How Facebook, Messenger And Instagram Use ‘Meta Pixel’ in Their In-App Browser to Track Users

JavaScript injection detected!

Web pages are viewed through a web browser, and Meta makes use of that fact by shipping its own.

Users of the Facebook social media app, Messenger app and Instagram can visit websites by tapping on links provided in user profiles or posts. The thing is, users aren't redirected to the browser of their choice, like Google Chrome or Apple Safari.

Instead, a custom in-app web browser is launched.

The browser isn't an ordinary browser: it is intended only to open HTML pages and run their CSS and JavaScript, without offering anything else.

While this is common, Meta's web browser was found injecting a specially crafted JavaScript file into every website users visit.

This potentially allows Meta to track users wherever they go after leaving Meta's own apps, following them across websites, as researcher Felix Krause has discovered.

"The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," Krause said in a blog post.
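A site-side audit for the symptom described above (JavaScript the page did not ship itself showing up in every page an in-app browser renders), written as an added example; it is not code from the article or from Felix Krause's tooling, and the allowlist, the user-agent tokens and the sample inputs are constructed assumptions for this demo.

```javascript
// Added example (not from the article or from Felix Krause's tooling): a
// site-side audit that reports scripts and globals the page did not ship.
// The allowlist, the user-agent tokens and all sample inputs are constructed
// assumptions for this demo, not values taken from the article.

const ALLOWED_SCRIPT_ORIGINS = ['https://shop.example']; // constructed allowlist

// Return the script URLs whose origin is not allowlisted; inline scripts (empty
// src) are reported as 'inline' because an injected snippet need not have a URL.
function findUnexpectedScripts(scriptSrcs, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  return scriptSrcs.map((src) => {
    if (!src) return 'inline';
    try {
      return allowedOrigins.includes(new URL(src).origin) ? null : src;
    } catch (_) {
      return src; // unparsable src: report it rather than silently drop it
    }
  }).filter((hit) => hit !== null);
}

// Names present on window now but absent from an earlier snapshot: globals a
// later-running (injected or dynamically added) script left behind.
function diffGlobals(baselineNames, currentNames) {
  const seen = new Set(baselineNames);
  return currentNames.filter((name) => !seen.has(name));
}

// Heuristic: tokens the in-app browsers of the Meta apps are commonly observed
// to add to the user-agent string (assumption for this demo).
const IN_APP_UA_TOKENS = ['FBAN', 'FBAV', 'Instagram', 'Messenger'];
function detectInAppBrowser(userAgent) {
  return IN_APP_UA_TOKENS.filter((token) => userAgent.includes(token));
}

// Browser wiring: snapshot globals as early as possible, then watch the DOM
// for late additions and log a report when something unexpected appears.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const baseline = Object.getOwnPropertyNames(window);
  new MutationObserver(() => {
    const report = {
      inApp: detectInAppBrowser(navigator.userAgent),
      scripts: findUnexpectedScripts([...document.scripts].map((s) => s.src)),
      globals: diffGlobals(baseline, Object.getOwnPropertyNames(window)),
    };
    if (report.scripts.length || report.globals.length) console.warn(report);
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Scripts injected before the page's own code runs will not show up in the globals diff (the baseline already contains them), so a production deployment compares against a baseline recorded in a trusted browser instead.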

[Image: Meta apps, in-app browsers JavaScript injection]

Felix Krause's research was focused on the iOS versions of Facebook and Instagram.

This is because Apple allows users to opt out of app tracking through its App Tracking Transparency (ATT) initiative, first introduced in iOS 14.5. Using its own in-app browser, Meta is able to bypass ATT.

It's worth noting that all apps that can open web pages on iOS are required to use WebKit.

This is what Meta is doing.

The in-app browser in Facebook and Instagram also uses WebKit. But the company was found tweaking it so that it can inject the specialized JavaScript code known as the ‘Meta Pixel’.

According to its documentation page, a Meta Pixel is simply a snippet of JavaScript code that allows developers to track visitor activities. It works by loading a small library of functions that developers call whenever a site visitor takes an action (called an event) they want to track (called a conversion).

By default, the Pixel tracks the URLs visited, the domains visited, and the devices visitors use, Meta explains in another documentation page.

In all, Meta Pixel can collect the following data:

  1. HTTP Headers: anything that is inside HTTP headers, which include IP addresses, information about the web browser, page location, document, referrer and person using the website.
  2. Pixel-specific Data: data includes Pixel ID and the Facebook Cookie.
  3. Button Click Data: this includes any buttons clicked by site visitors, the labels of those buttons and any pages visited as a result of the button clicks.
  4. Optional Values: developers and marketers can optionally choose to send additional information about the visit through Custom Data events. Example custom data events are conversion value, page type and more.
  5. Form Field Names: this includes website field names like email, address, quantity, and so forth, that is typed when users purchase a product or service.

Krause also said that Instagram iOS subscribes to every tap on any button, link, image or other component on external websites rendered inside the Instagram app.

"Instagram iOS subscribes to every time the user selects a UI element (like a text field) on third party websites rendered inside the Instagram app," he said.


In other words, Meta has the ability to monitor all user interactions and activities without users' consent, according to the analysis.

This method can even bypass Apple's Lockdown mode, a feature that Apple introduced for users who are targets of hacking campaigns.

Meta said that its browser and its method of injecting tracking code obey users' preferences on ATT.

"The code allows us to aggregate user data before using it for targeted advertising or measurement purposes," a spokesperson for the company said. "We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."

Krause stressed that Facebook and Instagram aren't necessarily using the JavaScript injection technique to collect users' sensitive data.

However, if links were opened in the user's preferred browser instead, Meta would have no way to perform a similar JavaScript injection on the websites visited.

The approach used by Facebook and Instagram "works for any website, no matter whether it's encrypted or not," he said.


While Meta denies that it violates Apple's policy, the company does violate Apple's ATT, which states that all apps must ask for user consent before tracking them.

Interestingly, Meta doesn't use the same strategy on WhatsApp, the popular messaging app it owns.

While links also get shared a lot on WhatsApp, according to Krause's research, WhatsApp doesn't modify third-party websites in a similar way.

Krause suggests that Meta should do the same with Facebook and Instagram. If not, it would be wiser for the company to let links open in Safari or another browser.

"It's what's best for the user, and the right thing to do."

About a week later, Krause also found that TikTok is doing the same thing. According to him, installing TikTok is like installing a keylogger.

Published: 16/08/2022