Android users tracked for years by Meta and Yandex

Meta and Yandex Used Android Loophole to Track Users

Meta and Yandex tracked the web activity of Android users for months (and in the case of Yandex, years) by exploiting a little-known vulnerability in the system. Both companies received identification data from users' browsers if the users had the corresponding applications installed on their devices.

Lifehacker writes about it.

How did the tracking process work?

The method relies on "localhost", the device's own loopback address, through which applications with Internet access can interact with the device's browser. Normally this is a technical function for internal system communication, but the researchers found that companies could obtain web browsing data through JavaScript scripts: Meta Pixel and Yandex Metrica.

These scripts were supposed to work only within websites, but thanks to the loophole, data (including cookies, session IDs, and behavioral information) was transmitted directly to Instagram, Facebook, Yandex Maps, and other applications. This means that even after a normal visit to a website with Meta Pixel, the installed application could receive your browser data without your knowledge or permission.

The vulnerable browsers were Chrome, Firefox, and Edge. DuckDuckGo blocked some domains, so it was minimally affected. The Brave browser did not allow such requests at all without user consent, so it was protected.

According to the study, Yandex started using this technique in 2017 on HTTP websites and in 2018 on HTTPS. Meta activated such tracking in September 2024, but stopped it in October. Later, they used other protocols, such as WebSocket and WebRTC.
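A defender can look for this pattern in a browser network capture. The following added example (not from the article or the researchers) scans a HAR export for requests that a public web page sends to loopback addresses over HTTP, HTTPS or WebSocket; the function names and the sample capture are constructed for illustration.

```javascript
// Added example: flag page-initiated requests to the loopback interface in a HAR capture.
const LOOPBACK_V4 = /^127(\.\d{1,3}){3}$/;

// True when the URL's host is the device itself (localhost, 127.0.0.0/8 or ::1).
function isLoopback(rawUrl) {
  let host;
  try {
    // The WHATWG parser also normalises forms such as http://2130706433/ to 127.0.0.1.
    host = new URL(rawUrl).hostname.toLowerCase();
  } catch {
    return false; // not a parseable absolute URL
  }
  return host === "localhost" || host.endsWith(".localhost") ||
         host === "[::1]" || LOOPBACK_V4.test(host);
}

// Returns one finding per loopback request made from a page that is not itself local.
function findLoopbackRequests(har) {
  const pages = new Map((har.log.pages || []).map((p) => [p.id, p.title]));
  const findings = [];
  for (const entry of har.log.entries || []) {
    const url = entry.request.url;
    if (!isLoopback(url)) continue;
    const page = pages.get(entry.pageref) || "(unknown page)";
    // A page served from loopback (local development) talking to itself is expected.
    if (isLoopback(page)) continue;
    const u = new URL(url);
    findings.push({ page, scheme: u.protocol.replace(":", ""), port: u.port || "(default)", url });
  }
  return findings;
}

// Constructed sample capture; hosts, ports and paths are illustrative only.
const SAMPLE_HAR = { log: {
  pages: [{ id: "page_1", title: "https://shop.example/cart" },
          { id: "page_2", title: "http://localhost:3000/dev" }],
  entries: [
    { pageref: "page_1", request: { url: "https://cdn.example/tracker.js" } },
    { pageref: "page_1", request: { url: "http://127.0.0.1:12345/sync?id=abc" } },
    { pageref: "page_1", request: { url: "wss://localhost:23456/" } },
    { pageref: "page_1", request: { url: "http://[::1]:34567/ping" } },
    { pageref: "page_2", request: { url: "http://localhost:3000/api/items" } },
  ] } };

console.log(findLoopbackRequests(SAMPLE_HAR));
```

WebRTC traffic does not appear in a HAR export, so this check covers only the HTTP, HTTPS and WebSocket variants mentioned above.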

Despite complaints from website owners that began to come to Meta in September, the company did not respond to them. This may indicate a deliberate disregard for the problem.

The researchers noted that technically, similar surveillance is possible on iOS, but Apple's restrictions on background processes probably prevented the implementation of such a practice on the iPhone. At least, there is no evidence of this yet.

As of June 5, researchers no longer observe Meta Pixel interacting with localhost. Yandex has promised to stop this practice, and Google has opened an investigation into actions that grossly violate the principles of security and privacy.

As a reminder, WhatsApp, which is owned by Meta, has once again caused a wave of discontent among users, this time due to the intrusive Meta AI button. Many have already dubbed it an "affront" to the app.

We also wrote that modern smartphones have long gone beyond the usual means of communication — they can become objects of covert surveillance. Spyware often leaves no obvious traces, so it's important to pay attention to indirect signs and suspicious behavior of the device.
