
Facebook’s In-App Browser Injects JavaScript Into Third-Party Websites

by George Mensah

Fastlane founder Felix Krause has revealed that the in-app browsers on Facebook and Instagram inject JavaScript into third-party websites.

Krause initially stated that the in-app browsers were injecting the Meta Pixel, which Meta describes as “a snippet of JavaScript code that allows you to track visitor activity on your website,” but has since updated his report to state that the social networking company’s mobile apps are instead injecting a script known as “pcm.js.” According to a comment within that script, it was “created to honor people’s privacy and [App Tracking Transparency] choices” while using Facebook and Instagram.

App Tracking Transparency is a framework introduced by Apple with iOS 14.5 that requires developers to request permission from their users to collect tracking data. Meta has repeatedly chastised the framework and informed Facebook and Instagram users that it relies on tracking data—or, at the very least, the advertising revenue it generates—to keep its services free. Its apps must still honor user requests not to be tracked, which is why its browsers inject the “pcm.js” script, according to the company.

In a comment on the script, Meta says, “This code is injected in in-app browsers to help aggregate conversion events from pixels setup by businesses on their website, before those events are used for targeted advertising or measurement purposes. This javascript tracks no other user activity.”

According to Krause, “injecting custom scripts into third-party websites allows them to monitor all user interactions, such as every button and link tapped, text selections, screenshots, and any form inputs, such as passwords, addresses, and credit card numbers.” He points out that Meta does not appear to be doing anything malicious, but the company has still criticized the report, with Meta policy communications director Andy Stone tweeting:

There are many questions about Meta’s decision to inject JavaScript through Facebook and Instagram’s in-app browsers. Krause claims he reported this behavior to Meta through the bug bounty program, was told within a few hours that Meta’s engineers could reproduce the “issue,” and then… nothing for about 11 weeks. It’s unclear why Meta didn’t provide more information about this practice (or why it referred to JavaScript injection as an “issue”) until Krause published his report.

In response to a comment request, Meta made the following statement: “These assertions are false and misrepresent the functionality of Meta’s in-app browser and Pixel. We created this code with the intention of respecting people’s App Tracking Transparency preferences on our platforms.” However, Krause updated his report to say that the in-app browsers aren’t injecting the Meta Pixel, and the initial request for comment specifically mentioned the “pcm.js” script.

The company did not immediately respond to a request for more information about what kind of data is collected by the “pcm.js” script, how the script prevents Meta Pixel event data from being used for tracking purposes, and whether the Facebook and Instagram in-app browsers also inject other scripts.

For the time being, Meta has designed a system that requires it to knowingly engage in questionable behavior—injecting custom scripts into every third-party website visited by Facebook and Instagram’s billions of users through their in-app browsers—in order to honor their requests not to be tracked.
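Krause’s point above is that a host app’s browser can add code the site owner never shipped. The following is an added example, not code from the article, from Krause, or from Meta: a page-side audit a site owner can run to list `<script>` elements that are neither loaded from the site’s own allowlisted origins nor inline bodies the site recognises. It assumes the injected code is visible as a script element; the origins, inline body and sample page below are constructed, and only the file name `pcm.js` comes from the article.

```javascript
// Policy describing what the site itself ships. Both lists are constructed for
// this example; a real site would generate them from its build output.
const SITE_INLINE = "window.dataLayer = window.dataLayer || [];";
const POLICY = {
  allowedOrigins: ["https://www.example-shop.test"], // constructed origin
  allowedInline: new Set([SITE_INLINE.trim()]),        // exact inline bodies the site knows
};

// scripts: [{ src, inline }] as gathered by collectScripts() below.
// Returns one finding per script the policy does not account for.
function auditScripts(scripts, policy) {
  const findings = [];
  scripts.forEach((s, index) => {
    if (s.src) {
      let origin = null;
      try {
        origin = new URL(s.src).origin; // element.src is already absolute in browsers
      } catch (e) {
        origin = null; // malformed src: treated as unexpected
      }
      if (!origin || !policy.allowedOrigins.includes(origin)) {
        findings.push({ index, kind: "external", src: s.src });
      }
    } else {
      const body = (s.inline || "").trim();
      if (!policy.allowedInline.has(body)) {
        findings.push({ index, kind: "inline", preview: body.slice(0, 60) });
      }
    }
  });
  return findings;
}

// Browser helper (not exercised under Node): snapshot the live DOM. Run it on
// DOMContentLoaded and again on load, since injection can happen at either point.
function collectScripts(doc) {
  return Array.from(doc.scripts, (el) => ({
    src: el.src || "",
    inline: el.src ? "" : el.textContent,
  }));
}

// Constructed sample page: two scripts the site ships plus one it never added.
const SAMPLE_SCRIPTS = [
  { src: "https://www.example-shop.test/static/app.js", inline: "" },
  { src: "", inline: SITE_INLINE },
  { src: "https://cdn.example-tracker.test/pcm.js", inline: "" }, // constructed host
];

function demo() {
  return auditScripts(SAMPLE_SCRIPTS, POLICY);
}
```

A finding only tells the site owner that something outside its policy is present; because the host app adds the code from outside the page, the page’s own Content-Security-Policy is not a reliable way to block it, so the useful response is to log the finding and decide whether sensitive forms should be shown in that browser at all.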

