
Security researchers have unveiled a novel tracking method used by Meta and Yandex that effectively de-anonymizes billions of Android users when they browse the web, even using Incognito mode. The tech giants’ apps secretly listen for data from websites through “localhost” connections.
When Android users browse the web, Meta apps and those of Yandex, a major Russian technology company, are actively listening, according to a report by security researchers from IMDEA Networks, a Madrid-based institute, the Dutch Radboud University, and the Belgian University of Leuven.
They found a hidden connection between the browsing activities and the apps running in the background, circumventing Android and browser sandboxes and other security and data protection features. It works even when using Incognito Mode.
“We found that native Android apps – including Facebook, Instagram, and several Yandex apps, including Maps and Browser – silently listen on fixed local ports for tracking purposes,” the report reads.
How is this done?
Millions of websites have Meta Pixel or Yandex Metrica scripts embedded. When a user lands on any of these websites, these scripts beam the data to the corresponding apps, linking browsing activities with the actual user.
The researchers found that these trackers connect with apps through localhost sockets.
The apps open a listening socket on the loopback interface – think of it as a mailbox with a specific address waiting for data to arrive. Android OS allows any app with internet permission to do this.
“This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode, and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity,” the researchers warn.
Browsers on the same device can also reach this loopback interface. Therefore, JavaScript embedded in web pages can communicate with the apps and hand them identifiers and browsing habits. The temporary web data is then linked with the app and device IDs.
Meta Pixel trackers were found to transmit cookies using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports. Similarly, Yandex has been using localhost communications since 2017, listening on ports 29009, 29010, 30102, and 30103.
Meta also deliberately hid the communication using the “SDP Munging” technique, so the cookie with user data is not immediately visible to inspection tools – it was buried inside the WebRTC session-setup (SDP) messages rather than sent in the clear.

Meta Pixel is embedded on over 5.8 million websites, while Yandex Metrica is present on close to 3 million.
Malware can abuse this and steal the data
The covert web-to-app tracking also exposes user data to other potentially malicious apps, which can listen to the same ports and intercept the communication between the web tracking scripts and the apps.
The researchers even demonstrated such an app, and all major browsers, including Chrome, Firefox, and Edge, were susceptible to this form of browsing history leakage.
“Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost, and DuckDuckGo was only minimally affected due to missing domains in their blocklist,” the report notes.
Meta and Yandex didn’t describe this kind of tracking in their official documentation, leaving both website owners and users unaware. The tracking scripts were loaded even before the cookie consent forms were displayed.
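The mechanism described above (apps bound to fixed loopback ports, and the risk that any other app could bind the same ports) can be checked for from the device side. The following Python script is an added example written for this article, not code from the researchers or from Meta or Yandex: it parses Linux/Android `/proc/net/udp` and `/proc/net/tcp` socket tables, keeps only sockets bound to 127.0.0.0/8, and attributes them to the port ranges the article names (UDP 12580–12585 for Meta Pixel; 29009, 29010, 30102, 30103 for Yandex). The sample tables are constructed inline; the port lists, UIDs and the little-endian address layout are assumptions stated in the code, and any loopback listener on another port is reported as unattributed so that lookalike apps show up too.

```python
"""Find apps bound to loopback ports on an Android/Linux device by reading
/proc/net/udp and /proc/net/tcp. Added example for this article; not the
report's code. Port lists below come from the article and are not exhaustive."""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: only the ports named in the article are considered "known".
META_PIXEL_UDP_PORTS = set(range(12580, 12586))   # 12580-12585, WebRTC/UDP
YANDEX_PORTS = {29009, 29010, 30102, 30103}


@dataclass
class LoopbackListener:
    proto: str
    ip: str
    port: int
    uid: int          # on Android, uid >= 10000 is an installed app
    attribution: str  # "meta-pixel", "yandex-metrica" or "unattributed"


def _decode_ipv4(hex_ip: str) -> str:
    # /proc/net/* prints IPv4 as 8 hex digits in host byte order; Android
    # devices are little-endian (assumption), so reverse the bytes.
    return ".".join(str(b) for b in bytes.fromhex(hex_ip)[::-1])


def _attribute(proto: str, port: int) -> str:
    if proto == "udp" and port in META_PIXEL_UDP_PORTS:
        return "meta-pixel"
    if port in YANDEX_PORTS:
        return "yandex-metrica"
    return "unattributed"


def parse_socket_table(proto: str, lines: Iterable[str]) -> List[LoopbackListener]:
    """Return sockets bound to 127.x.x.x that are waiting for input:
    state 07 (bound, unconnected) for UDP, state 0A (LISTEN) for TCP."""
    want_state = "0A" if proto == "tcp" else "07"
    found: List[LoopbackListener] = []
    for line in lines:
        fields = line.split()
        # Header row ("sl local_address ...") or malformed line.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        local, state, uid = fields[1], fields[3], fields[7]
        if state != want_state:
            continue
        hex_ip, hex_port = local.split(":")
        if len(hex_ip) != 8:
            continue  # IPv6 tables (tcp6/udp6) use 32 hex digits; out of scope here
        ip = _decode_ipv4(hex_ip)
        if not ip.startswith("127."):
            continue
        port = int(hex_port, 16)
        found.append(LoopbackListener(proto, ip, port, int(uid), _attribute(proto, port)))
    return found


def scan_proc(root: str = "/proc/net") -> List[LoopbackListener]:
    """Read the live tables on a device (e.g. via `adb shell`)."""
    out: List[LoopbackListener] = []
    for proto in ("udp", "tcp"):
        with open(f"{root}/{proto}") as fh:
            out.extend(parse_socket_table(proto, fh))
    return out


# Constructed sample tables (not captured from a real device).
SAMPLE_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  200: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10230        0 45001 2 0000000000000000 0
  201: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 45002 2 0000000000000000 0
  202: 0100007F:7151 00000000:0000 07 00000000:00000000 00:00000000 00000000 10311        0 45003 2 0000000000000000 0
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7596 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10311        0 45010 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10400        0 45011 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C1A8 01 00000000:00000000 00:00000000 00000000 10400        0 45012 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    rows = parse_socket_table("udp", SAMPLE_UDP.splitlines())
    rows += parse_socket_table("tcp", SAMPLE_TCP.splitlines())
    for r in rows:
        print(f"{r.proto} {r.ip}:{r.port} uid={r.uid} -> {r.attribution}")
```

On a device, `adb shell cat /proc/net/udp /proc/net/tcp` supplies the real tables, and the reported UID can be mapped to a package with `pm list packages -U`. A hit on one of the known ports from a UID that is not Meta's or Yandex's app is the "lookalike listener" case the article warns about; a hit from an unexpected UID on any loopback port is worth the same scrutiny.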
iOS may also be susceptible
The secret tracking technique might not be limited only to Android. Researchers warn about “empirical evidence” that similar web-to-app tracking can technically occur on other platforms.
iOS browsers are all based on WebKit, which allows developers to establish localhost connections. Apps can also listen on specific ports. However, Apple has introduced technical and policy restrictions for running apps in the background, which “may explain why iOS users were not targeted by these trackers.”
Meta stops its activity after the disclosure
The researchers noted that as of June 3rd, the Meta/Facebook Pixel script is no longer sending any packets or requests to localhost.
“The code responsible for sending the _fbp cookie has been almost completely removed,” the researchers wrote in an update to the report.
“Our responsible disclosure to major Android browser vendors led to several patches attempting to mitigate this issue; some already deployed, others currently in development.”
However, they warn that a broader set of measures will be required to fully address the issue.
Read the full report here.