Meta and Yandex Exploited Android Loophole to Track Users Across Browsers and Apps
Meta and Yandex have been found to exploit a loophole in Android's architecture, enabling them to de-anonymize users' web browsing activities by linking them to persistent app identities. This tracking method bypasses standard privacy protections, including incognito mode and cookie clearing, raising significant concerns about user privacy.
Researchers from Radboud University, IMDEA Networks, and KU Leuven discovered that Meta's Pixel and Yandex's Metrica tracking scripts, embedded in millions of websites, communicate with their respective Android apps via the device's localhost interface. This communication allows the apps to receive browsing data directly from the browser, effectively linking web activity to user identities within the apps.
The tracking mechanism operates by having the browser-based scripts send data to specific ports on the localhost interface, where the apps are listening. For instance, Meta's apps listen on UDP ports 12580–12585, while Yandex's apps use ports 29009, 29010, 30102, and 30103. This setup enables the apps to collect browsing data, including cookies and metadata, even when users employ privacy measures like incognito mode or VPNs.
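One way a defender can check a device for this pattern is to look for sockets bound to loopback on the ports the article names. The following is an added example, not code from the article or the researchers: it parses rows in the format of Linux/Android `/proc/net/udp` and `/proc/net/tcp` (hex `address:port`, hex state, decimal uid) and flags listeners on those ports. It assumes a little-endian device, so the IPv4 field appears byte-reversed, and the sample rows are constructed; the article does not state Yandex's transport, so both UDP and TCP rows are checked.

```python
"""Flag loopback sockets on the ports the article attributes to Meta and Yandex apps."""
from collections import namedtuple

# Ports from the article: Meta apps on UDP 12580-12585; Yandex apps on 29009, 29010, 30102, 30103.
WATCHED_PORTS = {
    **{p: "meta" for p in range(12580, 12586)},
    **{p: "yandex" for p in (29009, 29010, 30102, 30103)},
}
BOUND_TO_LOCAL = {"127.0.0.1", "0.0.0.0"}   # loopback or wildcard bind
TCP_LISTEN = 0x0A                            # st column value for a listening TCP socket

Listener = namedtuple("Listener", "proto ip port state uid vendor")

def parse_proc_net(text, proto):
    """Yield (proto, ip, port, state, uid) for each socket row; the header line is skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        hex_addr, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so 127.0.0.1 is printed as 0100007F.
        raw = int(hex_addr, 16)
        ip = ".".join(str((raw >> (8 * i)) & 0xFF) for i in range(4))
        yield proto, ip, int(hex_port, 16), int(fields[3], 16), int(fields[7])

def flag_listeners(udp_text, tcp_text):
    """Return sockets on watched ports that a browser on the same device could reach."""
    hits = []
    for proto, text in (("udp", udp_text), ("tcp", tcp_text)):
        for proto, ip, port, state, uid in parse_proc_net(text, proto):
            if proto == "tcp" and state != TCP_LISTEN:   # ignore established/closing TCP sockets
                continue
            if port in WATCHED_PORTS and ip in BOUND_TO_LOCAL:
                hits.append(Listener(proto, ip, port, state, uid, WATCHED_PORTS[port]))
    return hits

# Constructed sample rows (not captured from a real device). Row 1 of UDP is a Meta-range port,
# row 0 of TCP is a Yandex port in LISTEN; the other rows are noise that must not be flagged.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10231        0 48211 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 1234 2 0000000000000000 0
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7151 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10288        0 51002 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7596 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000 10288        0 51010 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for hit in flag_listeners(SAMPLE_UDP, SAMPLE_TCP):
        print(f"{hit.proto} {hit.ip}:{hit.port} uid={hit.uid} matches {hit.vendor} port list")
```

The uid column is what ties a socket to an installed app (Android assigns app uids from 10000 upward), so it is the value to resolve against the package manager; a port match alone is only a lead, since any app can bind these numbers.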
Meta began implementing this method in September 2024, while Yandex has utilized a similar approach since 2017. The widespread use of Meta Pixel and Yandex Metrica—estimated to be present on 5.8 million and 3 million websites respectively—suggests that a vast number of Android users could be affected.
The discovery has prompted responses from major browser developers. Google has initiated an investigation and is working on mitigations to prevent such tracking techniques. Mozilla is also developing solutions to protect Firefox users on Android from this invasive tracking. Meta has paused the functionality in question and is in discussions with Google to address the issue.
Privacy advocates and experts have expressed alarm over the findings. The method's ability to circumvent standard privacy controls and its potential to be used by malicious actors for surveillance underscore the need for stricter enforcement of privacy standards and greater transparency from tech companies regarding data collection practices.