Fastlane founder Felix Krause has revealed that the in-app browsers on Facebook and Instagram inject JavaScript into third-party websites.
Krause initially stated that the in-app browsers were injecting the Meta Pixel, which Meta describes as "a snippet of JavaScript code that allows you to track visitor activity on your website," but has since updated his report to state that the social networking company's mobile apps are instead injecting a script known as "pcm.js." According to a comment within that script, it was "created to honor people's privacy and [App Tracking Transparency] choices" while using Facebook and Instagram.
App Tracking Transparency is a framework introduced by Apple with iOS 14.5 that requires developers to request permission from their users to collect tracking data. Meta has repeatedly chastised the framework and informed Facebook and Instagram users that it relies on tracking data (or, at the very least, the advertising revenue it generates) to keep its services free. Its apps must still honor user requests not to be tracked, which is why its browsers inject the "pcm.js" script, according to the company.
In a comment on the script, Meta says, "This code is injected in in-app browsers to help aggregate conversion events from pixels setup by businesses on their website, before those events are used for targeted advertising or measurement purposes." "This javascript tracks no other user activity."
According to Krause, "injecting custom scripts into third-party websites allows them to monitor all user interactions, such as every button and link tapped, text selections, screenshots, and any form inputs, such as passwords, addresses, and credit card numbers." He points out that Meta does not appear to be doing anything malicious, but the company has still criticized the report, with Meta policy communications director Andy Stone tweeting:
There are many questions about Meta's decision to inject JavaScript through Facebook and Instagram's in-app browsers. Krause claims he reported this behavior to Meta through the bug bounty program, was told within a few hours that Meta's engineers could reproduce the "issue," and then... nothing for about 11 weeks. It's unclear why Meta didn't provide more information about this practice (or why it referred to JavaScript injection as an "issue") until Krause published his report.
In response to a comment request, Meta made the following statement: "These assertions are false and misrepresent the functionality of Meta's in-app browser and Pixel. We created this code with the intention of respecting people's App Tracking Transparency preferences on our platforms." However, Krause updated his report to say that the in-app browsers aren't injecting the Meta Pixel, and the initial request for comment specifically mentioned the "pcm.js" script.
The company did not immediately respond to a request for more information about what kind of data is collected by the "pcm.js" script, how the script prevents Meta Pixel event data from being used for tracking purposes, and whether the Facebook and Instagram in-app browsers also inject other scripts.
For the time being, Meta has designed a system that requires it to knowingly engage in questionable behavior (injecting custom scripts into every third-party website visited by Facebook and Instagram's billions of users through their in-app browsers) in order to honor their requests not to be tracked.