Fastlane CEO Felix Krause has revealed how Facebook and Instagram’s in-app browsers inject JavaScript into third-party websites.
Krause initially stated that the in-app browsers were injecting the Meta Pixel, which Meta describes as “a fragment of JavaScript code which allows you to monitor the activity of your visitors on your site,” but has since revised his account to state that the social network company’s mobile apps are injecting a script known as “pcm.js” instead. A statement within that script says it was “developed to respect the privacy of users and their [App Tracking Transparency] options” when they use Facebook and Instagram.
App Tracking Transparency is a framework Apple introduced in iOS 14.5 that requires app developers to obtain permission to collect information from their users. Meta has frequently criticized the framework, and has informed Facebook and Instagram users that it depends on the collection of tracking data, or at a minimum the revenue from advertising, to ensure that its services remain free. The apps must nonetheless respect user requests not to be tracked, and Meta claims that is the reason its in-app browsers use the “pcm.js” script.
“This code is added to in-app web browsers to aid in the collection of conversion events from pixels set up by websites of businesses before these events are used for targeted marketing or for measurement,” Meta says in a post about the code. “No other activity of the user is monitored by this JavaScript.”
Krause states that “injecting custom scripts on third-party websites lets them monitor every interaction of users, including each button and link clicked as well as screenshots, text choices and also any inputs on forms, such as passwords, addresses, or the numbers of credit cards.”
Questions about Meta’s decision to inject JavaScript through Facebook and Instagram’s in-app browsers abound. Krause has said he reported this behaviour through Meta’s bug bounty system. He was informed within a couple of hours that the engineers at Meta could replicate an “issue,” and then… did not hear anything for around 11 weeks. It’s unclear what caused the issue. Meta did not provide additional details about this procedure (or why it classified JavaScript injection as an “issue”) at the time Krause released his findings.
Meta replied to a request for comment by stating: “These claims are false and do not accurately reflect how Meta’s in-app browser and its Pixel operate. We designed this program to accommodate users’ App Tracking Transparency choices for our apps.” The statement was released after Krause revised his article to clarify that the in-app browsers aren’t injecting the Meta Pixel, however, and the original request for comment specifically mentioned the “pcm.js” script.
The company hasn’t responded to a request for more details on what information is collected by the “pcm.js” script, how the script stops event information from the Meta Pixel from being used to track users, or whether the Facebook and Instagram in-app browsers inject other scripts, too.
It appears that Meta has created a situation in which it has to engage in unsavory behavior, injecting custom scripts into every third-party website visited by Facebook and Instagram’s billions of users through the apps’ in-app browsers, in order to honour those users’ requests not to be tracked.