Researchers detail a technique Meta and Yandex use to glean some logged-in Android users' browsing histories from Chromium-based browsers via web identifiers, even in incognito mode or with a VPN

Nick Heer / Pixel Envy: Meta and Yandex Apps on Android Have Been Tracking Users in Newly Creepy Ways

Bluesky:

Matthew Green / @matthewdgreen: Yuck. Meta apps listen on localhost on Android so that tracking scripts can talk to apps, and Meta can monitor your browsing and tie it to identity. Why is that allowed? www.theregister.com/2025/06/03/ m...

Corey Quinn / @quinnypig.com: If you work at Meta you can dress it up however you need to, but the reality is you work for a malware company.

Darren Ewing / @sadknob: of course they are. you're not a person anymore; you're just data that can buy things from them. they are systematically invading our privacy, manipulating our sources of real, honest information, and destroying our individuality. — ...and buying yachts. — arstechnica.com/security/202...

@grapheneos.org: The tracking technique described at arstechnica.com/security/202... is prevented by Vanadium's default “Disabled non-proxied UDP” value. It's also prevented by “Default public interface only”, which does permit peer-to-peer connections but won't try to use the loopback interface for it.

Ben Oberkfell / @benlikestoco.de: tldr: FB/IG app ran a local socket on their Android app, and their web tracking pixels used it to report back. — This didn't just get built out of nowhere. Lots of people at Meta probably wrote a PRD, eng design docs, and sat in meetings to discuss developing this tracking method.

Tyler King / @tyleraking.com: I dunno. Kinda sounds like hacking. Kinda remember when the feds were gonna send Aaron Swartz to prison for 35 years for downloading academic journals.

Mastodon:

@AAKL@infosec.exchange: This is the work of Meta's notorious Pixel code. Notice it is being done on Google platforms. — “UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.” …

@vxo@digipres.club: @dangoodin oh the Meta stuff is just bonkers. I used to have the SEO-recommended share buttons enabled on my blog until I realized that they were running tracking code from all the sites they offered to share the pages to! Meta's was one of the creepiest, it added seven seconds to page load times while it sat there and furiously fingerprinted the browser. …

@tek@freeradical.zone: Meta and Yandex are de-anonymizing Android users' web browsing identifiers https://arstechnica.com/... > both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. — 🎵Burn it to the ground🎵 …

LinkedIn:

Kathy Reid Mba: If you needed any more incentives to move away from Facebook or Instagram, because their wholesale scraping of the content you upload wasn't enough …

Forums:

Hacker News: Covert Web-to-App Tracking via Localhost on Android
r/privacy: Meta and Yandex are de-anonymizing Android users' web browsing identifiers
r/technology: Meta and Yandex are de-anonymizing Android users' web browsing identifiers | Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
BeauHD / Slashdot: Meta and Yandex Are De-Anonymizing Android Users' Web Browsing Identifiers
Ars OpenForum: Meta and Yandex are de-anonymizing Android users' web browsing identifiers