Meta could track your browser sessions even in incognito and link them with your real identity
Meta could track your browser sessions even in incognito and link them with your real identity
You just can't finish off Zuckerberg.
Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.
This is the process through which Meta (Facebook/Instagram) managed to link what you do in your browser (for example, visiting a news site or an online store) with your real identity (your Facebook or Instagram account), even if you never logged into your account through the browser or anything like that.
Meta accomplishes this through two invisible channels that exchange information:
(i) The Facebook or Instagram app running in the background on your phone, even when you’re not using it.
(ii) Meta’s tracking scripts (the now-pulled illegal brainchild uncovered last week), which operate inside your mobile web browser.
I am so happy that I deleted my account on Fecesbook back in 2019. Plus, I am blocking Meta through RethinkDNS. Can't be more happy!
Meta is cancer for any platform.
I feel my mobile becomes dirty once I download any of that shit.
Same Unfortunately, I use Marketplace for some things and Meta made it damn near impossible to use a browser for posting marketplace listings and responding to DM's
I live in a slightly less developed country where as far as 90% of the population are concerned, Facebook is the internet.
I hate it with a passion, but if I don't have a login then there's no way for me to find details of pretty much any business or event in the city.
I have my own company that helps companies websites. There is a company called 6sense that scares the crap out of me. They are able to use Facebook, insta, and reddit. They are able to assign an id to you, even in incog.
They have some crazy algorithm that can eventually match you to the real you. Then stick you in a cohort to sell to you.
Even if you use brave or Firefox. Doesn't matter.
It's actually kind of amusing and pathetic to me that they're doing all this malignant privacy breaching, and putting such massive effort into it, but then only using it to serve you advertising, which I largely ignore anyway.
Some people still think it's only advertising and that the advertisements don't work. That's even scarier.
I did a 'download all your data' on Facebook a while back and there wasn't anything about my tracked browser history. Does this mean they've also violated the "users should be able to see the data you have on them" article of the GDPR as well?
I'm guessing they're trying to hide behind weasel shit about the ids being anonymized or something as though it wasn't trivially easy for them to deanonymize....
I can't remember which one of my phones, probably a Samsung that had Facebook installed and couldn't get rid of it. People were like, you can just not open it or something. There's a good reason I don't want it on my device.
I had one of theirs like that. You could disable it instead of uninstall, and this wouldn't happen, but you couldn't uninstall it.
The real fun started with Android 12. Google introduced the ability for some preloaded apps to avoid being disabled and prevent ADB shell disable.
yup. some samsungs also have a hidden "meta services" app thats not uninstallable too.
I have a Samsung phone. I checked app cleaner to see if there are any meta services and there weren't any so I suppose I'm good.
Since January Google has been using browser fingerprinting and IP triangulation to track across incognito windows.
Meta wants in the game as well. Nothing done on a phone with Meta apps is done in isolation.
Edit: seems like only vanilla mobile browsers affected. Brave was not vulnerable, DDG minimally so, and I expect Iron/Waterfox with uBlock would also not have allowed tracking.
https://securityonline.info/androids-secret-tracking-meta-yandex-abused-localhost-for-user-data/
What is IP triangulation?
Let's say you use a VPN, and all your internet traffic comes from an IP in London. 178.238.10.1.
It doesn't matter if you have a VPN, if you log in to anything with any account tied to your real name (yourname@gmail.com), your email and anything done on that London IP are all linked. Google builds a profile on you based on the activity on that IP. AND your browser profile. Private/incognito window or not, if there's a Google tracker on the site, they connect it all. Google doesn't care about private windows. If you go to reddit in a private window on the same IP as your gmail, Google sees that and tracks every page you look at.
So let's say that you log into your email from work. Google now has a treasure trove of new info about you and people you know. Same for FB, who uses the fact that you and someone else were logged on from the same IP range to suggest new friends.
Let's pretend that you live in China and still have access to a VPN and want to learn about the Tienanmen Square Massacre. But the government can ask Google about you. What do you need?
- an IP never ever used with an account associated with an account with your real name.
- a no-log VPN that won't tattle on you if asked what sites did you access on a specific date.
- a browser fingerprint never ever associated with an account tied to your real name.
I block Meta via NextDNS, living that Zuck free life is good.
Or you could just not use their toxic bullshit. I haven't logged into Facebook in like 6 years.
Yeah, but they'll still create a shadow profile on you and track your data anyway. Have a friend with an account? Your name and phone number is known to them. Even without a true identity attached, they will track you from your own devices, and then correlate that with everything else they can at every opportunity.
Also, Facebook is preinstalled as a system app (cannot be uninstalled without adb) on various manufacturer's and carrier's android builds.
IIRC Facebook was not installed by default on my Samsung A32, and there is no trace of it now so I don't think I removed it. shrug Otherwise, use privacy features in your browser/on your device
friend
Lmao, y'all have friends? 🤣💀
Be brave, do it. I just did it a few months ago. Just push the trigger and delete it. Let it go. They will of course keep the data, but at least not legally anymore.
Who says any of my
stalkingOSInt accounts is my real identity?Edit: /s ofc. Who would use those crappy apps on phone anyway.
So would using Firefox and group containers protect against this?
Nah, the script connects to a server run by the Instagram or Facebook app and feeds it info, bypassing isolation mechanisms entirely. I think ublock or other script-blocking add-ons might work though.
It says Firefox was also affected. They just mention Brave as not being affected