Comment on Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica
General_Effort@lemmy.world 3 days ago
Useless article, but at least they link the source: localmess.github.io
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.
These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.
📢 UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.
pineapplepizza@lemm.ee 2 days ago
Thanks for the update, pitchforks down people. Let’s go back to blindly trusting these anti consumer cabals.
General_Effort@lemmy.world 2 days ago
I almost didn’t copy the update because my focus was on the technical background. I did a double-check before submitting, if I caught the gist correctly, and decided that people would probably want to know that the report triggered that change.