Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Researcher shows how Instagram and Facebook’s use of an in-app browser within both its iOS apps can track interactions with external websites.

Users of Apple’s Instagram and Facebook iOS apps are being warned that both use an in-app browser that allows parent company Meta to track ‘every single tap’ users make with external websites accessed via the software.

Researcher Felix Krause, who outlined how Meta tracks users in a blog posted Wednesday, claims that this type of tracking puts users at “various risks”. He warns both iOS versions of the apps can “track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap” via their in-app browsers.

iOS users’ concerns over tracking were addressed by Apple’s 2021 release of iOS 14.5 and a feature called App Tracking Transparency (ATT). The added control was intended to require app-developers to get the user’s consent before tracking data generated by third-party apps not owned by the developer. Krause said that both iOS apps Facebook and Instagram are using a loophole to bypassed ATT rules and track website activity within their in-app browsers via the use of a custom JavaScript code used in both in-app browsers. That means, when an iOS user of Facebook and Instagram click on a link within a Facebook and Instagram post (or an ad), Meta launches its own in-app browser which can then track what you do on external sites you visit.

“The Instagram [and Facebook] app injects their JavaScript code into every website shown, including when clicking on ads. Even though pcm.js doesn’t do this, injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” Krause wrote.

A PCM.JS code, according to the researcher, is an external JavaScript file injected into websites viewed within the in-app browser. The code is used by both apps and enables both apps to build a communication bridge between in-app website content and the host app. Additional technical information regarding the PCM.JS can be found here.

Meta responded to Krause’s research with a statement published by The Guardian:

“We intentionally developed this code to honour people’s [Ask to track] choices on our platforms… The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels.. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

The use of in-app browsers, whether it be Meta’s or another company’s, presents a host of privacy risks, according to Krause. For starters it could allow a company to collect browser analytics, such as taps, input, scrolling behavior and copy-and-paste data without unambiguous user consent.

In-app browsers could also be used as a loophole by a firm to steal user credentials and API keys used in host services or inject ads and referrals links to siphon ad revenue from websites, the researcher noted. While citing these as examples, Krause is not accusing Meta of any of these actions.

“As my understanding goes, all of [these privacy concerns] wouldn’t be necessary if Instagram were to open the phone’s default browser, instead of building & using the custom in-app browser,” he wrote.

While Krause’s research has sparked outrage with privacy activists and he is careful to temper his research with answers to questions raised by his research.

Krause offers advice to privacy-minded users of the apps and suggests that, “whenever you open a link from Instagram (or Facebook or Messenger), make sure to click the dots in the corner to open the page in Safari instead.” Safari, he points out, already blocks third party cookies by default.

The researchers is also careful to point out that he does not have a precise list of data both apps send back to Meta. “I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JavaScript SDK without the user’s consent, as well as tracking the user’s text selections,” he wrote.

In July, Apple upped its privacy game and announced a feature called Lockdown Mode that is said offered as “an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.”

The researcher filed what is called an Open Radar Community Bug Report with Apple last month claiming “iOS Lockdown Mode allows custom in-app webviews, host apps can steal information.”

Apple responded within a comment to the report simply stating “Thanks for your report. This isn’t what Lockdown Mode is for.”

Meta responded directly to Krause’s report stating the PCM.JS JavaScript is used to “helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.”

Meta explained to Krause that it respects Apple’s App Tracking Transparency (ATT) rule, which requires app developers to get permission before tracking. The researcher notes that opting out of Meta’s in-app browser tracking is dependent on a third-party website’s use of what is called a Meta Pixel. A Meta Pixel is a “a snippet of JavaScript code that allows you to track visitor activity on your website,” according to a Meta developer description.

The researcher acknowledges that Meta is following ATT rules.

“According to Meta, the script injected (pcm.js) helps Meta respect the user’s ATT opt out choice, which is only relevant if the rendered website has the Meta Pixel installed,” Krause wrote.

Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction.

A developer appears to have divulged credentials to a police database on a popular developer forum, leading to a breach and subsequent bid to sell 23 terabytes of personal data on the dark web.

Hackers with Amazon users’ authentication tokens could’ve stolen or encrypted personal photos and documents.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Join thousands of people who receive the latest breaking cybersecurity news every day.

Belgian researcher Lennert Wouters revealed at Black Hat how he mounted a successful fault injection attack on a us… https://t.co/2sYqIyQBLF

Get the latest breaking news delivered daily to your inbox.

The First Stop For Security News

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.