Security researchers have revealed that Meta and Yandex have been utilizing native Android applications to listen on localhost ports, enabling them to link web browsing data to user identities while circumventing standard privacy protections. Following these alarming disclosures, it was noted that Meta's Pixel script ceased sending data to localhost, leading to a significant reduction in the tracking code used in their applications. This decision could potentially help Meta evade scrutiny under Google Play policies, which explicitly prohibit covert data collection within apps.
In a statement to The Register, a Meta spokesperson commented, "We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue." However, the spokesperson did not provide further details regarding the ongoing discussions with Google.
In a comprehensive report released on Tuesday, a group of computer scientists from IMDEA Networks in Spain, Radboud University in the Netherlands, and KU Leuven in Belgium detailed how the prominent US social media company and the Russian search engine have been observed using native Android applications to collect web cookie data through the device's loopback interface, commonly known as localhost. This localhost interface is a loopback address that enables a device to make network requests to itself, frequently utilized by software developers to test server-based applications like websites.
The researchers—Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens—discovered that native Android applications such as Facebook, Instagram, and Yandex's Maps and Browser were silently listening on fixed local ports for tracking purposes. These apps receive browser metadata, cookies, and commands from the Meta Pixel and Yandex Metrica scripts that are embedded on thousands of websites. This means that in addition to tracking users across the web, these applications can access device identifiers like the Android Advertising ID, allowing the researchers to link mobile browsing sessions and web cookies back to individual user identities.
Essentially, by opening localhost ports, Meta and Yandex can receive tracking data such as cookies and browser metadata from scripts running in mobile browsers. This bypasses common privacy safeguards like cookie clearing, Incognito Mode, and Android's app permission system. Furthermore, this technique challenges the established norms surrounding first-party cookies, which are not expected to track browsing activity across different websites. According to the researchers, "the method we disclose allows the linking of different _fbp cookies to the same user, which bypasses existing protections and runs counter to user expectations."
In relation to Meta, this tracking process involves scripts associated with the Meta Pixel, an analytics tool used by marketers to gather data about user interactions with various websites. The researchers identified several APIs and protocols that could facilitate this app-web eavesdropping scheme, including SDP munging, WebSocket, WebRTC, STUN, and TURN methods.
The researchers elaborated on how Meta executes this strategy: when a user opens the Facebook or Instagram app, it runs a background service that listens for incoming traffic on specific TCP and UDP ports. This process requires users to be logged in to their accounts. When a user opens their browser and visits a website that integrates the Meta Pixel, the script may request user consent based on various factors such as location.
The Meta Pixel script then transmits the _fbp cookie to the native apps through protocols like WebRTC and SDP Munging. The apps subsequently send the _fbp value as a GraphQL mutation to Meta's servers, linking the user's web visit with their Facebook or Instagram account. Researchers noted that this technique began being implemented by Meta in September 2024, utilizing HTTP data transmission initially, but later shifting to other methods.
As of June 3rd, the researchers confirmed that the Meta/Facebook Pixel script was no longer sending any packets or requests to localhost, indicating a significant reduction in the tracking activities. The code responsible for sending the _fbp cookie had been nearly entirely removed. In contrast, Yandex's use of localhost-based tracking reportedly dates back to 2017.
The Register attempted to reach out to Yandex for comments concerning the researchers' findings but was met with an unresponsive inquiry. Following the report's disclosure to Android browser vendors, several mitigations have been initiated. Notably, Chrome 137, released on May 26, 2025, includes countermeasures designed to block the SDP Munging technique employed by Meta Pixel, although these are currently available only to a limited user group. A fix for Mozilla Firefox is also in development, while Brave remains unaffected due to its consent requirement for localhost use. Additionally, DuckDuckGo has adjusted its blocklist to prevent Yandex's scripts from running.
