Researchers discovered that Meta (Facebook/Instagram) and Yandex apps on Android secretly listen on localhost ports to receive tracking data from web browsers. When users visit websites that embed the Meta Pixel or Yandex Metrica scripts, that JavaScript silently connects to native apps running on the same device through localhost sockets, bypassing privacy protections like incognito mode and cookie clearing. This allows web browsing sessions to be linked to user identities through device identifiers like the Android Advertising ID. The technique affects billions of Android users across millions of websites. Meta has since stopped this practice following disclosure, while browser vendors are implementing countermeasures.
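One way to audit a test device for the listening side of this channel, as an added example that is not code from the researchers or the vendors: it parses a socket table in the Linux `/proc/net/tcp` format and reports loopback listeners owned by app UIDs. The sample table, its ports and its UIDs are constructed, and the function names are hypothetical; obtaining the table (for example from a rooted or debug device) is assumed, and only IPv4 is covered.

```python
import ipaddress

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40111 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D431 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10150        0 51300 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33002 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def is_app_uid(uid):
    """True for UIDs in Android's per-user application range (10000-19999)."""
    return 10000 <= uid % 100000 <= 19999


def loopback_listeners(proc_net_tcp):
    """Return (ip, port, uid) for LISTEN sockets bound to loopback by app UIDs."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is printed as a little-endian 32-bit value: reverse the bytes.
        ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
        uid = int(fields[7])
        if ip.is_loopback and is_app_uid(uid):
            hits.append((str(ip), int(port_hex, 16), uid))
    return hits


if __name__ == "__main__":
    for ip, port, uid in loopback_listeners(SAMPLE):
        print(f"app uid {uid} is listening on {ip}:{port}")
```

A hit is a lead rather than proof of tracking: map the UID to its package and check whether web content has any legitimate reason to reach that port.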
Table of contents
Yandex using localhost communications since 2017