Overview:
The web page https://localmess.github.io/ discloses a previously undocumented and highly invasive tracking technique used by Meta (Facebook/Instagram) and Yandex that affected billions of Android users. Researchers [4] discovered that this method covertly linked users' mobile web browsing sessions to their identities in native apps, bypassing standard privacy protections. The practice was active until early June 2025, when both Meta and Yandex, after being caught with their hands in the proverbial PII cookie-jar, ceased these behaviors following public disclosure [1][2][3].
Key Findings
1. Covert Web-to-App Tracking via Localhost on Android
· Meta and Yandex embedded scripts (Meta Pixel and Yandex Metrica) on millions of websites.
· When a user visited such a site in a mobile browser on Android, the script would communicate directly with native apps (like Facebook, Instagram, or Yandex Maps) installed on the same device.
· This communication happened via localhost sockets: loopback network ports on the device that let a web page's script running in the browser reach a native app listening in the background, without user knowledge or consent [1][3].
2. How the Tracking Worked
· Meta Pixel:
o The Meta Pixel JavaScript sent the browser’s _fbp cookie (used for advertising and analytics) to Meta apps via WebRTC (using STUN/TURN protocols) on specific UDP ports (12580–12585).
o Native Facebook and Instagram apps listened on these ports in the background, received the _fbp value, and linked it to the user’s app identity, effectively de-anonymizing web visits [1][3].
o This bypassed protections like cookie clearing, incognito mode, and Android permission controls.
· Yandex Metrica:
o Yandex’s script sent HTTP/HTTPS requests with tracking data to localhost ports (29009, 29010, 30102, 30103), where Yandex apps listened.
o The apps responded with device identifiers (e.g., Android Advertising ID), which the script then sent to Yandex servers, bridging web and app identities [1].
3. Privacy and Security Implications
· This method allowed companies to:
o Circumvent privacy mechanisms such as incognito mode, cookie deletion, and even Android’s app sandboxing.
o Link browsing habits and cookies with persistent app/user identifiers, creating a cross-context profile of the user.
o Potentially expose browsing history to any third-party app that listened on those ports, raising the risk of malicious exploitation [1][3].
4. Prevalence
· Meta Pixel was found on over 5.8 million websites; Yandex Metrica on nearly 3 million.
· In crawling studies, thousands of top-ranked sites were observed attempting localhost communications, often before users had given consent to tracking cookies [1].
5. Timeline and Disclosure
· Yandex has used this technique since 2017; Meta adopted similar methods in late 2024.
· Following responsible disclosure to browser vendors and public reporting in June 2025, both companies stopped the practice. Major browsers (Chrome, Firefox, DuckDuckGo, Brave) have since implemented or are developing mitigations to block such localhost abuse [1][3].
Technical Details
Aspect | Meta/Facebook Pixel | Yandex Metrica
Communication Method | WebRTC STUN/TURN to UDP ports (12580–12585) | HTTP/HTTPS requests to TCP ports (29009, 29010, 30102, 30103)
Data Shared | _fbp cookie, browser metadata, page URLs | Device IDs (AAID), browser metadata
Apps Involved | Facebook, Instagram | Yandex Maps, Browser, Navigator, etc.
User Awareness | None; bypassed consent and privacy controls | None; bypassed consent and privacy controls
Platform Affected | Android only (no evidence for iOS or desktop) | Android only (no evidence for iOS or desktop)
Risk of Abuse | High: enables de-anonymization, history leakage | High: enables de-anonymization, history leakage
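As an added defender-side check (not code from the localmess page or the researchers), the script below parses listener output of the kind produced by `ss -tulnp` and flags processes listening on the ports documented in the "How the Tracking Worked" section and the table above: UDP 12580–12585 (the Meta Pixel WebRTC channel) and TCP 29009, 29010, 30102, 30103 (the Yandex Metrica HTTP channel). The column layout, the sample output and the process names are assumptions constructed for this example.

```python
import re

# Localhost ports documented in the localmess research (see the table above).
META_PIXEL_UDP_PORTS = set(range(12580, 12586))        # WebRTC STUN/TURN, Meta apps
YANDEX_METRICA_TCP_PORTS = {29009, 29010, 30102, 30103}  # HTTP/HTTPS, Yandex apps
# A socket bound to any of these addresses is reachable from the loopback interface.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0", "::", "*"}

# One line of `ss -tulnp`-style output; the exact column layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=\d+[^)]*\)\))?'
)

def classify(proto, port):
    """Name the documented tracking channel a (protocol, port) pair matches, or None."""
    if proto == "udp" and port in META_PIXEL_UDP_PORTS:
        return "meta-pixel-webrtc"
    if proto == "tcp" and port in YANDEX_METRICA_TCP_PORTS:
        return "yandex-metrica-http"
    return None  # e.g. TCP on 12580 is not the documented pattern

def find_localhost_trackers(ss_output):
    """Return (proto, addr, port, process, channel) for each loopback-reachable
    listener on a documented tracking port, in input order."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unrecognised line
        port = int(m.group("port"))
        channel = classify(m.group("proto"), port)
        if channel is None:
            continue
        addr = m.group("addr").strip("[]").split("%")[0]  # drop IPv6 brackets / zone id
        if addr in LOOPBACK:
            findings.append((m.group("proto"), addr, port,
                             m.group("proc") or "<unknown>", channel))
    return findings

# Constructed sample output; process names are placeholders, not real package names.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:12580    0.0.0.0:*         users:(("facebook-app",pid=4211,fd=88))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("mdnsd",pid=901,fd=7))
tcp   LISTEN 0      128    127.0.0.1:29009    0.0.0.0:*         users:(("yandex-maps-app",pid=5102,fd=33))
tcp   LISTEN 0      128    [::1]:30102        [::]:*            users:(("yandex-browser-app",pid=5230,fd=40))
tcp   LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("dev-server",pid=6010,fd=12))
"""
```

Calling `find_localhost_trackers(SAMPLE_SS_OUTPUT)` returns the three matching listeners; on a real device, feed it the output of `ss -tulnp` (or an equivalent listener listing reformatted to these columns) instead of the constructed sample.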
Broader Implications
· Bypassing Privacy Controls: This method undermined the effectiveness of cookie controls, incognito/private browsing, and Android’s app isolation, showing that even sophisticated privacy tools can be circumvented by creative inter-app communications [1][3].
· Need for Platform-Level Fixes: Browser and OS vendors are now patching this specific exploit, but the underlying issue—unrestricted localhost socket access—remains a systemic risk on Android. The researchers call for stricter platform policies and user-facing controls for localhost access [1].
· User and Developer Awareness: Most website owners were unaware their sites enabled this tracking. End-users had no indication or control over the process. The lack of transparency and documentation from Meta and Yandex is highlighted as a major concern [1].
Conclusion
The research revealed a disturbing tracking vector that allowed Meta and Yandex to link users’ web and app identities on Android at a massive scale, defeating standard privacy safeguards. The disclosure led to rapid mitigation, but the incident underscores the need for deeper systemic changes in how browsers and mobile platforms handle inter-app communications and tracking [1][2][3]. “This tracking method defeats Android's inter-process isolation and tracking protections based on partitioning, sandboxing, or clearing client-side state.” [1]
1. https://localmess.github.io
2. https://www.grc.com/sn/sn-1029-notes.pdf
3. https://gigazine.net/gsc_news/en/20250604-meta-yandex-tracking/
4. Researchers and authors of the localmess GitHub page: Aniketh Girish (PhD student), Gunes Acar (Assistant Professor), Narseo Vallina-Rodriguez (Associate Professor), Nipuna Weerasekara (PhD student), Tim Vlummens (PhD student).
Note: Perplexity.AI was used to assist in preparing this report.