Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

arstechnica.com/security/2025/06/meta-and-yande…

Fascinating read.
Please STOP using META products and services...

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.


14 Comments

This assumes we have a Facebook app on the phone in order to work, right?

Facebook, Instagram or Yandex. Question is if any Meta App (eg WhatsApp) does the same

It definitely was enough for me to get rid of WhatsApp. But I was kind of looking for an excuse

Would love to as well, but my Grandmas don't want to switch after finally learning how WhatsApp works

Yeah, my big one was a friend living overseas but I finally got it sorted and they're on signal now 😅

WhatsApp is the more difficult one because some use it for work.

Then probably you can use an aggregator like Franz.

Never tested, but I guess you can throw the Meta app away then.

Edit:
It seems Franz is intended for desktop; Snowball should do the job.

I don't use much of Fb (or Ig, BlueSky), but I always use them in the browser, even on the phone. I don't have any app installed for social media except Lemmy.

In my case they shouldn't be able to track me, or?

Samsung phones come with Facebook services pre-installed, with no way to remove it.

I guess you can deactivate them.

Yeah, but then their spyware is still on your storage.

One of the things that pushed me into the loving arms of GrapheneOS actually.

If you still think Meta is providing a service, there are likely mental crisis lines locally. I don't understand why anyone uses any of their platforms.

I don't understand why anyone uses any of their platforms.

The answer to this question about almost any shitty platform is almost always the network effect.

Leaving Meta's platforms means leaving where most of your friends and family spend their time digitally, which makes it harder to connect with the people you know. No one can collectively agree on an alternative platform to all simultaneously move to, so in most cases, leaving Meta practically means cutting yourself off from your entire social graph.

Comments from other communities

It looks like Meta or Yandex apps must be installed for the exploit to work. Luckily I don't have any of those installed on my Android devices.

The point is any app could do this.

I'm glad this is being reported. If the phone has a tattle tale it will be abused

The bypass—which Yandex began in 2017 and Meta started last September—allows the companies to pass cookies or other identifiers from Firefox and Chromium-based browsers to native Android apps for Facebook, Instagram, and various Yandex apps. The companies can then tie that vast browsing history to the account holder logged into the app.

Android imposes fewer controls on local host communications and background executions of mobile apps, the researchers said, while also implementing stricter controls in app store vetting processes to limit such abuses. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ browsing habits on sites containing these trackers.

This is exactly what discord does. If you ever wondered how the f* a discord link pops open discord without you giving permission, it's this.

The solution is to not allow localhost connections from the web browser, or use a socksv5 proxy

You are willingly giving away your data if you are not blocking trackers in your web browser and android apps.

I recommend Firefox + uBlock Origin for the web browser, and apps like PersonalDNSFilter or the AdGuard Android app if you can get a license for HTTPS filtering.

I don't know that blocking trackers would solve this problem but it sounds like simply not installing the native apps would.

Meta and Yandex achieve the bypass by abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications. The functionality lets browsers send web requests to local Android ports to establish various services, including media connections through the RTC protocol, file sharing, and developer debugging.

A conceptual diagram representing the exchange of identifiers between the web trackers running on the browser context and native Facebook, Instagram, and Yandex apps for Android.
While the technical underpinnings differ, both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. Browsers access these ports without user notification. Facebook, Instagram, and Yandex native apps silently listen on those ports, copy identifiers in real time, and link them to the user logged into the app.
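The localhost-port pattern the quoted passage describes, seen from the blocking side. This is an added example, not code from the article, the researchers, or anyone in this thread: it models the kind of loopback / local-network rule a content blocker can apply to a page's outgoing requests, over a constructed request log whose ports and script names are made up.

```python
"""Flag requests that a public web page's scripts aim at loopback or local-network addresses.

Added example (not from the article or the thread). Hostnames that are not IP literals
are matched only against a small set of loopback names; no DNS lookups are done, so the
script runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.", "ip6-localhost"}


def is_local_target(url: str) -> bool:
    """True if the URL points at loopback, link-local or private (RFC 1918 / ULA) space."""
    host = urlsplit(url).hostname  # strips the port and IPv6 brackets, lowercases
    if host is None:
        return False
    if host in LOOPBACK_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary DNS name: a blocker would need resolution to decide
    return addr.is_loopback or addr.is_link_local or addr.is_private


def flag_local_requests(requests):
    """Return the requests a non-local page made to local addresses.
    Each request is a dict with 'page', 'url' and 'initiator' keys."""
    return [
        req for req in requests
        if is_local_target(req["url"]) and not is_local_target(req["page"])
    ]


# Constructed sample log: one public page whose embedded third-party script fires
# requests at 127.0.0.1, localhost and ::1, the pattern the article describes.
# The last entry is a developer's own localhost page talking to itself and is not flagged.
SAMPLE_REQUESTS = [
    {"page": "https://news.example/story", "url": "https://cdn.example/app.js", "initiator": "page"},
    {"page": "https://news.example/story", "url": "http://127.0.0.1:12345/?id=abc", "initiator": "tracker.js"},
    {"page": "https://news.example/story", "url": "http://localhost:23456/", "initiator": "tracker.js"},
    {"page": "https://news.example/story", "url": "http://[::1]:34567/", "initiator": "tracker.js"},
    {"page": "http://127.0.0.1:8080/dev", "url": "http://127.0.0.1:9000/api", "initiator": "page"},
]

if __name__ == "__main__":
    for r in flag_local_requests(SAMPLE_REQUESTS):
        print(f"{r['initiator']} on {r['page']} -> {r['url']}")
```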

I use Tracker Control + Invizible Pro + Ironfox.

Tsss... Firefox, NoScript, uBlock Origin and Tracker Control (via f-droid.org). Also actively cursing trackers' employees, their wives, children, houses and pets using traditional ancient Roman ban curses. (Yes, I am speaking Latin. And I do have a black cat.)

You're willingly giving your data away as soon as you buy a smartphone. Just using FF and UBO isn't doing anything to help that.

I'm baffled as to how you seem to believe these two things somehow are making your personal data untouchable. There is no reality that exists where you aren't giving up an enormous amount of personal data.

Those things only help make the web less annoying.

I'm not using any Meta or standard service to justify funneling any data from my side to them.

My setup blocks more trackers and ads than the average person's. I do not even see ads on my phone, be it on a website or in a native app. I reduce my reliance on Google to only what's needed. Others do not get it unless needed. This reduces data collection to a high degree.

This loophole for example did not touch my phone since ads and trackers are already blocked to a high degree.

This exploit involved Meta and Yandex apps running servers on your phone which JavaScript embedded in trackers would communicate with. You'd have to both allow their trackers and have their apps installed to be affected.

Aaaaand...

You're still giving hoards of data away.

Until you realize how this is possible, you and me cannot have this conversation.

Well, I do need to exist to a certain degree in this world/society by giving away some data.
I'm already an outcast in a way, in that I do not use the popular social media apps/websites most people use.

I can stop more data collection by installing Linux, AOSP, GrapheneOS with bare minimum apps from fdroid.

I could've done that but would be making my life more difficult for little gain.

Exactly. You get it.

Limiting the data being thrown out the window is doable. You'll see folks trying to "De-Google" which is understandable. But you're effectively changing the entire way you use the internet. So if that's something you're comfortable with, there's that.

Is this kind of thing why uBO added the localhost / localnet filter? Or does this go beyond that?

I think so.

Some browsers for Android have blocked the abusive JavaScript in trackers. DuckDuckGo, for instance, was already blocking domains and IP addresses associated with the trackers, preventing the browser from sending any identifiers to Meta. The browser also blocked most of the domains associated with Yandex Metrica. After the researchers notified DuckDuckGo of the incomplete blacklist, developers added the missing addresses.

Firefox with the EFF Privacy Badger extension.

That is all.

It's not all. Not by a long shot.

https://abrahamjuliot.github.io/creepjs/

Any recommendations for additions to the arsenal?

It depends entirely on your threat model. Start with privacyguides.org

For anyone simply not wanting to have their data scooped up en masse, you still have to defeat IP triangulation, browser fingerprinting, and shadow profiling. Our data is extremely valuable to some people, and they go to great lengths to get it.
