Meta’s Secret Spyware: ‘Local Mess’ Hack Tracks You Across the Web
<h5 style="text-align: center;"><a href="#sbbwis"><img decoding="async" class="alignright size-full" title="Anthony Quintano (cc:by)" src="https://securityboulevard.com/wp-content/uploads/2025/06/meta-privacy-richixbw-quintanomedia-cc-by-130x90.png" alt="Facebook CEO Mark Zuckerberg announces the plan to make Facebook more private at Facebook’s Developer Conference on April 30, 2019" width="130" height="90"></a><strong>Zuckerberg’s privacy pledge revealed as ineffectual.</strong></h5><p><strong>Millions of websites are leaking <em>your</em> private information to Meta,</strong> the parent company of Facebook, Instagram, etc. By abusing Android browser features in ways that were never intended, Meta is tracking <em>you</em> all the way around the web—with neither disclosure nor oversight.<br><!--br--><br><strong>Incognito mode doesn’t stop it; neither does blocking third-party cookies.</strong> Russian tech giant Yandex is doing it too.<br><!--br--><br><strong>As soon as researchers disclosed the problem, Meta stopped it</strong>—for now. In today’s <a href="https://securityboulevard.com/tag/sb-blogwatch/" target="_blank" rel="noopener">SB Blogwatch</a>, we go live in a cave.<br><!--br--><br><a title="Richi Jennings" href="https://www.richi.uk/" target="_blank" rel="noopener">Your humble blogwatcher</a> curated these bloggy bits for your entertainment. 
Not to mention: <i>Impossible challenges</i>.<br><!--br--></p><h2>Farcebok</h2><p id="sbbw1"><strong>What’s the craic?</strong> Dan Goodin broke the story: <a title="read the full text" href="https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/" target="_blank" rel="ugc noopener">Meta and Yandex are de-anonymizing Android users’ web browsing identifiers</a></p><p style="padding-left: 40px;"><strong>“<tt>Blatantly violates our security and privacy principles</tt>”</strong><br>Covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. … Tracking code [in] millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device.<br>…<br>The bypass—which Yandex began in 2017 and Meta started last September—allows the companies to pass cookies or other identifiers from Firefox and Chromium-based browsers to native Android apps for Facebook, Instagram, and various Yandex apps. The companies can then tie that vast browsing history to the account holder logged into the app.<br>…<br>Google said the behavior violates [its] terms of service: “[Meta and Yandex] are using capabilities present in many browsers … in unintended ways that blatantly violate our security and privacy principles. We’ve already implemented changes to mitigate these invasive techniques.” … Meta didn’t answer emailed questions, … but provided the following statement: “We are in discussions with Google to address a potential miscommunication regarding … their policies. 
… We decided to pause the feature while we work with Google to resolve the issue.”<br><!-----------------------------------------------------------------------------></p><p id="sbbw2"><strong>Them’s a lot of words.</strong> Matt Horne 
breaks it down: <a title="read the full text" href="https://www.androidauthority.com/meta-yandex-android-tracking-3563736/" target="_blank" rel="ugc noopener">This Android loophole could have let your apps spy on your web browsing</a></p><p style="padding-left: 40px;"><strong>“<tt>Invasive</tt>”</strong><br>You’ve long been reassured that using incognito mode or clearing cookies on your Android device will help prevent advertisers from tracking your web activity. However, new research shows that this may not be true. [Meta and Yandex] can still learn what websites you’re visiting, … even in incognito mode. That’s a big problem because it circumvents most common privacy protections.<br>…<br>Meta began using this technique in late 2024, but Yandex has reportedly been doing so since 2017. … The vast majority of sites with these trackers begin collecting this data as soon as you land on the page. … If all this sounds invasive, that’s because … it is.<br><!-----------------------------------------------------------------------------></p><p id="sbbw3"><strong>Horse’s mouth?</strong> Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara and Tim Vlummens disclose what they’re calling “<a title="read the full text" href="https://localmess.github.io/" target="_blank" rel="ugc noopener">Local Mess</a>”</p><p style="padding-left: 40px;"><strong>“<tt>Bridging ephemeral 
web identifiers</tt>”</strong><br>We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. … This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.<br>…<br>[It] allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs. … Fully addressing the issue will require … user-facing controls to alert users about localhost access, stronger platform policies accompanied by consistent and strict enforcement actions to proactively prevent misuse, and enhanced security around Android’s interprocess communication (IPC) mechanisms, particularly those relying on localhost connections.<br>…<br>UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible … has been almost completely removed.<br><!-----------------------------------------------------------------------------></p><p id="sbbw4"><strong>In part, Meta’s JavaScript tracker abuses WebRTC, the browser’s real-time communication API, to reach the app over localhost.</strong> <a title="read the full text" href="https://news.ycombinator.com/item?id=44179276" target="_blank" rel="ugc noopener">b0a04gl</a> is incensed:</p><p style="padding-left: 40px;">WebRTC was supposed to be for real-time comms, not fingerprinting people based on what random apps they have running on localhost. The fact that a browser sandbox still leaks this info is wild. … And of course, this all runs under the radar—no prompt, no opt-in, just, “Oh hey, we’re just scanning your machine real quick.”<br>…<br>Kinda makes me nostalgic for simpler times—when tracking meant throwing 200 trackers into a &lt;script&gt; tag and hoping one stuck. Now it’s full-on black ops. 
