Digital Event Horizon
The malicious behavior of Meta Pixel and Yandex Metrica allows these companies to de-anonymize Android users by exploiting localhost access. The researchers warn that the current fixes against this abuse could become ineffective at any time, so browser makers must constantly monitor the use of this type of capability and update their blocklists accordingly.
In a shocking revelation, researchers have discovered that Meta Pixel and Yandex Metrica, analytics scripts used by millions of websites, are secretly exploiting Android's localhost access to de-anonymize users. The malicious behavior allows these companies to bypass the security and privacy protections provided by both Android and popular browsers, effectively linking pseudonymous web identities with actual user identities.
The researchers warned that the current fixes against this abuse could become ineffective at any time, and that browser makers must constantly monitor the use of this type of capability and update their blocklists accordingly.
According to Vallina-Rodriguez, creating effective blocklists is hard, and browser makers will need to constantly monitor the use of this type of capability to detect other hostnames potentially abusing localhost channels. "The fundamental issue is that the access to the local host sockets is completely uncontrolled on Android," he explained. "There's no way for users to prevent this kind of communication on their devices. Because of the dynamic nature of JavaScript code and the difficulty to keep blocklists up to date, the right way of blocking this persistently is by limiting this type of access at the mobile platform and browser level."
Meta Pixel began abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications in September last year. They started by causing apps to send HTTP requests to port 12387, a move that caught many websites off guard when their scripts began connecting to local ports. A month later, they stopped sending this data, even though Facebook and Instagram apps continued to monitor the port.
In November, Meta Pixel switched to a new method that invoked WebSocket, a protocol for two-way communications, over port 12387. This was followed by the deployment of a new method that used WebRTC, a real-time peer-to-peer communication protocol commonly used for making audio or video calls in the browser. This method utilized a process known as SDP munging, a technique for JavaScript code to modify Session Description Protocol data before it's sent. Still in use today, this SDP munging by Meta Pixel inserts key _fbp cookie content into fields meant for connection information.
The researchers also discovered that Yandex Metrica, the Russian-based tracker, began sending HTTP requests to local ports 29009 and 30102 in May 2017. They later started sending data through HTTPS to ports 29010 and 30103 in May 2018. Both methods remained in place as of publication time.
Meta Pixel's _fbp cookie is sent to the native Instagram or Facebook app via WebRTC (STUN) SDP munging. In this way the companies pass cookies or other identifiers from Firefox and Chromium-based browsers to the native Android apps for Facebook, Instagram, and various Yandex apps, and can then tie that vast browsing history to the account holder logged into the app.
The researchers provided a detailed description of how Meta Pixel leaks the _fbp cookie from Android browsers to the Facebook and Instagram apps. The user opens their browser and visits a website that integrates the Meta Pixel (some websites wait for the user's consent before embedding it). Once the Meta Pixel script is loaded, it sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP munging.
In contrast to iOS, Android imposes fewer controls on local host communications and background executions of mobile apps. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, effectively de-anonymizing users' browsing habits on sites containing these trackers.
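The two channels described above, web requests to loopback ports and WebRTC offers whose connection fields carry cookie content, can be checked for on the browser side. The following is a detection heuristic added here as an example; it is not code from the article, the researchers, or the trackers. The port numbers are those quoted in the article, the _fbp cookie shape (`fb.<n>.<timestamp>.<random>`) and the SDP sample are assumptions constructed for the example, and the SDP field names follow the standard ICE attributes.

```javascript
// Added example (not from the article or the researchers): a defender-side
// heuristic for (1) page requests to loopback ports and (2) WebRTC SDP offers
// whose connection fields carry a cookie-shaped value (SDP munging).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "0.0.0.0"]);
const TRACKER_PORTS = new Set([12387, 29009, 30102, 29010, 30103]); // from the article
// Assumed shape of a raw _fbp cookie value: "fb.<n>.<ms-timestamp>.<random digits>".
const FBP_RE = /\bfb\.\d+\.\d{10,13}\.\d+\b/g;
// Connection-level SDP lines that should never carry application data.
const CONN_LINES = ["a=ice-ufrag:", "a=ice-pwd:", "a=candidate:", "c=IN "];

// Classify a URL a page tries to fetch or open (HTTP(S), WebSocket). Returns null
// for non-loopback hosts, otherwise the scheme, port and whether the port is known.
function classifyLocalRequest(url) {
  const u = new URL(url);
  if (!LOOPBACK_HOSTS.has(u.hostname)) return null;
  const scheme = u.protocol.slice(0, -1);
  const secure = scheme === "https" || scheme === "wss";
  const port = u.port ? Number(u.port) : secure ? 443 : 80;
  return { scheme, port, knownTrackerPort: TRACKER_PORTS.has(port) };
}

// Inspect an SDP offer: report cookie-shaped values smuggled into connection
// fields and host candidates that point at a loopback address.
function inspectSdp(sdp) {
  const smuggled = [];
  const loopbackCandidates = [];
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (!CONN_LINES.some((p) => line.startsWith(p))) continue;
    for (const m of line.match(FBP_RE) || []) smuggled.push({ field: line.split(":")[0], value: m });
    if (line.startsWith("a=candidate:")) {
      // a=candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> ...
      const f = line.slice("a=candidate:".length).split(/\s+/);
      const ip = f[4] || "", port = Number(f[5]);
      if (LOOPBACK_HOSTS.has(ip) || ip.startsWith("127.")) loopbackCandidates.push({ ip, port });
    }
  }
  const suspicious = smuggled.length > 0 || loopbackCandidates.some((c) => TRACKER_PORTS.has(c.port));
  return { smuggled, loopbackCandidates, suspicious };
}

// Constructed sample offer: a cookie-shaped value in ice-ufrag and a loopback candidate.
const SAMPLE_SDP = [
  "v=0", "o=- 1 2 IN IP4 127.0.0.1", "s=-", "t=0 0",
  "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
  "c=IN IP4 0.0.0.0",
  "a=ice-ufrag:fb.1.1717401600000.987654321",
  "a=ice-pwd:notarealpassword",
  "a=candidate:1 1 udp 2122260223 127.0.0.1 12387 typ host",
].join("\r\n");
```

Running `inspectSdp(SAMPLE_SDP)` flags the offer as suspicious; a normal offer with only public candidates and random ICE credentials is not flagged.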
The researchers warn that the current fixes are so specific to the code in the Meta and Yandex trackers that it would be easy to bypass them with a simple update. "They know that if someone else comes in and tries a different port number, they may bypass this protection," said Gunes Acar, the researcher behind the initial discovery.
Fellow researcher Vallina-Rodriguez added that a more comprehensive way to prevent abuse is for Android to overhaul the way it handles access to local ports.
The researchers who made this discovery are Aniketh Girish, PhD student at IMDEA Networks; Gunes Acar, assistant professor in Radboud University's Digital Security Group & iHub; Narseo Vallina-Rodriguez, associate professor at IMDEA Networks; Nipuna Weerasekara, PhD student at IMDEA Networks; and Tim Vlummens, PhD student at COSIC, KU Leuven.
In response to the discovery, Google stated that the behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users. "The developers in this report are using capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles," a representative said.
Meta also responded by stating that they are in discussions with Google to address a potential miscommunication regarding the application of their policies. They added, "Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue."
Related Information:
https://www.digitaleventhorizon.com/articles/Covert-Tracking-How-Meta-and-Yandex-Abuse-Androids-Local-Port-Access-to-De-Anonymousize-Users-deh.shtml
https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
https://www.ru.nl/en/research/research-news/new-research-highlights-privacy-abuse-involving-meta-and-yandex
Published: Tue Jun 3 09:53:23 2025 by llama3.2 3B Q4_K_M