AT2k Design BBS Message Area

Local Database: Slashdot [403 / 477]
From: VRSS
To: All
Subject: Meta and Yandex Are De-Anonymizing Android Users' Web Browsing I
Date/Time: June 3, 2025 4:20 PM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: Meta and Yandex Are De-Anonymizing Android Users' Web Browsing Identifiers

Link: https://yro.slashdot.org/story/25/06/03/20525...

"It appears as though Meta (aka: Facebook's parent company) and Yandex have
found a way to sidestep the Android Sandbox," writes Slashdot reader
TheWho79.

Researchers disclose the novel tracking method in a report:

We
found that native Android apps -- including Facebook, Instagram, and several
Yandex apps including Maps and Browser -- silently listen on fixed local
ports for tracking purposes. These native Android apps receive browsers'
metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts
embedded on thousands of web sites. These JavaScripts load on users' mobile
browsers and silently connect with native apps running on the same device
through localhost sockets. As native apps access programmatically device
identifiers like the Android Advertising ID (AAID) or handle user identities
as in the case of Meta apps, this method effectively allows these
organizations to link mobile browsing sessions and web cookies to user
identities, hence de-anonymizing users' visiting sites embedding their
scripts. This web-to-app ID sharing method bypasses typical privacy
protections such as clearing cookies, Incognito Mode and Android's permission
controls. Worse, it opens the door for potentially malicious apps
eavesdropping on users' web activity. While there are subtle differences in
the way Meta and Yandex bridge web and mobile contexts and identifiers, both
of them essentially misuse the unvetted access to localhost sockets.

The
Android OS allows any installed app with the INTERNET permission to open a
listening socket on the loopback interface (127.0.0.1). Browsers running on
the same device also access this interface without user consent or platform
mediation. This allows JavaScript embedded on web pages to communicate with
native Android apps and share identifiers and browsing habits, bridging
ephemeral web identifiers to long-lived mobile app IDs using standard Web
APIs.

This technique circumvents privacy protections like Incognito Mode,
cookie deletion, and Android's permission model, with Meta Pixel and Yandex
Metrica scripts silently communicating with apps across over 6 million
websites combined. Following public disclosure, Meta ceased using this method
on June 3, 2025. Browser vendors like Chrome, Brave, Firefox, and DuckDuckGo
have implemented or are developing mitigations, but a full resolution may
require OS-level changes and stricter enforcement of platform policies to
prevent further abuse.

---
VRSS v2.1.180528
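
An added example (not part of the Slashdot story or the researchers' report): a defender-side audit that parses a socket table in Linux /proc/net/tcp format and lists TCP listeners owned by installed apps that a browser on the same device could reach over loopback. The sample table, its ports and UIDs are constructed for illustration; how the table is captured from a device is left as an assumption.

```python
import ipaddress
import struct

TCP_LISTEN = 0x0A        # value of the "st" column for a listening socket
AID_APP_START = 10000    # Android gives installed apps UIDs from this value up

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10150        0 51300 1 0000000000000000 100 0 0 10 0
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20011 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:A1B2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51400 1 0000000000000000 20 4 30 10 -1
"""


def loopback_listeners(proc_net_tcp: str):
    """Return sorted (port, uid, bind_address) for app-owned TCP listeners
    reachable via 127.0.0.1. IPv4 only; tcp6 and UDP tables are not covered."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        ip_hex, port_hex = fields[1].split(":")
        state, uid = int(fields[3], 16), int(fields[7])
        # On little-endian devices the kernel prints the IPv4 address as a
        # little-endian 32-bit hex word, so 0100007F is 127.0.0.1.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(ip_hex, 16)))
        # A socket bound to 0.0.0.0 also accepts connections on loopback,
        # so wildcard binds are reported alongside explicit 127.x binds.
        reachable = ip.is_loopback or ip.is_unspecified
        if state == TCP_LISTEN and reachable and uid >= AID_APP_START:
            found.append((int(port_hex, 16), uid, str(ip)))
    return sorted(found)


if __name__ == "__main__":
    for port, uid, bind in loopback_listeners(SAMPLE):
        print(f"uid {uid} listens on {bind}:{port}")
```

Each reported UID still has to be mapped to its package name on the device before deciding whether the listener is expected.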