Fastlane founder Felix Krause has revealed(Opens in a new window) that Facebook and Instagram’s in-app browsers inject JavaScript into third-party websites.
Krause originally said the in-app browsers were injecting the Meta Pixel, which Meta describes(Opens in a new window) as “a snippet of JavaScript code that allows you to track visitor activity on your website,” but has since updated his report to say the social networking company’s mobile apps are injecting a script identified as “pcm.js(Opens in a new window)” instead. A comment within that script explains that it was “developed to honor people’s privacy and [App Tracking Transparency] choices” while they use Facebook and Instagram.
App Tracking Transparency is a framework Apple introduced with iOS 14.5 that requires developers to request permission to collect tracking data from their users. Meta has repeatedly criticized the framework and told Facebook and Instagram users that it relies on tracking data—or at least the advertising revenues it supports—to keep its services free. Its apps still have to honor user requests not to be tracked, however, and the company says that’s why its browsers inject the “pcm.js” script.
“This code is injected in in-app browsers to help aggregate conversion events from pixels setup by businesses on their website, before those events are used for targeted advertising or measurement purposes,” Meta says in a comment on the script. “No other user activity is tracked with this javascript.”
Krause says “injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers.” He notes that Meta doesn’t appear to be doing anything that malicious, but the company has still criticized the report, with Meta policy communications director Andy Stone saying on Twitter:
Questions about Meta’s decision to inject JavaScript via Facebook and Instagram’s in-app browsers abound. Krause says he reported this behavior via Meta’s bug bounty program, was told within a few hours that Meta’s engineers could reproduce the “issue,” and then… heard nothing for about 11 weeks. It’s not clear why Meta failed to offer additional information about this practice (or why it characterized the JavaScript injection as an “issue”) until after Krause published his report.
Meta responded to a request for comment with the following statement: “These claims are false and misrepresent how Meta’s in-app browser and Pixel work. We intentionally developed this code to honor people’s App Tracking Transparency choices on our platforms.” That statement was provided after Krause updated his report to say the in-app browsers aren’t injecting the Meta Pixel, however, and the initial request for comment specifically mentioned the “pcm.js” script.
Recommended by Our Editors
The company didn’t immediately respond to a request for additional information regarding what kind of data is collected via the “pcm.js” script, how the script prevents event data from the Meta Pixel from being used for tracking purposes, or if the Facebook and Instagram in-app browsers inject other scripts as well.
For now it seems Meta has created a system that requires it to knowingly engage in questionable behavior—injecting custom scripts into every third-party website visited by Facebook and Instagram’s billion-plus users via their in-app browsers—just to honor their requests not to be tracked.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Facebook’s In-App Browser Injects JavaScript Into Third-Party Websites & Latest News Update
Facebook’s In-App Browser Injects JavaScript Into Third-Party Websites & More Live News
All this news that I have made and shared for you people, you will like it very much and in it we keep bringing topics for you people like every time so that you keep getting news information like trending topics and you It is our goal to be able to get
all kinds of news without going through us so that we can reach you the latest and best news for free so that you can move ahead further by getting the information of that news together with you. Later on, we will continue
to give information about more today world news update types of latest news through posts on our website so that you always keep moving forward in that news and whatever kind of information will be there, it will definitely be conveyed to you people.
Facebook’s In-App Browser Injects JavaScript Into Third-Party Websites & More News Today
All this news that I have brought up to you or will be the most different and best news that you people are not going to get anywhere, along with the information Trending News, Breaking News, Health News, Science News, Sports News, Entertainment News, Technology News, Business News, World News of this made available to all of you so that you are always connected with the news, stay ahead in the matter and keep getting today news all types of news for free till today so that you can get the news by getting it. Always take two steps forward
Credit Goes To News Website – This Original Content Owner News Website . This Is Not My Content So If You Want To Read Original Content You Can Follow Below Links