

The company does not reveal to the user that it is rewriting web pages in this way. No such code is added to the WhatsApp app’s browser, according to Krause’s research.

“JavaScript injection”, the practice of adding additional code to a web page before it is displayed to a user, is frequently classified as a type of malicious attack. Cybersecurity company Feroot, for example, describes it as an attack that “allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information.”

There is no suggestion that Meta used its JavaScript injection to collect such sensitive data. In the company’s description of the Meta Pixel, which is usually added voluntarily to websites to help companies advertise to users on Instagram and Facebook, it says that the tool “allows you to track visitor activity on your website” and that it may collect associated data.

It’s unclear when Facebook started injecting code to track users after clicking links. In recent years, the company has had a noisy public showdown with Apple, after the latter introduced a requirement for app developers to ask for permission to track users in apps. After the notice was released, many Facebook advertisers found themselves unable to target the social network’s users, ultimately leading to a $10 billion loss in revenue and a 26% drop in the company’s stock price earlier this year, according to Meta.