Meta Bypassed Privacy Protections to Track Android Users
A recent investigation by cybersecurity researchers has revealed that tech giants Meta (formerly Facebook) and Yandex have been exploiting a fundamental design feature of the Android operating system—the ability for apps to listen on localhost ports—to covertly track users’ web activity and link it to their real identities.
The discovery has raised significant privacy concerns and prompted swift action from browser developers and platform owners.
How the Tracking Mechanism Works
The tracking technique centers on the use of “localhost” or the loopback interface (127.0.0.1), which allows a device to communicate with itself.
On Android, any app with the INTERNET permission can open a listening socket on the loopback interface.
This feature is typically used by developers for legitimate purposes, such as debugging, but Meta and Yandex repurposed it for user tracking.
When a user visits a website that embeds either the Meta Pixel or Yandex Metrica tracking script, the script loads in the browser and silently connects to native apps running on the same device through localhost sockets.
The native apps—such as Facebook, Instagram, Yandex Maps, and Yandex Browser—listen on specific ports for these connections.
For example, Meta apps listened on UDP ports 12580–12585, while Yandex apps used TCP ports 29009, 29010, 30102, and 30103.
The scripts transmit browser metadata, cookies, and commands to these ports. In the case of Meta, the _fbp cookie is sent using WebRTC (specifically STUN and later TURN protocols), with the cookie value inserted into the SDP “ice-ufrag” field.
This allows the app to receive the cookie and link it to the user’s persistent app identity, effectively de-anonymizing the user’s web activity.
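A defender-side check for the mechanism described above, added here as an example and not part of the original report: it parses `ss -lntup`-style socket listings (the constructed sample below imitates output from an Android shell; the Facebook package name and pids are assumed for illustration) and flags processes bound to the loopback interface on the UDP range attributed to Meta Pixel and the TCP ports attributed to Yandex Metrica.

```python
import re
from typing import List, Tuple

# Ports named in the research findings summarised in the article.
META_UDP_PORTS = set(range(12580, 12586))        # 12580-12585
YANDEX_TCP_PORTS = {29009, 29010, 30102, 30103}

# Constructed sample in iproute2 `ss -lntup` layout (not a real capture).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:12580    0.0.0.0:*         users:(("com.facebook.katana",pid=4123,fd=88))
udp   UNCONN 0      0      127.0.0.1:5353     0.0.0.0:*         users:(("com.android.nfc",pid=900,fd=12))
tcp   LISTEN 0      50     127.0.0.1:29009    0.0.0.0:*         users:(("ru.yandex.yandexmaps",pid=5120,fd=61))
tcp   LISTEN 0      50     0.0.0.0:5555       0.0.0.0:*         users:(("adbd",pid=230,fd=7))
tcp   LISTEN 0      50     [::1]:30103        [::]:*            users:(("com.yandex.browser",pid=5301,fd=40))
"""

# proto, local address, port, then whatever process column is present.
LINE_RE = re.compile(
    r'^(?P<proto>udp|tcp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$'
)
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def is_loopback(addr: str) -> bool:
    """True for IPv4 127.0.0.0/8 and IPv6 ::1 (with or without brackets)."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def audit_loopback_listeners(ss_output: str) -> List[Tuple[str, str, int, str]]:
    """Return (process, proto, port, reason) for loopback listeners on the abused ports."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrecognised line
        proto, addr, port = m.group("proto"), m.group("addr"), int(m.group("port"))
        if not is_loopback(addr):
            continue  # only loopback listeners are relevant to this technique
        pm = PROC_RE.search(m.group("proc"))
        proc = pm.group(1) if pm else "unknown"  # process column needs root on Android
        if proto == "udp" and port in META_UDP_PORTS:
            findings.append((proc, proto, port, "Meta Pixel UDP range"))
        elif proto == "tcp" and port in YANDEX_TCP_PORTS:
            findings.append((proc, proto, port, "Yandex Metrica TCP port"))
    return findings

if __name__ == "__main__":
    for proc, proto, port, reason in audit_loopback_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc} listens on {proto}/{port} (loopback): {reason}")
```

On a real device, feed it the output of `adb shell ss -lntup`; the process column is only populated when the shell has sufficient privileges, so an unprivileged run still reports the port but labels the owner "unknown".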
Technical Details and Risk Vectors
The tracking method is highly sophisticated and bypasses typical privacy protections. For instance, it works even if a user is in Incognito Mode or clears their cookies.
The technique also violates the expectation that first-party cookies—like the _fbp cookie—should not be used to track users across different websites.
By linking these ephemeral web identifiers to long-lived mobile app IDs, Meta and Yandex can create a persistent profile of a user’s browsing habits.
Moreover, the use of HTTP requests for web-to-native ID sharing exposes users to additional risks.
Any malicious app listening on the same ports can intercept these requests and harvest browsing history.
Researchers demonstrated this by creating a proof-of-concept app that successfully captured the URLs of visited sites, even in private browsing modes.
Popular browsers like Chrome, Firefox, and Edge were found to be vulnerable, while Brave and DuckDuckGo were largely protected due to their blocklist-based defenses.
Below is a summary table of the affected Yandex apps and the ports they listen on:

| Yandex App | Package Name | Tested Version | Ports Used |
|---|---|---|---|
| Yandex Maps | ru.yandex.yandexmaps | 23.5.0 | 29009, 30102 |
| Yandex Navigator | ru.yandex.yandexnavi | 23.5.0 | 29009, 30102 |
| Yandex Browser | com.yandex.browser | 25.4.1.100 | 29010, 30103 |
| Yandex Search | com.yandex.searchapp | 25.41 | 29010, 30103 |
| Metro in Europe — Vienna | ru.yandex.metro | 3.7.3 | 29009, 30102 |
| Yandex Go: Taxi Food | ru.yandex.taxi | 5.24.1 | 29009, 30102 |
Industry Response and Next Steps
Following the public disclosure of these findings, Meta and Yandex have paused their use of this tracking technique.

As of June 3, 2025, the Meta Pixel script has stopped sending data to localhost, and the tracking code has been largely removed.
Yandex has also ceased the practice.
Meta stated that it is working with Google to resolve any policy issues and has paused the feature while discussions are ongoing.
Browser vendors have responded by implementing countermeasures. Chrome version 137, released on May 26, 2025, blocks the abused ports and disables the specific form of SDP munging used by Meta Pixel.
Firefox plans to block the relevant ports in version 139.
Brave and DuckDuckGo already have protections in place, with Brave requiring user consent for localhost communications and DuckDuckGo using a blocklist.
Despite these short-term fixes, the researchers emphasize the need for broader platform-level changes.
They recommend stronger user-facing controls for localhost access, stricter platform policies, and enhanced security around Android’s interprocess communication mechanisms.
The discovery of this novel tracking method highlights the ongoing challenges in balancing user privacy with the technical capabilities of modern operating systems.
While Meta and Yandex have paused their activities for now, the incident underscores the need for continuous vigilance and proactive security measures to protect users from increasingly sophisticated forms of tracking.
The research team, including Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens, has called for greater transparency and accountability from tech companies and platform providers to ensure that user data is not misused in the future.