Meta and Yandex Caught Bypassing Privacy Protections with Localhost Tracking

2025-06-04

Security researchers revealed that Meta and Yandex used native Android apps listening on localhost ports to link web browsing data to user identities, bypassing typical privacy safeguards. The Facebook, Instagram, and Yandex apps silently collected cookie data via fixed local ports, tying browsing activity to user identities and circumventing cookie clearing, incognito mode, and app permission systems. Meta employed this technique starting in September 2024, using HTTP, WebSocket, and WebRTC protocols. Meta has since ceased this practice: its Pixel script has stopped sending data to localhost, and much of the tracking code has been removed, likely to avoid violating Google Play policies. Yandex's use continues. Chrome 137 includes some mitigations, and Firefox and DuckDuckGo are also taking action.
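One way to audit a test device for the app-side half of this channel, as an added example that is not from the researchers' report: parse a socket table in Linux `/proc/net/tcp` format, list app-owned listeners reachable through 127.0.0.1, and pair them with loopback connections from other apps. The sample table, ports and UIDs are constructed; the code assumes IPv4 and a little-endian device.

```python
import ipaddress

LISTEN, ESTABLISHED = "0A", "01"  # TCP state codes used in /proc/net/tcp
FIRST_APP_UID = 10000             # Android assigns installed apps UIDs from 10000

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234 0 51234
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10150 0 51240
   2: 0100007F:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 40012
   3: 0100007F:9C40 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10198 0 61877
   4: 0100007F:3039 0100007F:9C40 01 00000000:00000000 00:00000000 00000000 10234 0 61878
"""

def _addr(field):
    """Decode 'HEXIP:HEXPORT'; the IP is stored in host (little-endian) byte order."""
    hex_ip, hex_port = field.split(":")
    return ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1]), int(hex_port, 16)

def parse(table):
    """Return ((local_ip, local_port), (remote_ip, remote_port), state, uid) per socket."""
    rows = []
    for line in table.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 8:
            rows.append((_addr(f[1]), _addr(f[2]), f[3], int(f[7])))
    return rows

def app_listeners(table):
    """App-owned listeners a browser on the same device can reach via 127.0.0.1.

    Wildcard binds (0.0.0.0) are included because they also accept loopback traffic.
    """
    return [(str(ip), port, uid)
            for (ip, port), _, state, uid in parse(table)
            if state == LISTEN and uid >= FIRST_APP_UID
            and (ip.is_loopback or ip.is_unspecified)]

def cross_app_connections(table):
    """(client_uid, listener_uid, port) for loopback connections between different UIDs."""
    owner = {port: uid for _, port, uid in app_listeners(table)}
    return [(uid, owner[rport], rport)
            for _, (rip, rport), state, uid in parse(table)
            if state == ESTABLISHED and rip.is_loopback
            and rport in owner and uid != owner[rport]]

if __name__ == "__main__":
    print(app_listeners(SAMPLE))
    print(cross_app_connections(SAMPLE))
```

Each UID in the output still has to be mapped to a package name on the device to see which app owns the listener and which one connected to it.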