Meta Platforms Inc., the parent company of Facebook and Instagram, has paused its mobile port tracking technology on Android after researchers showed that its native apps were listening on localhost ports, a technique that allowed the company to link web browsing data to user identities. The Russian search engine Yandex was also found to have used this technique, dating back to 2017.
Security researchers from IMDEA Networks, Radboud University, and KU Leuven published a report detailing the methods used by Meta and Yandex to bypass typical privacy protections on Android devices. They found that the companies were using native apps to receive browsers’ metadata, cookies, and commands from scripts embedded on thousands of websites.
The technique involves opening localhost ports that allow Android apps to receive tracking data, such as cookies and browser metadata, from scripts running in mobile browsers. This allows Meta and Yandex to link mobile browsing sessions and web cookies to user identities, bypassing common privacy safeguards like cookie clearing, Incognito Mode, and Android’s app permission system.
Meta has since removed the tracking code and stopped sending data to localhost, while Yandex has not publicly addressed its use of the technique. The exposure has nonetheless led to several mitigations: Chrome 137 blocks the SDP munging technique used by Meta Pixel, Mozilla Firefox has received a fix, and Brave now requires user consent before a page may use localhost.
The researchers suggest creating a new “local network access” permission that could help mitigate localhost-based tracking in the future.
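As an added example (not code from the article or from any vendor named in it), the following JavaScript models the proposed "local network access" gate: requests a page issues to loopback or private-range hosts are refused unless a consent hook, standing in for a browser permission prompt, allows them. The function names and the policy are assumptions for illustration.

```javascript
// Added example: a page-side request guard modelling a "local network access" permission.
// Targets are classified by destination host; loopback and private-range targets (the class
// the localhost-port tracking relied on) are refused unless a consent hook says yes.
// Function names and the policy are assumptions, not any browser's implementation.

// IPv4 literal -> [a, b, c, d], or null if the host is not a dotted quad
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Returns 'loopback' | 'private' | 'public' (loosely the address classes of the
// W3C Private Network Access draft). Hostnames other than localhost are treated
// as public here; resolving them and handling DNS rebinding is out of scope.
function classifyTarget(urlString, pageOrigin) {
  const host = new URL(urlString, pageOrigin).hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost') || host === '::1') return 'loopback';
  const ip = parseIPv4(host);
  if (!ip) return 'public';
  const [a, b] = ip;
  if (a === 127) return 'loopback';                       // 127.0.0.0/8
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) ||    // RFC 1918 ranges
      (a === 192 && b === 168)) return 'private';
  return 'public';
}

// consentFor(pageOrigin, host) is the hook a browser would back with a permission
// prompt. Returns a decision object so the policy can be checked without any I/O.
function decide(urlString, pageOrigin, consentFor) {
  const cls = classifyTarget(urlString, pageOrigin);
  const host = new URL(urlString, pageOrigin).hostname;
  const allow = cls === 'public' || consentFor(pageOrigin, host) === true;
  return { allow, cls, host };
}

// Wraps a fetch-like function (e.g. globalThis.fetch) with the policy above.
function makeGuardedFetch(rawFetch, consentFor) {
  return (urlString, pageOrigin, options) => {
    const d = decide(urlString, pageOrigin, consentFor);
    if (!d.allow) {
      return Promise.reject(new Error(`blocked ${d.cls} request to ${d.host} from ${pageOrigin}`));
    }
    return rawFetch(urlString, options);
  };
}
```

Only targets handed to the wrapped fetch are covered; WebSocket and WebRTC paths such as the SDP munging mentioned above need their own hooks.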
Source: https://www.theregister.com/2025/06/03