Meta-owned photo-sharing platform Instagram is capable of tracking its users' actions, text choices and even text input, such as passwords and confidential credit card information, if they visit a link inside the app, says a new report.

The analysis conducted by Felix Krause found that both Instagram and Facebook on iOS use their own in-app browser rather than the one offered by Apple for third-party apps.

Most apps use Apple's Safari for loading websites, but Instagram and Facebook have been using their own in-app browser to load websites within the app, reports MacRumors.

With their custom-built browser, still based on WebKit, Instagram and Facebook inject a tracking JavaScript code-named "Meta Pixel" into all links and websites shown. With that code, Meta has total freedom to track users' interactions without their explicit consent, Krause found.


This allows Instagram to monitor everything happening on external websites without the user's consent, or the website provider's, the report said.

The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them to monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses, and credit card numbers.


As Krause pointed out, it takes reasonable effort for companies like Meta to develop and maintain their own in-app browser rather than use Apple's built-in Safari.

On its developer portal, Meta claims "Meta Pixel" is designed to "track visitor activity on your website" by monitoring all events a user does within their custom-built browser. There is no evidence that Meta, which owns Instagram, has actively gathered the user data it is capable of collecting.