LONDON: Meta is accused of altering website codes its users view, enabling the tech giant to follow them throughout the web after they click links in its apps, new research revealed on Thursday.

Felix Krause, a former Google employee who conducted the research, said that Meta exploits the “in-app browser” — a feature that allows Facebook and Instagram users to visit a third-party website without leaving the platform — to “inject” the tracking code.

“The iOS Instagram and Facebook app render all third-party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses to every single tap,” Krause said.

“Injecting custom scripts into third-party websites allows them to monitor all user interactions, like every button & link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers,” he added.

This practice of adding extra code to a webpage before it is displayed to a user is called “Javascript injection,” and in most cases is considered a type of malicious attack, Krause said.

His investigation concentrated on Facebook and Instagram for iOS, after he discovered the code injection by chance while developing a tool that could list all the extra commands added to a website by the browser.

Starting with iOS 14.5, Apple introduced App Monitoring Transparency, which enables users to choose whether or not to enable app tracking when they first open an app. The feature, according to Meta, could impact the company’s revenue by more than $10 billion.

Meta said that the injected tracking code respected users' preferences on ATT.

“The code allows us to aggregate user data before using it for targeted advertising or measurement purposes,” a spokesperson said.

“We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels. For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill.”

Although there is no indication that Meta employed Javascript injection to gather sensitive data, the company does not make this information known to users. 

Krause also said that WhatsApp’s in-app browser does not have the code. As a result, he advised that Meta should do the same with Facebook and Instagram, or redirect users to another browser to open links.

“It’s what’s best for the user, and the right thing to do,” he said.