Researchers have uncovered that tracking code embedded by Meta and the Russia-based Yandex in millions of websites is effectively de-anonymizing visitors. It does so by abusing legitimate Internet protocols, causing browsers like Chrome to send unique identifiers to native applications installed on users' devices. Google has confirmed that it is investigating this abuse, which enables both companies to convert temporary web identifiers into persistent mobile app user identities.
The covert tracking methodologies employed by Meta Pixel and Yandex Metrica allow these companies to circumvent critical security and privacy protections integrated into the Android operating system and its browsers. For instance, Android sandboxing is designed to isolate processes, preventing interaction with the OS or any other installed applications. This isolation is crucial for safeguarding sensitive data and privileged system resources.
Defensive measures like state partitioning and storage partitioning are built into all major browsers, ensuring that site cookies and data associated with a website are stored in unique containers, inaccessible to other sites. However, the tracking methods employed by Meta and Yandex effectively breach these fundamental security principles.
Narseo Vallina-Rodriguez, one of the researchers involved in this discovery, emphasized the significance of sandboxing in both web and mobile systems. “What this attack vector allows is to break the sandbox between the mobile context and the web context,” he stated. This breach enables the Android system to communicate browser activities with identities tied to mobile applications.
The tracking bypasses, which Yandex initiated in 2017 and Meta began in September 2022, facilitate the transmission of cookies or identifiers from Firefox and Chromium-based browsers to native Android applications such as Facebook and Instagram. Consequently, these companies can link extensive browsing histories to the accounts of users logged into their apps.
This invasive tracking practice seems to be limited to Android users, with evidence indicating that Meta Pixel and Yandex Metrica are predominantly targeting this user base. There is a possibility that similar tactics could be employed against iOS users since browsers on that platform allow developers to create programmatic localhost connections that apps can monitor. However, Android offers fewer restrictions on local communications, making it easier for these trackers to function effectively.
Meta Pixel and Yandex Metrica are analytics tools designed to assist advertisers in evaluating the effectiveness of their campaigns. They are estimated to be installed on 5.8 million and 3 million websites, respectively. The methods used to bypass protections exploit basic functionality in modern mobile browsers that permits browser-to-native-app communication.
The researchers noted that both Meta Pixel and Yandex Metrica misuse protocol functionality to gain unauthorized access to localhost ports on the 127.0.0.1 IP address. This access allows the tracking scripts to send web requests containing identifiers to the local ports, which are monitored by Facebook, Instagram, and Yandex applications. These apps can then associate pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ online activities.
A representative from Google stated that the behavior exhibited by Meta and Yandex violates the terms of service of its Play marketplace and the privacy expectations of Android users. “These capabilities are being misused in ways that blatantly contravene our security and privacy principles,” the representative mentioned. Google has taken steps to mitigate these invasive techniques and has initiated its own investigation while engaging with the implicated parties.
In response to the allegations, Meta has expressed its intention to address potential miscommunication regarding Google’s policies. The company has paused the contentious feature while collaborating with Google to resolve the identified issues. Yandex has yet to respond to requests for comment.
The researchers detailed how Meta Pixel initiated covert listening practices beginning in September 2022 by triggering HTTP requests to port 12387. Although the tracking scripts ceased sending data shortly thereafter, Facebook and Instagram applications continued to monitor this port. By November, Meta Pixel had transitioned to a new method utilizing WebSocket, a two-way communication protocol, over the same port.
This involved a complex technique known as SDP munging, which manipulates Session Description Protocol data before transmission. This method allows the browser to send identifiers as part of a STUN request to localhost on the Android device, where the Facebook or Instagram app can access them and link them to the user’s account.
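For site owners and auditors who want to check whether third-party scripts on their pages contact the local device, the following added example (not code from the researchers or from either company) scans an exported browser request log for public pages that send HTTP or WebSocket requests to loopback addresses. The log field names, domains and sample entries are assumptions constructed for illustration; the STUN path described above does not surface as a request URL and is not covered.

```javascript
// Added example (not from the researchers): flag page-to-loopback requests.
// Log fields (pageUrl, requestUrl, initiator) are an assumed export format.
const WEB_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// True when the host names the device itself: localhost, 127.0.0.0/8 or ::1.
// URL parsing has already canonicalised IPv4 literals for these schemes.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return m !== null && Number(m[1]) === 127;
}

// Returns one finding per request that a non-local page sent to loopback.
function findLoopbackRequests(entries) {
  const findings = [];
  for (const e of entries) {
    let page, dest;
    try {
      page = new URL(e.pageUrl);
      dest = new URL(e.requestUrl);
    } catch {
      continue; // unparseable entry: nothing to classify
    }
    if (!WEB_SCHEMES.has(dest.protocol)) continue;
    if (isLoopbackHost(page.hostname)) continue; // local dev page, expected
    if (!isLoopbackHost(dest.hostname)) continue;
    const secure = dest.protocol === "https:" || dest.protocol === "wss:";
    findings.push({
      page: page.origin,
      transport: dest.protocol.startsWith("ws") ? "websocket" : "http",
      port: dest.port || (secure ? "443" : "80"),
      initiator: e.initiator || "unknown",
    });
  }
  return findings;
}

// Constructed sample log; port 12387 is the one the article names.
const SAMPLE_LOG = [
  { pageUrl: "https://shop.example/cart", requestUrl: "https://cdn.example/app.js", initiator: "parser" },
  { pageUrl: "https://shop.example/cart", requestUrl: "http://127.0.0.1:12387/?id=CONSTRUCTED", initiator: "pixel.js" },
  { pageUrl: "https://news.example/", requestUrl: "ws://localhost:12387/", initiator: "pixel.js" },
  { pageUrl: "https://news.example/", requestUrl: "http://[::1]:12387/", initiator: "pixel.js" },
  { pageUrl: "http://localhost:3000/", requestUrl: "http://localhost:3000/api", initiator: "app.js" },
];

console.log(findLoopbackRequests(SAMPLE_LOG));
```

Each finding names the page origin, the transport, the loopback port and the script that initiated the request, which is enough to trace the behaviour back to a specific third-party tag.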
Some Android browsers, such as DuckDuckGo, have already started blocking domains and IP addresses associated with these invasive trackers, effectively preventing the transmission of identifiers to Meta. The Brave browser has also implemented measures to block identifier sharing due to its comprehensive blocklists. Additionally, Vivaldi has settings that can be adjusted to prevent browsing history leakage.
While the current mitigations are effective, researchers warn that they could become obsolete. “Any browser using blocklisting will likely enter into a constant arms race,” Vallina-Rodriguez cautioned, stressing that the ideal solution lies in designing robust privacy and security controls for localhost channels, enabling users to manage and limit such communications.
Researchers advocate for a fundamental overhaul of how Android manages access to local ports. “The unrestricted access to localhost sockets on Android is a significant vulnerability. Users currently lack the means to prevent this type of communication on their devices,” Vallina-Rodriguez explained.
As the situation evolves, the collective efforts of browser developers and security researchers will be critical in establishing long-term solutions to combat the de-anonymization tactics employed by Meta and Yandex and to enhance the overall privacy and security of users.