It is nothing new to say that social networks collect endless information from their users by permanently monitoring their online activity. What is surprising is how more and more tools are becoming available to do so, even though users have not given their consent. For example, it has been found that the integrated web browser in Instagram and Facebook is also a danger to our privacy.
Felix Krause, developer of the Fastlane automation application, has published a detailed report in which he explains how platforms used by billions of people around the world use this method to extract information behind their users’ backs. And this happens on both Android and iOS.
The report in question focuses on the built-in browser of Facebook, Instagram and Messenger, three of the most popular Meta apps. However, it is also fair to point out that they are not the only social networks that have tools of this type. Twitter also uses a similar solution when users open a link included in a tweet, although Krause does not specify whether it falls under the same practices as Mark Zuckerberg’s company.
What the browsers integrated into apps like Facebook and Instagram offer is that users can access linked content without having to leave the social networks. Is it convenient? Yes, very. But, as has now been discovered, it also represents a very serious danger to the privacy of our personal information.
What those platforms do when you open a link without using a “conventional” browser, like Safari or Chrome, is inject a tracker. It records each of the interactions that people make on an external website. According to Krause, this ranges from tapping on an ad to opening another link, selecting text or taking a screenshot, among other actions.
And as if that wasn’t enough, Instagram and Facebook’s built-in browser might also be able to see your login details when you access a site that requires registration and type them into a form manually. The same goes for credit card data when making a purchase. The developer explains that it is very likely that Meta does not track or extract such specific personal data, but that it could easily do so without the public noticing.
“I don’t have a list of precise data that Instagram pulls. I have evidence that the Instagram and Facebook apps actively execute JavaScript commands to inject an additional JS SDK without user consent, in addition to tracking user text selections. If Instagram is already doing this, they could also inject any other JS code in. The Instagram app itself is well protected against man-in-the-middle attacks, and just by modifying the Android binary to remove certificate pinning and running it in a simulator, I was able to inspect part of your web traffic.
Even then, most real data had another layer of encryption/compression. It’s clear that they really don’t want you to investigate what kind of data is being sent back to the API.”
Felix Krause, on the privacy dangers of browsers embedded in social networks.
What tracker are they using and what can we do to prevent it?
In his tests, Krause found that the tracker used by the built-in browser of Facebook and Instagram is the infamous Meta Pixel. It has recently made headlines for being used on US hospital websites to extract information from patients and show them advertisements based on their illnesses. This has earned Mark Zuckerberg a couple of new lawsuits, but, as the saying goes, what does one more spot do to the tiger?
Although the privacy problems of browsers integrated into social networks affect both Android and iOS, in the case of Apple’s operating system it is a little more noticeable. Let’s not forget that the Cupertino company has taken a serious approach to protecting its users from unwanted tracking with the implementation of App Tracking Transparency. This has earned Meta complaints, though it hasn’t taken long to find an alternative to continue tracking people.
The main recommendation that Krause gives to avoid this problem is quite simple. When opening an external link from Instagram or Facebook, do not do it with the integrated browser, so that the unwanted tracker is not loaded. After all, the link can be opened in Chrome, Safari or another application from the same screen.
You can also choose to copy the link and open it directly in a conventional browser. And if you’re looking for an even more effective solution, you can skip the Facebook or Instagram apps and opt instead for their mobile web versions.
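Site owners can support the same advice from their side by noticing when a page is being shown inside one of these embedded browsers and suggesting that the visitor reopen it in a conventional one. The sketch below is an added example, not code from Krause's report or from Meta; the User-Agent tokens it checks are assumptions based on strings these apps have commonly sent, and the sample strings are constructed.

```javascript
// Added example. The tokens below are assumptions based on commonly seen
// webview User-Agent strings; an app can change or drop them at any time,
// so a null result does not prove the page is in a conventional browser.
const IN_APP_SIGNATURES = [
  { app: "Instagram", pattern: /\bInstagram \d/ },
  // Messenger strings also carry FBAV/, so it is checked before Facebook.
  { app: "Messenger", pattern: /FBAN\/Messenger|FB_IAB\/(?:Orca|MESSENGER)/i },
  { app: "Facebook", pattern: /FBAN\/FBIOS|FB_IAB\/FB4A|FBAV\// },
];

// Returns the name of the app whose embedded browser sent this User-Agent,
// or null when no signature matches.
function detectInAppBrowser(userAgent) {
  if (typeof userAgent !== "string" || userAgent.length === 0) return null;
  for (const { app, pattern } of IN_APP_SIGNATURES) {
    if (pattern.test(userAgent)) return app;
  }
  return null;
}

// Builds the text of a banner asking the visitor to leave the embedded
// browser, or returns null when no banner is needed.
function externalBrowserHint(userAgent) {
  const app = detectInAppBrowser(userAgent);
  if (app === null) return null;
  return `You are viewing this page inside ${app}. ` +
    "Use the menu to open it in Safari, Chrome or another browser.";
}

// Constructed sample User-Agent strings (not captured traffic).
const SAMPLE_USER_AGENTS = {
  safari: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1",
  facebookAndroid: "Mozilla/5.0 (Linux; Android 12; Example Build/EXAMPLE; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/103.0.0.0 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/1.0.0.0.0;]",
  messengerIos: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/MessengerForiOS;FBAV/1.0.0.0.0;FBLC/en_US]",
  instagramIos: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Instagram 1.0.0.0.0 (iPhone13,3; iOS 15_5; en_US)",
};

// In a page, show the hint when one applies; outside a browser this is skipped.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const hint = externalBrowserHint(navigator.userAgent);
  if (hint) {
    const banner = document.createElement("p");
    banner.textContent = hint;
    document.body.prepend(banner);
  }
}
```

The check only tells the visitor where they are; it cannot stop the app from injecting scripts into the page it hosts.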