Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Does anyone know if there's additional sandboxing of local ports happening for apps running in Private Space?
E: Checked myself. Can access servers in Private Space from non-Private Space browsers and vice versa. So Facebook installed in Private Space is no bueno. Even if the time to transfer data is limited since Private Space is running for short periods of time, it's likely enough to pass a token while browsing some sites.
Meta should be broken up and its leadership barred from working in tech (or politics)
and its leadership barred
from working in tech (or politics)
Well, it's always been a cat and mouse game.
Just earlier today, I got a pop-up on YouTube about how they would block me after 3 videos because I use an ad blocker. Jump to now and everything is fine again. Thank you, uBlock Origin!
I've been on Librewolf for a couple of years and yt is nagging me about ad blockers not being allowed, suddenly. Are they going to black screen me again?
they still try that?
i can't remember the last time i have seen one of those warnings.
The business cycle dictates that companies try to re-implement bad ideas every six months to two years.
If the idea was good, they'd have implemented it and made their money. Only bad ideas are still ripe for exploitation and new economic growth, because you haven't had someone as smart as me to make them work right.
Google doesn't do global roll outs with their updates. The anti adblock stuff especially. They target only some % of randomly selected users to spread confusion online, and I would guess their hope is to frustrate people into disabling ad blockers on Youtube after reading a bunch of misinformation and placebo bad advice when looking for tech support.
Fair warning: Last week one of my accounts was seemingly shadowbanned, and now gets "This content isn't available" on every video.
Logging out plays videos, making a new brand account worked, etc. and no notification from youtube.
You were shadowbanned for watching youtube in a web browser with adblock? Sounds excessive.
If you happen to use BlockTube, disable it. It's currently triggering the adblock detection.
Useless article, but at least they link the source: https://localmess.github.io/
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.
These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.
📢 UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.
Thanks for the update, pitchforks down people. Let's go back to blindly trusting these anti consumer cabals.
I almost didn't copy the update because my focus was on the technical background. I did a double-check before submitting, if I caught the gist correctly, and decided that people would probably want to know that the report triggered that change.
Not surprising, it's always expected from tech corporations, where at the end of the day it's profit and favor with conservative politicians. If they're not trying to use information gathered on people to bad government looking to cut costs ("saving taxpayers' money") by removing minority beneficiaries, they love to shove content you don't even want.
Why I never use my real name online.
laughs in adguard
De-anonymising Yandex
Me: Ha! Good thing I am not Russian!
De-anonymising Meta
Me: Damn..and it is hard for me to let go because my social circle use Meta-owned social media and couldn't care less about privacy....I am toast...
I used to be in your situation and one day I just told everyone I was leaving and if they want to contact me they would have to use Signal. You can't change most people's minds and Meta knows it, that's how they keep their monopoly
We found that browsers such as Chrome, Firefox and Edge are susceptible to this form of browsing history leakage in both default and private browsing modes. Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost; and DuckDuckGo was only minimally affected due to missing domains in their blocklist.
Aside from having uBlock Origin and not having any Meta/Yandex apps installed, anyone aware of additional Firefox settings that could help shut this nonsense down?
I know that people here generally like to shit on Brave, but it seems that the claim "Privacy by default" has held up in this context.
Isn't that Proton's tagline?
I feel like that's all you need. You don't have their apps installed, so the problem is already solved. If you use uBlock Origin to block their trackers, the problem is solved. So you've solved it twice.
Yes and no, I've treated the symptoms, but not the problem. All it takes is a trillion dollar company buying a new domain every once in a while to foil uBlock, and now that it's more known, anyone can create an an app that opens ports and listens for trackers.
Would love it if Firefox would let me block all requests to localhost.
Are you suggesting something like LineageOS is a better choice?
(Seriously asking: I've got a new-to-me Pixel that I'm looking to switch to a degoogled-ish ROM on, and Graphene and Lineage were the two front-runners.)
If it's a Pixel anyway, GrapheneOS has a few nice security and privacy features that LineageOS doesn't have (yet?).
I think both are pretty great and much better than most alternates.
I'm running Graphene and I'm very happy with it.
Phew, glad i dodged that bullet by buying an iphone. (/s)
Its russian, i've never used it and never will. Surprised so many 🏴☠️'s advocated for it..