Consumer Rights Wiki - User contributions [en]

Covert web-to-app tracking by Meta and Yandex

2025-11-06T07:07:04Z

DerKork: remove template

{{IncidentCargo
|Company=Meta, Yandex
|StartDate=2017-02
|EndDate=2025-01
|Status=Resolved
|Product=Facebook, Instagram, Yandex Maps, Yandex Browser
|ArticleType=Service
|Type=Privacy, Surveillance, Unprompted Risk to Users
|Description=Meta & Yandex apps on Android track users by listening on localhost ports, linking web activity to app identities, bypassing privacy measures.
}}Meta and Yandex use a covert tracking method on Android: their native apps (Facebook, Instagram, Yandex apps) listen on fixed localhost ports, and scripts on websites forward browser cookies and metadata to these apps, linking every browsing session to the user's real identity and bypassing privacy protections<ref>{{Cite web |title=Local Mess |url=https://localmess.github.io/}}</ref>.

==Background==
Meta (formerly Facebook) operates the world’s largest social networks, Facebook and Instagram, plus Messenger and WhatsApp<ref>{{Cite web |title=Wikpedia - Meta Platforms |url=https://en.wikipedia.org/wiki/Meta_Platforms}}</ref>; its Meta Pixel is a snippet webmasters install to log visitor actions for ad targeting and campaign measurement. Yandex, Russia’s dominant search engine, also runs browsers, maps, taxis, and marketplaces; its free Yandex.Metrica analytics suite records every click, scroll, and session, giving site owners heat-maps, replay videos, and conversion funnels<ref>{{Cite web |title=Wikipedia - Yandex |url=https://en.wikipedia.org/wiki/Yandex}}</ref>.

==Covert Web-to-App Tracking==
Researchers disclosed on June 3rd, 2025 that Meta and Yandex had been using a covert localhost tracking technique on Android. Native apps (Facebook, Instagram, Yandex Maps, Browser, etc.) silently listened on fixed ports, while embedded web scripts (Meta Pixel, Yandex Metrica) forwarded browser cookies and metadata to these apps, linking every site visit - even in Incognito - to the user’s real identity and bypassing normal privacy boundaries. In addition this opened a security loophole as malicous applications could also listen on these ports and acquire this data, even if the user had no apps of Meta or Yandex installed.

*'''2017 - mid-2025''': Yandex operated a localhost-tracking system in apps such as Maps, Browser, and Search, silently receiving web-session cookies and metadata from sites running Yandex.Metrica.
*'''Late 2023 - May 2025''': Meta successively refined an equivalent technique, using Facebook and Instagram apps plus the Meta Pixel script to perform the same bypass on Android.
*'''3 June 2025''': IMDEA Networks, Radboud University, and others publicly disclosed the findings; press reports followed.
*'''Early June 2025''': Both companies halted the data transmissions, removed the localhost calls from their analytics scripts, and said they were cooperating with Google on a longer-term fix.

===Response from Meta/Yandex===

Both companies stopped the data transfers and removed the localhost calls from their tracking scripts within days of the public disclosure. Neither has issued a detailed public statement, but each told reporters it was "working with Google" on a permanent fix <ref>{{Cite web |title=Meta pauses mobile port tracking tech on Android after researchers cry foul |url=https://www.theregister.com/2025/06/03/meta_pauses_android_tracking_tech/}}</ref>.

==Consumer response==

Privacy advocates and security commentators reacted with alarm and criticism, calling the covert localhost tracking a “massive privacy breach” that circumvents Incognito mode, cookie clearing, and Android’s sandbox to link every site visit to a real-world identity. Key complaints center on the deceptive use of a trusted OS feature, the comprehensive user profiles it enables, and the lack of prior disclosure or consent<ref>{{Cite web |title=Meta and Yandex abuse protocol functionality to secretly track users — even in private browsing mode |url=https://adguard.com/en/blog/meta-yandex-abuse-localhost-to-track-users.html}}</ref><ref>{{Cite web |title=Localhost Tracking: The New Privacy Battleground That Could Cost Meta Billions |url=https://redact.dev/blog/meta-yandex-localhost-tracking}}</ref>.

==References==
{{reflist}}

{{Ph-I-C}}

Covert web-to-app tracking by Meta and Yandex

2025-11-06T07:06:31Z

DerKork: added incident, company and consumer response.

