Facebook’s in-app browser injects JavaScript into third-party websites

Fastlane founder Felix Krause reveals(opens in new window) Facebook and Instagram in-app browsers injecting JavaScript into third-party websites.

Krause originally stated that the in-app browser is injecting the Meta Pixel.(opens in new window) Described as “a snippet of JavaScript code that allows you to track visitor behavior on your website,” he later updated his report to state that the social networking company’s mobile app was called “pcm.js”. It states that it is inserting a script that is identified.(opens in new window)A comment in that script reads, “Respect people’s privacy, [App Tracking Transparency] When using Facebook or Instagram,

App Tracking Transparency is a framework introduced by Apple in iOS 14.5 that requires developers to request permission to collect tracking data from their users. Meta has repeatedly criticized the framework, telling Facebook and Instagram users that it relies on tracking data, or at least the advertising revenue it supports, to keep the service free. , it must honor user requests to avoid being tracked, and the company says that’s why browsers inject “pcm.js” scripts.

“This code is inserted into the in-app browser and aggregates conversion events from pixels that businesses have set up on their websites before allowing those events to be used for targeted advertising and measurement purposes.” Meta said in a comment to the script. “This JavaScript does not track other users’ girlfriend activities.”

“By inserting a custom script into a third-party website, all users can tap every button or link, select text, screen shots, fill out forms such as passwords, addresses, credit card numbers, etc.,” said Krause. You will be able to monitor interactions.” He says Meta doesn’t appear to be doing anything all that nefarious, but the company still criticizes the report, and Meta’s director of policy communications Andy Stone said on his Twitter: said like this.

Tweet(opens in new window)

There are many questions about Meta’s decision to inject JavaScript through the in-app browsers of Facebook and Instagram. Krause said he reported the behavior through Meta’s bug bounty program and within hours he told a Meta engineer he could reproduce the “problem” and then…hadn’t heard back for about 11 weeks. I’m here. It’s not clear why Meta didn’t provide additional information about this practice (or why it considered JavaScript injection a “problem”) until Krause published the report.

Meta made the following statement in response to a request for comment: This statement was provided after Krause updated his report to say that the in-app browser wasn’t inserting meta-his pixels, but the first request in the comments specifically mentioned “pcm.js” A script was mentioned.

js” script, how the script prevents event data from meta pixels from being used for tracking purposes, or how Facebook uses Instagram’s in-app Browsers also inject other scripts.

For now, Meta appears to be creating a system that requires deliberate engagement in questionable behavior. Injects custom his scripts into all 3rd party her websites accessed by over billions of Facebook and Instagram users via in-app browsers. Chase.