Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
arstechnica.com/security/2025/06/meta-and-yande…
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
You are willingly giving away your data if you are not blocking trackers in your web browser and android apps.
I recommend Firefox + uBlock Origin for the web browser, and apps like PersonalDNSFilter or the AdGuard Android app if you can get a license for HTTPS filtering.
I don't know that blocking trackers would solve this problem but it sounds like simply not installing the native apps would.
Meta and Yandex achieve the bypass by abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications. The functionality lets browsers send web requests to local Android ports to establish various services, including media connections through the RTC protocol, file sharing, and developer debugging.

A conceptual diagram representing the exchange of identifiers between the web trackers running on the browser context and native Facebook, Instagram, and Yandex apps for Android.
While the technical underpinnings differ, both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. Browsers access these ports without user notification. Facebook, Instagram, and Yandex native apps silently listen on those ports, copy identifiers in real time, and link them to the user logged into the app.
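The mechanism quoted above (a page script sending requests to a port that a native app has opened on 127.0.0.1) is what a "block localhost/localnet from web pages" filter of the kind the thread mentions is meant to stop. The block below is an added example, not code from the article, the thread, uBlock Origin or any browser: a request-target classifier that a browser or extension could run before a page script's fetch/XHR/WebSocket request goes out, treating loopback and local-network targets as blocked. The function names, the sample URLs and the ports in them are constructed for illustration and are not the endpoints or ports the article's apps used.

```javascript
// Added example (not from the Ars article, the thread, or any browser or
// extension project): classify a request target the way a
// "block localhost/localnet" filter must, so that tracker JavaScript on a web
// page cannot reach a port a native app opened on 127.0.0.1.
// Ports are deliberately ignored: the article names none, and an app can pick any.
'use strict';

// Loopback and local-network IPv4 ranges (CIDR) with the verdict returned for each.
const LOCAL_V4_RANGES = [
  ['127.0.0.0', 8, 'loopback'],
  ['0.0.0.0', 8, 'loopback'],      // "this host" address, also reaches local listeners
  ['10.0.0.0', 8, 'localnet'],     // RFC 1918
  ['172.16.0.0', 12, 'localnet'],  // RFC 1918
  ['192.168.0.0', 16, 'localnet'], // RFC 1918
  ['169.254.0.0', 16, 'localnet'], // link-local
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not a dotted quad.
function ipv4ToInt(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some(x => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, baseText, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(baseText) & mask) >>> 0);
}

// Returns 'loopback', 'localnet', 'localhost', 'remote' or 'invalid'.
// Anything but 'remote' is a block decision: unparseable input fails closed.
function classifyTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return 'invalid'; }
  // The WHATWG parser canonicalises IPv4 shorthand ("127.1", "2130706433",
  // "0x7f.0.0.1") to dotted form before we see it, so those evasions cost nothing.
  let host = url.hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1);
  if (host === 'localhost' || host.endsWith('.localhost')) return 'localhost';
  if (host === '::1') return 'loopback';
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is serialised by the parser as hex pieces.
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  const ip = mapped
    ? ((parseInt(mapped[1], 16) << 16) | parseInt(mapped[2], 16)) >>> 0
    : ipv4ToInt(host);
  if (ip === null) return 'remote'; // plain hostnames and other IPv6 are not local by this test
  for (const [base, bits, verdict] of LOCAL_V4_RANGES) {
    if (inCidr(ip, base, bits)) return verdict;
  }
  return 'remote';
}

// Split a list of request targets into what the filter blocks and what it lets through.
function partitionRequests(urls) {
  const blocked = [];
  const allowed = [];
  for (const u of urls) {
    const verdict = classifyTarget(u);
    if (verdict === 'remote') allowed.push(u);
    else blocked.push({ url: u, verdict });
  }
  return { blocked, allowed };
}

// Constructed sample of targets a page's scripts might request. None of these
// are real tracker endpoints, and the ports are made up for the example.
const SAMPLE_REQUESTS = [
  'https://example.com/pixel.js',
  'http://127.0.0.1:8765/?id=abc',
  'ws://localhost:5000/session',
  'http://[::1]:3000/',
  'http://2130706433/',          // decimal form of 127.0.0.1
  'http://[::ffff:127.0.0.1]/',  // IPv4-mapped IPv6
  'http://192.168.1.10/admin',
  'https://cdn.example.net/a.png',
  'not a url',
];

const report = partitionRequests(SAMPLE_REQUESTS);
for (const b of report.blocked) console.log(`BLOCK ${b.verdict.padEnd(9)} ${b.url}`);
for (const a of report.allowed) console.log(`ALLOW remote    ${a}`);
```

One caveat a practitioner should keep in mind: a filter over request URLs only sees the fetch/XHR/WebSocket path. The "RTC protocol" route the quoted passage mentions (WebRTC candidate traffic) reaches a loopback port without ever forming a URL, so that path needs its own control in the browser rather than a URL rule.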
Tsss... Firefox, NoScript, uBlock Origin and TrackerControl (via f-droid.org). Also actively cursing trackers' employees, their wives, children, houses and pets using traditional ancient Roman ban curses. (Yes, I am speaking Latin. And I do have a black cat.)
You're willingly giving your data away as soon as you buy a smartphone. Just using FF and UBO isn't doing anything to help that.
I'm baffled as to how you seem to believe these two things somehow are making your personal data untouchable. There is no reality that exists where you aren't giving up an enormous amount of personal data.
Those things only help make the web less annoying.
I'm not using any Meta or standard service to justify funneling any data from my side to them.
My setup blocks more trackers and ads than the average person's. I do not even see ads on my phone, be it on a website or in a native app. I reduce my reliance on Google to only what's needed. Others do not get it unless needed. This reduces data collection to a high degree.
This loophole for example did not touch my phone since ads and trackers are already blocked to a high degree.
This exploit involved Meta and Yandex apps running servers on your phone which Javascript embedded in trackers would communicate with. You'd have to both allow their trackers and have their apps installed to be affected.
Aaaaand...
You're still giving hoards of data away.
Until you realize how this is possible, you and I cannot have this conversation.
Well, I do need to exist to a certain degree in this world/society by giving away some data.
I'm already an outcast in a way that I do not use popular social media apps/websites most people use.
I can stop more data collection by installing Linux, AOSP, GrapheneOS with bare minimum apps from fdroid.
I could've done that but would be making my life more difficult for little gain.
Exactly. You get it.
Limiting the data being thrown out the window is doable. You'll see folks trying to "De-Google" which is understandable. But you're effectively changing the entire way you use the internet. So if that's something you're comfortable with, there's that.
Is this kind of thing why uBO added the localhost / localnet filter? Or does this go beyond that?
I think so.
Some browsers for Android have blocked the abusive JavaScript in trackers. DuckDuckGo, for instance, was already blocking domains and IP addresses associated with the trackers, preventing the browser from sending any identifiers to Meta. The browser also blocked most of the domains associated with Yandex Metrica. After the researchers notified DuckDuckGo of the incomplete blacklist, developers added the missing addresses.
Firefox with the EFF Privacy Badger extension.
That is all.
It's not all. Not by a long shot.
Any recommendations for additions to the arsenal?
It depends entirely on your threat model. Start with privacyguides.org
For anyone simply not wanting to have their data scooped up en mass, you still have to defeat IP triangulation, browser fingerprinting, and shadow profiling. Our data is extremely valuable to some people, and they go to great lengths to get it.
This assumes we have a Facebook app on the phone in order to work, right?
Facebook, Instagram or Yandex. The question is whether any other Meta app (e.g. WhatsApp) does the same.
It definitely was enough for me to get rid of WhatsApp. But I was kind of looking for an excuse
Would love to as well, but my Grandmas don't want to switch after finally learning how WhatsApp works
Yeah, my big one was a friend living overseas but I finally got it sorted and they're on signal now 😅
I don't use much of FB (or IG, Bluesky), but I always use them in the browser, even on the phone. I haven't any app installed for social media except Lemmy.
In my case they shouldn't be able to track me, right?
If you still think Meta is providing a service, there are likely mental crisis lines locally. I don't understand why anyone uses any of their platforms.
I don't understand why anyone uses any of their platforms.
The answer to this question about almost any shitty platform is almost always the network effect.
Leaving Meta's platforms means leaving where most of your friends and family spend their time digitally, which makes it harder to connect with the people you know. No one can collectively agree on an alternative platform to all simultaneously move to, so in most cases, leaving Meta practically means cutting yourself off from your entire social graph.
PieFed
It looks like Meta or Yandex apps must be installed for the exploit to work. Luckily I don't have any of those installed on my Android devices.
The point is any app could do this.
I'm glad this is being reported. If the phone has a tattle tale it will be abused
This is exactly what discord does. If you ever wondered how the f* a discord link pops open discord without you giving permission, it's this.
The solution is to not allow localhost connections from the web browser, or to use a SOCKS5 proxy.