Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.
Useless article, but at least they link the source: localmess.github.io
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.
These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.
📢 UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.
einkorn@feddit.org 3 weeks ago
Well, it’s always been a cat and mouse game.
Just earlier today, I got a pop-up on YouTube about how they would block me after 3 videos because I use an ad blocker. Jump to now and everything is fine again. Thank you, uBlock Origin!
Kerb@discuss.tchncs.de 3 weeks ago
they still try that?
i can’t remember the last time i have seen one of those warnings.
cygnus@lemmy.ca 3 weeks ago
I’m guessing you use Firefox? It’s much better at evading that tracking.
UnderpantsWeevil@lemmy.world 3 weeks ago
The business cycle dictates that companies try to re-implement bad ideas every six months to two years.
If the idea was good, they’d have implemented it and made their money. Only bad ideas are still ripe for exploitation and new economic growth, because you haven’t had someone as smart as me to make them work right.
Sixtyforce@sh.itjust.works 3 weeks ago
Google doesn’t do global roll outs with their updates. The anti adblock stuff especially. They target only some % of randomly selected users to spread confusion online, and I would guess their hope is to frustrate people into disabling ad blockers on Youtube after reading a bunch of misinformation and placebo bad advice when looking for tech support.
raltoid@lemmy.world 3 weeks ago
Fair warning: Last week my account was seemingly shadowbanned, and now gets “This content isn’t available” on every video.
Logging out plays videos, making a new brand account worked, etc. and no notification from youtube.
limerod@reddthat.com 3 weeks ago
You were shadowbanned for watching youtube in a web browser with adblock? Sounds excessive.
Snowpix@lemmy.ca 3 weeks ago
If you happen to use BlockTube, disable it. It’s currently triggering the adblock detection.