Android user web browsing data may have been provided to Meta and/or Yandex due to a “loophole” in the operating system’s loopback interface, regardless of the use of “incognito mode” or any other common privacy protections that would otherwise thwart user tracking.
The tech giants were able to exploit an issue with the Android “localhost” address that is used by software developers for testing server-based applications. Meta was likely listening in with its suite of major apps such as Facebook and Instagram, while users of Yandex apps such as Maps and its web browser may have also had de-anonymized web data exposed.
Ad networks abuse Android port to spy
The issue was discovered by a team of academic researchers who call the hidden user tracking technique “Local Mess.” The team estimates that potentially billions of Android users worldwide are impacted as the issue could have been exploited by many of both Meta and Yandex’s native Android apps.
The apps are listening in on this fixed “localhost” port on this device, working with the web-spanning advertising networks of the two companies (Meta Pixel and Yandex Metrica) that each have scripts embedded in the background of thousands of web sites. A user visiting a web site with one of those scripts present would activate an associated app on their device, which then collects metadata and cookies from the browsers as well as tracking user commands.
These items can also be linked to the unique Android Advertising ID for the device, or in the case of Meta apps the user’s account name, to de-anonymize the information that they absorb. As the researchers describe it, this user tracking technique would not be thwarted by any privacy settings or by using a browser’s Incognito Mode. Clearing cookies and web history would also not help, at least in terms of being individually identified when visiting a site with a Meta or Yandex script present. The exploit is also not necessarily limited to Meta and Yandex; any Android app with the “INTERNET” permission is able to open a listening socket on the loopback interface.
The technique does require an assist from the websites the user is visiting, however. For Meta, this includes those with the “_fbp” cookie that serves as the foundation of its advertising network. The researchers note that the Web Almanac 2024 found that this was the third most commonly found cookie on the web and is present on about 25% of the top one million websites; Meta Pixel is present on about 5.8 million sites in total. For Yandex this is with any site that makes use of Yandex Metrica, an analytics tool that is similar to Google Analytics. Recent research indicates that a little over half a million websites make use of it. The Yandex Browser, Maps, Navigator, Search, Metro in Europe and Go: Taxi Food apps are able to plug into the user tracking technique.
Surreptitious user tracking called a “miscommunication regarding policies” by Meta
Though the two ad networks and associated apps have been available for a very long time, the researchers think that the user tracking loophole was first exploited by Yandex in February 2017 (with exploitation of https connections not seen until a year later) and by Meta Pixel in September 2024. Some browsers have either already deployed countermeasures or are slated to: Chrome version 137 (released in late May) blocks the technique, DuckDuckGo has deployed a blocklist that minimizes the impact, and all Brave versions since 2022 are not impacted as localhost communications require user consent. Firefox says that it will add countermeasures as a forthcoming update to version 139.
Meta called the user tracking issue a “potential miscommunication regarding the application of (Google’s) policies,” but has stopped its Pixel scripts from sending data to localhost since the day after the Local Mess report was published. Yandex has also said that it is pausing the practice and is in touch with Google about the issue. Google responded to the report by saying that the technique is a violation of the terms of the Play Store and a betrayal of user trust.
The researchers say that the user tracking loophole is also at least theoretically possible with iOS, though the companies would have to find their way around more restrictive controls on localhost communications on Apple devices and that there are no signs of attempts at this as of yet. And they caution that developers might bypass new browser safeguards by updating the technique to use a different port, a matter they say is relatively simple.
Ted Miracco, a mobile cybersecurity expert and CEO of Approov, notes that this could also result in regulatory action being taken against Google due to violation of data privacy requirements in the EU (among other regions): “This technique represents a deliberate circumvention of established privacy safeguards, undermining cookie deletion, incognito browsing, and the fundamental separation between browser and app activity. By facilitating persistent cross-context tracking without user knowledge or consent, Meta appears to be in direct violation of key provisions of the GDPR, CCPA, and ePrivacy Directive. Given Meta’s history, this warrants immediate regulatory scrutiny and reinforces the urgent need for stronger enforcement of data protection standards.”
