Facebook's In-App Browser Injects JavaScript Into Third-Party Websites

pcmag.com:

Fastlane founder Felix Krause has revealed(Opens in a new window) that Facebook and Instagram's in-app browsers inject JavaScript into third-party websites.

Krause originally said the in-app browsers were injecting the Meta Pixel, which Meta describes(Opens in a new window) as "a snippet of JavaScript code that allows you to track visitor activity on your website," but has since updated his report to say the social networking company's mobile apps are injecting a script identified as "pcm.js(Opens in a new window)" instead. A comment within that script explains that it was "developed to honor people's privacy and [App Tracking Transparency] choices" while they use Facebook and Instagram.

App Tracking Transparency is a framework Apple introduced with iOS 14.5 that requires developers to request permission to collect tracking data from their users. Meta has repeatedly criticized the framework and told Facebook and Instagram users that it relies on tracking data—or at least the advertising revenues it supports—to keep its services free. Its apps still have to honor user requests not to be tracked, however, and the company says that's why its browsers inject the "pcm.js" script.

"This code is injected in in-app browsers to help aggregate conversion events from pixels setup by businesses on their website, before those events are used for targeted advertising or measurement purposes," Meta says in a comment on the script. "No other user activity is tracked with this javascript."

Krause says "injecting custom scripts into third party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers."