Instagram's and TikTok's in-app browsers can spy on what we do on any website, and there is little we can do about it


Felix Krause, a researcher, has discovered that applications such as Instagram, Facebook or TikTok can potentially track anything we do on a web page viewed in the browser built into their mobile apps. Although Google and Apple are doing a great deal to limit how far an app or website can track us through cookies or identifiers, the reality is that technically there are parts that are beyond their control.

And these applications take advantage of something the mobile operating systems leave in their hands: the in-app browser. Unlike apps such as WhatsApp, Twitch, Spotify or Slack, which by default open links in the system browser (Chrome or Safari), TikTok and Instagram use their own browser. With it they can choose to leave the websites we visit untouched, or to modify their behaviour and/or appearance by injecting JavaScript. Let's see what that means.


Know every step you take on a website (and potentially collect it)


On the left we can see everything the code that Instagram injects can do. In the middle, we see how to avoid this tracking: by choosing to open the page in the system browser, in this case Safari. On the right, we see how the site opened in Safari detects no code injection, as expected.

If you are worried about what each in-app browser can do when you visit a website, Krause has created an open-source website with which we can check whether an app injects JavaScript code and what that code is able to detect on our screen. It is the site we used for the screenshots.

According to Krause, when we open a link sent to us by direct message on Instagram, for example, or when we tap an advert that interests us, the app's browser runs the JavaScript injection mentioned above.

At first Krause said the code did not do things like track the links we tapped, but he later adds that, after improving his JavaScript detection, he found it is capable of detecting every tap on a link, image or other element, as well as when a text field is selected.

The researcher also recalls that "the fact that an application injects JavaScript into external websites doesn't mean the app is doing something malicious". The problem is that we cannot know. What we do know is that in Safari, Chrome, or the browser extensions that apps can use to get the look of an integrated browser, these problems do not exist.

In its reply to Krause, Meta acknowledges that it is executing code. However, it argues that the JavaScript it injects (pcm.js) is used to respect user choices under App Tracking Transparency, the policy Apple has had since iOS 14.5 to prevent apps from tracking us.


This is everything Instagram could learn about a website through the code it injects, which does not mean that it actually collects it.

In the case of TikTok, Krause found that the social network can, through its in-app browser, see every text entry made on a web page opened in it. It can also see every button, link or image that is tapped on the screen, and it has a function that retrieves details about the elements that were tapped.
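The Instagram and TikTok findings above describe what injected JavaScript can observe (taps, text entry) and how Krause's site makes the injection visible. As an added example that is not Krause's tool or either app's code, here is how a site can audit its own page for scripts, globals and patched DOM APIs it never shipped; the allow-lists and sample inputs are constructed assumptions standing in for a real site's build manifest.

```javascript
// Added example, not Krause's tool or any app's code: a page auditing its own runtime.
// A site knows which scripts, inline code and globals it ships; anything else on the
// page is a candidate for JavaScript injected by an in-app browser (allow-lists assumed).
const OWN_SCRIPT_ORIGINS = new Set(['https://www.example.com']); // assumption
const OWN_INLINE_SCRIPTS = new Set(['window.siteConfig = {};']);  // assumption
const OWN_GLOBALS = new Set(['siteConfig']);                      // assumption

// True while fn still prints as native code, i.e. no script has replaced it
// (a script that also patches Function.prototype.toString can hide this).
function isNative(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}$/.test(Function.prototype.toString.call(fn));
}
// scripts: [{ src: string|null, text: string }], in a browser built from document.scripts.
function auditScripts(scripts) {
  return scripts.flatMap((s) => {
    if (!s.src) return OWN_INLINE_SCRIPTS.has(s.text.trim()) ? []
      : [{ kind: 'unknown-inline-script', detail: s.text.trim().slice(0, 60) }];
    let origin = null;
    try { origin = new URL(s.src).origin; } catch (e) { /* malformed src stays foreign */ }
    return OWN_SCRIPT_ORIGINS.has(origin) ? [] : [{ kind: 'foreign-script', detail: s.src }];
  });
}
// names: Object.getOwnPropertyNames(window); baseline: the same list from a clean
// window (e.g. an about:blank iframe) so that browser built-ins are not flagged.
function auditGlobals(names, baseline) {
  return names.filter((n) => !baseline.has(n) && !OWN_GLOBALS.has(n))
    .map((n) => ({ kind: 'unexpected-global', detail: n }));
}
// hooks: { label: fn } for DOM APIs a script must wrap to observe taps or typed
// text, e.g. EventTarget.prototype.addEventListener; any non-native one is flagged.
function auditHooks(hooks) {
  return Object.entries(hooks).filter(([, fn]) => !isNative(fn))
    .map(([label]) => ({ kind: 'patched-api', detail: label }));
}

// Constructed inputs standing in for a page opened inside an in-app browser.
function sampleAudit() {
  const scripts = [
    { src: 'https://www.example.com/static/app.js', text: '' },
    { src: null, text: 'window.siteConfig = {};' },
    { src: null, text: 'window.__tapLogger = function (e) {};' }, // simulated injected code
  ];
  const baseline = new Set(['window', 'document', 'addEventListener']);
  const hooks = { 'Array.prototype.push': Array.prototype.push,
                  'EventTarget.prototype.addEventListener': function patched() {} };
  return [...auditScripts(scripts),
          ...auditGlobals([...baseline, 'siteConfig', '__tapLogger'], baseline),
          ...auditHooks(hooks)];
}
```

In a real page the findings would be sent to the site's own telemetry rather than returned; a clean page in Safari or Chrome yields an empty list.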


As in the case of Instagram, we cannot know whether TikTok actually obtains the information it could obtain with such tools, or, if it does, what processing it applies to it. What we do know is that it has the ability to do so by not using the default browser and introducing its own modifications. According to Forbes, the company acknowledges that the functions exist and that it injects code, while stating that it does not use them. In the words of spokeswoman Maureen Shanahan:

"Like other platforms, we use an embedded browser in the app to provide an optimal user experience, but the JavaScript code in question is used only for debugging, troubleshooting, and performance monitoring of that experience, such as checking how fast a page loads or whether it fails."

As reported by Motherboard, a TikTok spokesperson told them the following:

"The report's conclusions about TikTok are incorrect and misleading. The researcher specifically says that the JavaScript code doesn't mean our app is doing anything malicious, and admits that he has no way of knowing what kind of data our in-app browser collects. Contrary to what the report states, we do not collect keystrokes or text input through this code, which is used solely for debugging, troubleshooting, and performance monitoring."


What can we users do?


Opening Instagram links in Safari or another browser is the way to avoid potential tracking by the app.

Given the possibility that what we do is being recorded, anyone who really cares about their privacy (or at least wants to protect it as far as possible) can open links outside the in-app browsers.

That is, when there is an "Open in Safari" or "Open in Chrome" button, the ideal is to use it, above all if the content we are about to view is more sensitive to us than the account itself. If there is no such option, the best thing is to copy the link and open it manually outside the app. Some applications let us choose which browser their links open in, but they are few.


Here is what Krause's tool tells us about TikTok's in-app browser.

The problem is that TikTok, for example, does not even offer an "Open in Safari" option, so its users have somewhat less room for action.

We at Xataka have contacted TikTok and Meta for their version of events. We will update the article when we receive a response.
