How do social media in-app browsers affect your online privacy?


As new research on social media in-app browsers shows, there are hidden web trackers that even the best VPN services can’t prevent.

Felix Krause, a former Google engineer, reported that people who open web pages directly from the Facebook and Instagram apps could be putting their personal information at risk. Indeed, Meta seems to inject additional lines of code into websites to better track users’ online activities.

In another report published a few days later, Krause explained that the popular video platform TikTok also uses the same type of JavaScript injections for similar purposes.

“I don’t have a list of specific data that Instagram sends home. I have evidence that the Instagram app and Facebook are actively running JavaScript commands to inject additional JavaScript SDK without user consent, as well as tracking user text selections,” Krause wrote.

He explains that these apps inject their JavaScript code into every website displayed, even on advertisements.

“Even though the injected script currently does not, running custom scripts on third-party websites allows them to monitor all user interactions, such as every button and link typed, text selections, screenshots, along with all form inputs, like passwords, addresses, and credit card numbers,” he said.

Additionally, the TikTok iOS app has been shown to be able to “subscribe” to all keyboard inputs. This means that it can potentially monitor whatever you click on your screen while using the app.


Meta and TikTok responded quickly to such allegations.

Although it did not disclose the practice to its users in advance, Meta said that the injected script helps it respect the user’s ATT [App Tracking Transparency] opt-out choice.

“The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. The code is injected so we can aggregate conversion events from pixels,” a spokesperson for Meta told The Guardian.

TikTok also confirmed the existence of such features, Forbes reported. However, they claim not to use JavaScript injection to aggressively track users.

“Like other platforms, we use an in-app browser to provide the best user experience, but the JavaScript code in question is only used for debugging, troubleshooting, and performance monitoring of that experience, like checking how fast a page is loading or if it’s crashing,” spokeswoman Maureen Shanahan told Forbes.

What is JavaScript injection?

JavaScript injection is the practice of adding extra lines of code to a web page before it is displayed to the user.

Since it makes it possible to manipulate websites or other web applications, it is usually used by hackers or other malicious actors to carry out cyber attacks. Like malware injection, these attacks aim to collect sensitive user data.

As Krause explains in his blog posts, this practice allows both Meta and TikTok to track users’ activities after they leave the social media app: from the pages they visit to what they type on the device keyboard and the screenshots they take.

Even though the companies behind these popular social media platforms have assured that they do not use JavaScript injection for malicious purposes, its potential dangers cannot yet be verified.

What is certain is that Meta, for example, saw a record drop in daily users and a 26% drop in the company’s share price this year. The latter came after Apple introduced a stricter policy against cross-host tracking. This means app developers now need to request permission to track users in apps.

Krause also pointed out that Safari, Google Chrome, and Firefox have all revamped their third-party cookie policies lately.

How to protect yourself from in-app browser tracking

Whether or not social media developers use in-app browser links to improve their control over users, there are several ways to simply avoid this practice.

1. Open the URL directly on the browser

A quick way to be sure to evade JavaScript injection via in-app browser links is to not click them. You can either select the “Open tab in your browser” option or copy and paste the URL to open it in your browser of choice.

2. Use the web version of the social media app

As social networks also have a web version of their apps, you can consider using that instead of the mobile app to escape the dangers of in-app browser pages.

3. Check what kind of information your apps keep about you

There is also a way to find out exactly which JavaScript commands your applications have sent. It is only available for iOS users at the moment: share the link somewhere in the app (you can send it to a friend as a DM, for example). Once you’ve done that, tap the link you sent to open it. A detailed report listing the executed JavaScript injections will then appear for you to view.
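Site owners can run a related check from their side. The following is an added example, not code from Krause, Meta or TikTok: a page script that flags script elements the page did not ship itself. The allowed origins, the per-response nonce and the sample records are assumptions made for the illustration.

```javascript
// Added example: flag <script> elements that this page did not ship itself.
// Assumptions: ALLOWED_ORIGINS, the nonce scheme and SAMPLE are constructed.
const ALLOWED_ORIGINS = new Set(['https://shop.example', 'https://cdn.shop.example']);

// Classify one script record { src, nonce } taken from the DOM.
// pageNonce is the per-response value the server put on its own inline scripts.
function classifyScript(script, pageNonce, baseUrl) {
  if (script.src) {
    let origin;
    try {
      origin = new URL(script.src, baseUrl).origin; // resolves relative paths too
    } catch {
      return { verdict: 'unexpected', reason: 'unparseable src' };
    }
    const ok = ALLOWED_ORIGINS.has(origin);
    return { verdict: ok ? 'expected' : 'unexpected', reason: (ok ? 'allowed' : 'external') + ' origin ' + origin };
  }
  // Inline script: only the page's own inline scripts carry the nonce.
  if (script.nonce && script.nonce === pageNonce) return { verdict: 'expected', reason: 'inline with page nonce' };
  return { verdict: 'unexpected', reason: 'inline without page nonce' };
}

function findUnexpected(scripts, pageNonce, baseUrl) {
  return scripts
    .map((s) => ({ ...s, ...classifyScript(s, pageNonce, baseUrl) }))
    .filter((s) => s.verdict === 'unexpected');
}

// Constructed sample: two of the page's own scripts, two it never shipped.
const SAMPLE = [
  { src: '/static/app.js', nonce: '' },
  { src: '', nonce: 'r4nd0m' },
  { src: 'https://sdk.tracker.example/sdk.js', nonce: '' },
  { src: '', nonce: '' },
];

if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  // Browser: report script nodes added to the DOM after this code starts.
  const pageNonce = document.currentScript ? document.currentScript.nonce : '';
  new MutationObserver((mutations) => {
    for (const m of mutations) for (const node of m.addedNodes) {
      if (node.nodeName !== 'SCRIPT') continue;
      const rec = { src: node.getAttribute('src') || '', nonce: node.nonce || '' };
      for (const hit of findUnexpected([rec], pageNonce, location.href)) {
        console.warn('script not shipped by this page:', hit.reason);
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
} else {
  console.log(findUnexpected(SAMPLE, 'r4nd0m', 'https://shop.example/checkout'));
}
```

This only sees scripts that arrive as elements in the page. Code that the host app evaluates directly, without adding a script element, leaves no node to observe.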


If you’re worried about your general online privacy, you can also use additional security software to protect your sensitive information.

You can replace your data-intensive Google Chrome with one of the more secure browsers, for example. You should also consider securing your overall anonymity online with a secure VPN service.

One of the best cheap VPN services, Surfshark, even offers a comprehensive security package that includes four cybersecurity tools with one subscription. Surfshark One comes with its own VPN, a data leak detection system, a private search engine and antivirus software.

