The analysis suggests that every time a user clicks on a link in the app, the app will be able to see all of that user's interactions, text selections, and even private credit card details.
According to an analysis done by Felix Krause, both Facebook and Instagram use their own in-app browsers, rather than the one offered by Apple. Most apps use Apple's Safari for loading websites, but Facebook and Instagram have their own browsers that load websites within the app.
The in-app browser, which is still based on WebKit, injects a tracking JavaScript code named "Meta Pixel" into all links and websites shown. This gives Meta the freedom to track users' interactions without their consent.
This allows Instagram to monitor everything happening on external websites without the consent of the user or the website provider.
The Instagram app injects its tracking code into every website shown, including when clicking on ads, enabling it to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.
It takes a reasonable amount of effort for companies like Meta to develop and maintain their own in-app browser instead of using Apple's built-in Safari. On its developer portal, Meta claims it has a tool called "Meta Pixel" that can be used to monitor visitor activity on your website. There is no evidence that Meta has actually gathered the user data it is able to collect. The author writes:
Does Facebook actually steal my passwords, address and credit card numbers? No! I didn't prove the exact data Instagram is tracking, but wanted to showcase the kind of data they could get without you knowing. As shown in the past, if it's possible for a company to get access to data for free, without asking the user for permission, they will track it.
This practice is not in line with Apple's policy. All apps must ask for user consent before they can track users.
Meta has resisted Apple's goal of giving users a choice on whether or not they want to be tracked. Meta took out a full-page newspaper ad in December of 2020 attacking Apple. According to Krause, Meta said it had confirmed the issue but has not responded since. He gave Meta a warning before going public with his findings.