Security Risks of Embedded Browsers in Facebook and Instagram
Security researcher Felix Krause reveals that Facebook and Instagram use embedded browsers in their apps to track user activity on third-party sites, posing privacy risks. This article examines how these browsers work, the information they collect, and how Apple’s ATT helps to protect iOS users' data.
2024-01-18
'%3e%3cpath%20d='M4%204L15.733%2020H20L8.267%204H4Z'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3cpath%20d='M4%2020L10.768%2013.232M13.228%2010.772L20%204'%20stroke='%230671C0'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_8149_16006'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M5.37214%2023.8745H0.396429V8.10162H5.37214V23.8745ZM2.88161%205.95006C1.29054%205.95006%200%204.65279%200%203.08658C1.13882e-08%202.33427%200.303597%201.61278%200.844003%201.08082C1.38441%200.548853%202.11736%200.25%202.88161%200.25C3.64586%200.25%204.3788%200.548853%204.91921%201.08082C5.45962%201.61278%205.76321%202.33427%205.76321%203.08658C5.76321%204.65279%204.47214%205.95006%202.88161%205.95006ZM23.9946%2023.8745H19.0296V16.1963C19.0296%2014.3665%2018.9921%2012.0198%2016.4427%2012.0198C13.8557%2012.0198%2013.4593%2014.0079%2013.4593%2016.0645V23.8745H8.48893V8.10162H13.2611V10.2532H13.3307C13.995%209.01393%2015.6177%207.70611%2018.0386%207.70611C23.0743%207.70611%2024%2010.9704%2024%2015.2102V23.8745H23.9946Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24588'%3e%3crect%20width='24'%20height='27'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
'%3e%3cpath%20d='M13.957%2014.75L14.668%2010.0848H10.2225V7.05745C10.2225%205.78115%2010.8435%204.53707%2012.8345%204.53707H14.8555V0.565174C14.8555%200.565174%2013.0215%200.25%2011.268%200.25C7.60703%200.25%205.21403%202.48441%205.21403%206.52931V10.0848H1.14453V14.75H5.21403V26.0278H10.2225V14.75H13.957Z'%20fill='%230671C0'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_3867_24590'%3e%3crect%20width='16'%20height='25.7778'%20fill='%234A4D53'%20transform='translate(0%200.25)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
How Facebook and Instagram’s Embedded Browsers Put Your Privacy at Risk
Facebook and Instagram applications use embedded browsers that automatically open when you click on external links, displaying web pages within the app instead of in a separate browser like Safari or Chrome. This practice, which was highlighted by security researcher Felix Krause, allows Facebook and Instagram to track your online activity on third-party websites, presenting significant privacy risks.
Why Embedded Browsers are Used
Typically, when you click on a link within an app, it opens in a default web browser. However, Facebook and Instagram create a built-in browsing experience by embedding an internal browser to display these sites. While this approach offers a seamless in-app experience, it also allows the apps to run custom JavaScript code on any third-party websites you visit through these browsers. This technique lets the host app observe user interactions such as clicks, scrolls, and even sensitive input like credit card information.
What Information Facebook and Instagram Can Track
When using the in-app browser, Facebook and Instagram gain the ability to monitor a wide range of user interactions, including:
- Passwords entered on login pages,
- Home addresses or other sensitive details filled out in forms,
- Credit card information during online purchases,
- On-screen selections or menus clicked, and
- Text inputs in any form fields.
This capability allows Facebook and Instagram to collect extensive user data, tracking your digital footprint across different websites without requiring your explicit consent.
The Role of JavaScript in Data Collection
Facebook and Instagram achieve this data collection by injecting JavaScript code into the web pages loaded through their embedded browsers. This script can track user interactions on these external sites. Any data entered on a page viewed in the in-app browser can potentially be captured and sent back to Facebook or Instagram, allowing them to collect data about your browsing habits and behavior.
For example, if you click on an ad within Instagram and complete a purchase on the advertiser’s website, Facebook may collect information about that transaction directly through the embedded browser.
Apple’s Response: App Tracking Transparency (ATT)
To protect user privacy, Apple released the App Tracking Transparency (ATT) framework in 2021, requiring iOS apps to request user consent before tracking their data across other apps and websites. This feature, introduced in iOS 14.5, is a critical safeguard against unwanted tracking. With ATT, iOS users must be prompted by apps to allow tracking, giving them greater control over their data.
How ATT Works to Block Data Collection
ATT requires that apps:
- Request permission from users before tracking them across third-party websites.
- Offer transparency about the types of data they wish to collect and for what purpose.
If a user declines tracking, iOS restricts the app’s ability to gather data about their activity on other sites, providing users with more control over their privacy.
Despite ATT, however, Facebook and Instagram can still track user interactions within their embedded browsers, as this monitoring occurs directly in the app rather than across external applications. Therefore, while ATT mitigates some privacy concerns, embedded browsers remain a loophole for in-app data collection.
How to Protect Yourself from In-App Browser Tracking
Given the potential privacy risks, here are some steps to safeguard your data when using apps like Facebook and Instagram:
- Avoid clicking on external links within the app if possible.
- Copy links and open them in a separate browser like Safari or Chrome.
- Use iOS settings to manage permissions, opting out of app tracking requests when prompted.
- Stay informed about how apps collect and use data by regularly reviewing app privacy policies
While ATT has provided a layer of protection against cross-app tracking, users must still be vigilant about data collection practices within in-app browsers. This proactive approach can help limit the data that social media platforms can gather from your interactions.
Editor’s note: This blog was updated November 13, 2024
SHARE ON