Meta injecting code into websites to track its users, study finds

Meta, the owner of Facebook and Instagram, has rewritten the websites its users visit, allowing the company to track them around the web after clicking links in its apps, according to a new study by a former Google engineer.

Both apps took advantage of the fact that users who click on links are redirected to web pages in an “in-app browser” controlled by Facebook or Instagram, rather than being sent to the web browser of their choice, such as Safari or Firefox.

“The Instagram app injects its tracking code into every website displayed, including when you click on ads, allowing them to monitor all user interactions, such as every button and link typed, text selections, screenshots, as well as all form inputs, such as passwords, addresses, and credit card numbers,” says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

In a statement, Meta said the injection of a tracking code obeyed users’ preferences about whether or not to allow apps to track them, and that it was only used to aggregate data before it was applied for targeted advertising or measurement purposes for users who had opted out of such monitoring.

“We intentionally developed this code to honor the [Ask to track] choice on our platforms,” a spokesperson said. “The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. The code is injected so that we can aggregate conversion events from pixels.”

They added: “For purchases made through the in-app browser, we ask for user consent to save payment information for autofill purposes.”

Krause discovered the code injection by creating a tool that could list all the additional commands added to a website by the browser. For normal browsers and most apps, the tool doesn’t detect any changes, but for Facebook and Instagram, it finds up to 18 lines of code added by the app. These lines of code appear to search for a particular cross-platform tracker kit and, if it is not installed, instead call Meta Pixel, a tracking tool that allows the company to track a user across the web and build a precise profile of their interests.
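As an added example (not the article’s text, and not Krause’s tool or Meta’s code), a page-side check in the spirit of the one described above: it diffs the script elements the server actually delivered against the script elements present in the rendered page, so any script that exists only after rendering is flagged. The served HTML, the rendered script list and the flagged snippet are all constructed samples, and `sendToApp` is a hypothetical placeholder.

```javascript
// Added example: detect script elements that appear in the rendered DOM
// but were not part of the HTML the server delivered. From the page's point
// of view, that is how JavaScript injected by a hosting app shows up.

// Minimal extraction of <script> tags from served HTML (simplified parser,
// sufficient for well-formed markup; not a full HTML tokenizer).
function scriptsInHtml(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, inline: m[2].trim() });
  }
  return scripts;
}

// Returns the rendered scripts that have no counterpart in the served HTML.
// In a browser, `rendered` would be built from the live DOM, e.g.:
//   [...document.scripts].map(s => ({ src: s.getAttribute('src'), inline: s.textContent.trim() }))
// and `servedHtml` fetched again with fetch(location.href) and read as text.
function findInjectedScripts(servedHtml, rendered) {
  const expected = new Set(scriptsInHtml(servedHtml).map(s => JSON.stringify(s)));
  return rendered.filter(s => !expected.has(JSON.stringify(s)));
}

// Constructed sample: the HTML the server sent for a checkout page.
const SERVED_HTML = `<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {lang: "en"};</script>
</head><body><p>Checkout</p></body></html>`;

// Constructed sample: what an in-app browser ended up rendering. The third
// entry is a hypothetical injected listener; sendToApp is a placeholder name.
const RENDERED_SCRIPTS = [
  { src: '/static/app.js', inline: '' },
  { src: null, inline: 'window.appConfig = {lang: "en"};' },
  { src: null, inline: 'document.addEventListener("click", e => sendToApp(e.target.tagName));' },
];

// Prints the one script that was not in the served HTML.
console.log(findInjectedScripts(SERVED_HTML, RENDERED_SCRIPTS));
```

The check only sees code that arrives as a DOM script element; a host app that runs code through its webview’s native user-script mechanism without inserting a node would need a different signal (for instance, comparing registered event handlers or observing the DOM with a MutationObserver from the first script on the page).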

The company does not disclose to the user that it rewrites web pages in this way. According to Krause’s research, no such code is added to WhatsApp’s in-app browser.

“JavaScript injection” – the practice of adding additional code to a web page before it is displayed to a user – is often classified as a type of malicious attack. Cybersecurity firm Feroot, for example, describes it as an attack that “allows the threat actor to manipulate the website or web application and collect sensitive data, such as personally identifiable information (PII) or payment information”.

There is no suggestion that Meta used its JavaScript injection to collect such sensitive data. In the company’s description of the Meta Pixel, which is usually voluntarily added to websites to help companies advertise to users on Instagram and Facebook, it says the tool “allows you to track visitor activity on your website” and may collect related data.

It’s unclear when Facebook started injecting code to track users after they click on links. In recent years, the company has had a vociferous public confrontation with Apple, after the latter introduced a requirement for app developers to seek permission to track users across apps. After the launch of the prompt, many Facebook advertisers found themselves unable to target users on the social network, which ultimately led to $10 billion in lost revenue and a 26% drop in the company’s stock price earlier this year, according to Meta.