
Facebook and Instagram Apps inject tracking codes into all websites viewed via in-app browser

danielsteiner

Today, Felix Krause, a Vienna-based software developer, released a blog post on a quite hefty privacy violation by Meta in its Facebook and Instagram apps for iOS.
By default, those apps open all links that are directly opened from those apps in an in-app browser, which gives the company the option to monitor the whole site's content, including all user-entered information like credentials. Additionally, the two apps inject the Facebook tracking codes to further track the user's interaction with the page or additional pages that might be visited within the in-app browser via links on the original page.

 

Further technical information about this issue is available at Felix's blog, linked in the sources.

 

Summary

Facebook injects tracking pixel to all websites via in-app-browser

 

My thoughts

Since web traffic is encrypted, it can't be said for sure which information is being recorded by Facebook. To prevent any personal data leaking, you should always open links in the system browser instead of the in-app browser.

 

Sources

iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser · Felix Krause (krausefx.com)
Facebook- und Instagram-Apps könnten alles mitlesen, was Nutzer auf externen Webseiten machen - Netzpolitik - derStandard.at › Web (German) 

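The opening post advises leaving the in-app browser. As an added example that is not part of the original post or of the linked article, this is a check a site owner could run for that purpose. The user-agent tokens (`FBAN/`, `FBAV/`, `Instagram`) are assumed from commonly observed in-app browser strings; the function names, hosts and sample values are constructed for illustration.

```javascript
// Added example (not from the original post): flag Meta in-app browsers and
// script URLs the site did not ship itself.
// Assumption: these user-agent tokens mark the Facebook/Instagram in-app browser.
const IN_APP_TOKENS = [
  { app: "Facebook", pattern: /\bFB(AN|AV)\// },
  { app: "Instagram", pattern: /\bInstagram\b/ },
];

function detectInAppBrowser(userAgent) {
  const hit = IN_APP_TOKENS.find((t) => t.pattern.test(userAgent || ""));
  return hit ? hit.app : null;
}

// Script URLs whose host is neither the page's own host nor on the allowlist.
function unexpectedScripts(scriptUrls, pageUrl, allowedHosts) {
  const allowed = new Set([new URL(pageUrl).host, ...allowedHosts]);
  return scriptUrls.filter((src) => {
    try {
      return !allowed.has(new URL(src, pageUrl).host);
    } catch {
      return true; // unparsable src: report it rather than ignore it
    }
  });
}

function auditPage(userAgent, scriptUrls, pageUrl, allowedHosts = []) {
  const app = detectInAppBrowser(userAgent);
  return {
    inAppBrowser: app,
    unexpectedScripts: unexpectedScripts(scriptUrls, pageUrl, allowedHosts),
    adviseSystemBrowser: app !== null, // show an "open in system browser" hint
  };
}

// Constructed sample input (not captured traffic).
const SAMPLE_UA_INSTAGRAM =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Mobile/15E148 Instagram 243.1.0 (iPhone13,2; iOS 15_5; en_US)";
const SAMPLE_UA_SAFARI =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1";
const SAMPLE_SCRIPTS = ["/static/app.js", "https://cdn.shop.example/lib.js",
  "https://tracker.example/sdk.js"];

// In a page: auditPage(navigator.userAgent,
//   [...document.scripts].map((s) => s.src).filter(Boolean), location.href, [...]).
console.log(JSON.stringify(auditPage(SAMPLE_UA_INSTAGRAM, SAMPLE_SCRIPTS,
  "https://shop.example/login", ["cdn.shop.example"]), null, 2));
```

A script that the app evaluates directly in the web view need not appear as a script element, so an empty `unexpectedScripts` list does not show that nothing was injected.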

Why do people still use Facebook and associated apps? It's clear they will do anything to get your personal information. 

More fines, more sanctions. Make them actually hurt instead of slapping them with a wet flannel whenever they violate privacy.


6 minutes ago, Arika S said:

Why do people still use Facebook and associated apps? It's clear they will do anything to get your personal information. 

More fines, more sanctions. Make them actually hurt instead of slapping them with a wet flannel whenever they violate privacy.

It's hard to ignore Facebook Marketplace in the used market (though I guess this depends on where you live).


But I have it on good authority that one of the reasons Apple's ecosystem is closed without options is so this can't happen.

 

So much for that argument.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Should be classified as Spyware - Because that's what those applications do.

 

From Wikipedia:

Quote

Spyware is software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their privacy or endangering their device's security. This behavior may be present in malware as well as in legitimate software.

 

12 hours ago, TempestCatto said:

I prefer my info go to the Russians instead of the Chinese 😤

But the data that Facebook and Instagram collect goes to the Americans...

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

2 hours ago, Vishera said:

Should be classified as Spyware - Because that's what those applications do.

 

From Wikipedia:

 

But the data that Facebook and Instagram collect goes to the Americans...

No, Facebook data goes to anyone willing to pay for it tbh. That's primarily how they make money, and honestly they will continue to do so, as they make so much money doing this that all of the fines they get for breaking laws will just be put down as the cost of doing business.


16 hours ago, Arika S said:

Why do people still use Facebook and associated apps? It's clear they will do anything to get your personal information. 

More fines, more sanctions. Make them actually hurt instead of slapping them with a wet flannel whenever they violate privacy.

A bot developed by META itself admits this as truth concerning Zuckerberg and FB:
Meta's chatbot says the company 'exploits people' - BBC News

And while we're on the topic of spyware, Alexa is MS's own version of it and has been for years, if not decades now.

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


17 hours ago, Arika S said:

More fines, more sanctions. Make them actually hurt instead of slapping them with a wet flannel whenever they violate privacy.

I think this case is just way beyond what is meant to be handled by government agencies and civilian courts.

 

Breaking into people's browser sessions without consent should fall already into criminal law (as unauthorized access to computer systems) and should be prosecuted as a criminal act.

Actually court trying the people (managers) who supervised the deployment of such software functionalities seems like the only repulsive force.

 

I wonder what more should happen to see such a proceeding to an intentional privacy violation ones?

         \   ^__^ 
          \  (oo)\_______
             (__)\       )\/\

8 minutes ago, grg994 said:

Breaking into people's browser sessions without consent should fall already into criminal law (as unauthorized access to computer systems) and should be prosecuted as a criminal act.

They assume you have given them consent by installing the app,

Which in itself is a legal loophole that needs to be fixed.

 

Wiretapping laws can definitely be revised to apply in such cases.


6 minutes ago, Vishera said:

They assume you have given them consent by installing the app,

Maybe, this cannot be stated for sure without a legal analysis.

Which is not the objective of the source krausefx.com article, but it gives a statement about it:

Quote

I do have proof that the Instagram and Facebook app actively run JavaScript commands to inject an additional JS SDK without the user’s consent, as well as tracking the user’s text selections.

 


3 hours ago, Brooksie359 said:

No, Facebook data goes to anyone willing to pay for it tbh. That's primarily how they make money, and honestly they will continue to do so, as they make so much money doing this that all of the fines they get for breaking laws will just be put down as the cost of doing business.

 

Quote

PRISM is a code name for a program under which the United States National Security Agency (NSA) collects internet communications from various U.S. internet companies.

 

The documents identified several technology companies as participants in the PRISM program, including Microsoft in 2007, Yahoo! in 2008, Google in 2009, Facebook in 2009, Paltalk in 2009, YouTube in 2010, AOL in 2011, Skype in 2011 and Apple in 2012.

 

France

On October 21, 2013, the French Foreign Minister, Laurent Fabius, summoned the U.S. Ambassador, Charles Rivkin, to the Quai d'Orsay in Paris to protest large-scale spying on French citizens by the U.S. National Security Agency (NSA). Paris prosecutors had opened preliminary inquiries into the NSA program in July, but Fabius said, "... obviously we need to go further" and "we must quickly assure that these practices aren't repeated."[96]

 

Spain

At a meeting of European Union leaders held the week of 21 October 2013, Mariano Rajoy, Spain's prime minister, said that "spying activities aren't proper among partner countries and allies". On 28 October 2013 the Spanish government summoned the American ambassador, James Costos, to address allegations that the U.S. had collected data on 60 million telephone calls in Spain. Separately, Íñigo Méndez de Vigo, a Spanish secretary of state, referred to the need to maintain "a necessary balance" between security and privacy concerns, but said that the recent allegations of spying, "if proven to be true, are improper and unacceptable between partners and friendly countries".[107]

 

New Zealand

In New Zealand, University of Otago information science Associate Professor Hank Wolfe said that "under what was unofficially known as the Five Eyes Alliance, New Zealand and other governments, including the United States, Australia, Canada, and Britain, dealt with internal spying by saying they didn't do it. But they have all the partners doing it for them and then they share all the information."[105]

Edward Snowden, in a live streamed Google Hangout to Kim Dotcom and Julian Assange, alleged that he had received intelligence from New Zealand, and the NSA has listening posts in New Zealand.[106]

 

 


20 hours ago, Arika S said:

It's clear they will do anything to get your personal information. 

Cause that's okay for me, but I don't use Facebook. Instagram on the other hand is a nice distraction from time to time.

 

 

 

 


4 hours ago, grg994 said:

I think this case is just way beyond what is meant to be handled by government agencies and civilian courts.

 

Breaking into people's browser sessions without consent should fall already into criminal law (as unauthorized access to computer systems) and should be prosecuted as a criminal act.

Actually court trying the people (managers) who supervised the deployment of such software functionalities seems like the only repulsive force.

 

I wonder what more should happen to see such a proceeding to an intentional privacy violation ones?

The problem is that if you have enough money and power then it's almost hard to get criminally charged. Also it's not like the government doesn't do exactly the same thing even though it should be illegal. I wouldn't be surprised if Facebook just gave info to the government in exchange for immunity.


Spybook and Spygram.

DAC/AMPs:

Klipsch Heritage Headphone Amplifier

Headphones: Klipsch Heritage HP-3 Walnut, Meze 109 Pro, Beyerdynamic Amiron Home, Amiron Wireless Copper, Tygr 300R, DT880 600ohm Manufaktur, T90, Fidelio X2HR

CPU: Intel 4770, GPU: Asus RTX3080 TUF Gaming OC, Mobo: MSI Z87-G45, RAM: DDR3 16GB G.Skill, PC Case: Fractal Design R4 Black non-iglass, Monitor: BenQ GW2280


That's just social networks for you.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


20 hours ago, Quackers101 said:

uninstalls messenger app, but then everyone uses it and is only accessed there 😞

It's fucking shit isn't it?  Every time I try to explain to my family and friends about facebook et al and basic privacy/security etc I get told I am a conspiracy nut akin to flat earthers or anti vaxxers.  It's just getting ridiculous.

 

 


1 minute ago, mr moose said:

It's fucking shit isn't it?  Every time I try to explain to my family and friends about facebook et al and basic privacy/security etc I get told I am a conspiracy nut akin to flat earthers or anti vaxxers.  It's just getting ridiculous.

lol, but yeah there is so much stuff like this that happens. it's hard to remember everything, just like when everyone wanted to uninstall whatsapp when it came under fire.


On 8/11/2022 at 12:12 AM, Arika S said:

More fines, more sanctions.

It's clear they became too big for those things to hurt. Just close down the thing and confiscate everything including any personal wealth that could've come from the illegal activities..... That should set a pretty good example and actual deterrent.


46 minutes ago, jagdtigger said:

It's clear they became too big for those things to hurt. Just close down the thing and confiscate everything including any personal wealth that could've come from the illegal activities..... That should set a pretty good example and actual deterrent.

It could be me being cynical but I doubt that will happen. They've become waaaay too big for the govs/authorities to slap them. They WILL and KEEP their eyes looking the other way and let them continue this shit, like happened for so many countless times. Fecesbook drills the govs in the butt and the govs drills the citizens in the butt in the process.


26 minutes ago, CTR640 said:

They've become waaaay too big for the govs/authorities to slap them.

They could if they wanted to. An official "freeze all assets of xy company and a list of ppl" order from the tax agency/court to the correct institutions and they are penniless.....


51 minutes ago, jagdtigger said:

They could if they wanted to. An official "freeze all assets of xy company and a list of ppl" order from the tax agency/court to the correct institutions and they are penniless.....

Or they're barking dawgs that don't bite. Too many businesses rely on fecesbook and thus, freezing all the assets would cause a lot of trouble. Even if they wanted to, they can't and won't.
