Meta found 'covertly tracking' Android users through Instagram and Facebook
Meta found 'covertly tracking' Android users through Instagram and Facebook
Google says Meta and search engine company Yandex used Android capabilities "in unintended ways that blatantly violate our security and privacy principles".
How were they doing this, technically speaking? The article is devoid of practically anytechnical detail
Better link? https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
Meta and Yandex achieve the bypass by abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications. The functionality lets browsers send web requests to local Android ports to establish various services, including media connections through the RTC protocol, file sharing, and developer debugging.
While the technical underpinnings differ, both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. Browsers access these ports without user notification. Facebook, Instagram, and Yandex native apps silently listen on those ports, copy identifiers in real time, and link them to the user logged into the app.
Yes, thank you.
They used a protocol called WebRTC that allows for establishing direct P2P connections to establish a connection to the Facebook app running on your phone. The FB app knew your identity so it was able to link your in browser actions with your FB identity.
Can we get mobile companies to start treating Facebook’s apps as threat vectors?
North Korea phone: Oh no they track you
Every US company: Yay I need my data stealing app to know who I'm mad at
There's a difference between companies stealing data to sell or target ads to you and the government tracking everything you do so they can black bag you if you're too subversive. Neither is great but uninstalling Facebook isn't that hard.