{{IncidentCargo
|Company=Meta, Yandex
|StartDate=2017-02
|EndDate=2025-01
|Status=Resolved
|Product=Facebook, Instagram, Yandex Maps, Yandex Browser
|ArticleType=Service
|Type=Privacy, Surveillance, Unprompted Risk to Users
|Description=Meta & Yandex apps on Android track users by listening on localhost ports, linking web activity to app identities, bypassing privacy measures.
}}Meta and Yandex use a covert tracking method on Android: their native apps (Facebook, Instagram, Yandex apps) listen on fixed localhost ports, and scripts on websites forward browser cookies and metadata to these apps, linking every browsing session to the user's real identity and bypassing privacy protections<ref>{{Cite web |title=Local Mess |url=https://localmess.github.io/}}</ref>.

==Background==
Meta (formerly Facebook) operates the world’s largest social networks, Facebook and Instagram, plus Messenger and WhatsApp<ref>{{Cite web |title=Wikpedia - Meta Platforms |url=https://en.wikipedia.org/wiki/Meta_Platforms}}</ref>; its Meta Pixel is a snippet webmasters install to log visitor actions for ad targeting and campaign measurement. Yandex, Russia’s dominant search engine, also runs browsers, maps, taxis, and marketplaces; its free Yandex.Metrica analytics suite records every click, scroll, and session, giving site owners heat-maps, replay videos, and conversion funnels<ref>{{Cite web |title=Wikipedia - Yandex |url=https://en.wikipedia.org/wiki/Yandex}}</ref>.

== Covert Web-to-App Tracking ==
{{Ph-I-I}}Researchers disclosed on June 3rd, 2025 that Meta and Yandex had been using a covert localhost tracking technique on Android. Native apps (Facebook, Instagram, Yandex Maps, Browser, etc.) silently listened on fixed ports, while embedded web scripts (Meta Pixel, Yandex Metrica) forwarded browser cookies and metadata to these apps, linking every site visit - even in Incognito - to the user’s real identity and bypassing normal privacy boundaries. In addition this opened a security loophole as malicous applications could also listen on these ports and acquire this data, even if the user had no apps of Meta or Yandex installed.

* '''2017 - mid-2025''': Yandex operated a localhost-tracking system in apps such as Maps, Browser, and Search, silently receiving web-session cookies and metadata from sites running Yandex.Metrica.
* '''Late 2023 - May 2025''': Meta successively refined an equivalent technique, using Facebook and Instagram apps plus the Meta Pixel script to perform the same bypass on Android.
* '''3 June 2025''': IMDEA Networks, Radboud University, and others publicly disclosed the findings; press reports followed.
* '''Early June 2025''': Both companies halted the data transmissions, removed the localhost calls from their analytics scripts, and said they were cooperating with Google on a longer-term fix.

===Response from Meta/Yandex===

Both companies stopped the data transfers and removed the localhost calls from their tracking scripts within days of the public disclosure. Neither has issued a detailed public statement, but each told reporters it was "working with Google" on a permanent fix <ref>{{Cite web |title=Meta pauses mobile port tracking tech on Android after researchers cry foul |url=https://www.theregister.com/2025/06/03/meta_pauses_android_tracking_tech/}}</ref>.

==Consumer response==

Privacy advocates and security commentators reacted with alarm and criticism, calling the covert localhost tracking a “massive privacy breach” that circumvents Incognito mode, cookie clearing, and Android’s sandbox to link every site visit to a real-world identity. Key complaints center on the deceptive use of a trusted OS feature, the comprehensive user profiles it enables, and the lack of prior disclosure or consent<ref>{{Cite web |title=Meta and Yandex abuse protocol functionality to secretly track users — even in private browsing mode |url=https://adguard.com/en/blog/meta-yandex-abuse-localhost-to-track-users.html}}</ref><ref>{{Cite web |title=Localhost Tracking: The New Privacy Battleground That Could Cost Meta Billions |url=https://redact.dev/blog/meta-yandex-localhost-tracking}}</ref>.

==References==
{{reflist}}

{{Ph-I-C}}

Covert web-to-app tracking by Meta and Yandex

2025-11-06T06:45:05Z

DerKork: add background

Covert web-to-app tracking by Meta and Yandex

2025-11-06T06:35:50Z

DerKork: Created page with "{{IncidentCargo |Company=Meta, Yandex |StartDate=2017-02 |EndDate=2025-01 |Status=Resolved |Product=Facebook, Instagram, Yandex Maps, Yandex Browser |ArticleType=Service |Type=Privacy, Surveillance, Unprompted Risk to Users |Description=Meta & Yandex apps on Android track users by listening on localhost ports, linking web activity to app identities, bypassing privacy measures. }} {{Ph-I-Int}} ==Background== {{Ph-I-B}} ==[Incident]== {{Ph-I-I}} ===[Company]'s response==..."