I swear, I’m two updates away from running every browser in a Docker container inside a Faraday cage.<br><!-----------------------------------------------------------------------------></p><p id="sbbw5"><strong>Still, it’s great to hear Meta’s stopped doing it now, right? <i>Right???</i></strong> Wrong, thinks <a title="read the full text" href="https://forums.theregister.com/forum/all/2025/06/03/meta_pauses_android_tracking_tech/#c_5084028" target="_blank" rel="ugc noopener">DS999</a>:</p><p style="padding-left: 40px;">Meta … will either bring it back in a month after everyone has forgotten about it, or they have backup plans B, C and D to accomplish their tracking and they’ll switch to one of those. That’ll be good for a couple years until someone catches onto that scheme.<br><!-----------------------------------------------------------------------------></p><p id="sbbw6"><strong>But what can users do about it?</strong> <a title="read the full text" href="https://yro.slashdot.org/comments.pl?sid=23708925&cid=65425545" target="_blank" rel="ugc noopener">ukoda</a> has an easy fix:</p><p style="padding-left: 40px;">Don’t install those apps. … The easy fix is to not install the related native apps. Many years ago I looked at installing the Facebook app. That was back in the days when Android would list all the individual permissions the program required before doing the install. Back then I was shocked at the massive overreach of permission they were demanding so aborted the install and have never used social media apps on my phone, leaving that for Firefox.<br>…<br>Nowadays it comes as no surprise. 
It also comes as no surprise that most people—especially the younger ones—just don’t care and will happily give any company any info they want so they can keep endlessly scrolling through dross.<br><!-----------------------------------------------------------------------------></p><p id="sbbw7"><strong>Where’s the outrage?</strong> Here’s <a title="read the full text" href="https://arstechnica.com/civis/threads/meta-and-yandex-are-de-anonymizing-android-users%E2%80%99-web-browsing-identifiers.1507690/post-43767089" target="_blank" rel="ugc noopener">methodmadness00</a>’s sweary reax:</p><p style="padding-left: 40px;">****ing Meta — scummiest company on earth. Their entire business model depends on surveilling everyone, spreading and amplifying misinformation, stoking polarization, and generally making the world a much worse place. … This kind of malware-adjacent behavior is not even remotely shocking. … **** Zuck.<br><!-----------------------------------------------------------------------------></p><p id="sbbw8"><strong>Definitely avoid phones with preinstalled Meta apps.</strong> According to <a title="read the full text" href="https://www.reddit.com/r/Android/comments/1l2dqv7/comment/mvx01ly/" target="_blank" rel="ugc noopener">u/GolemancerVekk</a> <i>Local Mess</i> is only the start of it:</p><p style="padding-left: 40px;">Meta has, like, three apps that come preinstalled on new Android phones [from] Samsung. 
They’re system apps so permissions don’t apply to them and they can do a lot more things than normal apps.<br>— For one thing, they can install new apps and update apps without consent.<br>— Also, they can communicate with Meta apps that were installed normally and facilitate their access to private information, or bypass permissions they weren’t granted, or let them exchange information among themselves when they aren’t supposed to (for example across privacy profiles).<br><!-----------------------------------------------------------------------------></p><p id="sbbw9"><strong>Or, just switch to iPhone?</strong> <a title="read the full text" href="https://news.ycombinator.com/item?id=44177746" target="_blank" rel="ugc noopener">danieldk</a>’s got news for you:</p><p style="padding-left: 40px;">iOS sends data to metrics.apple.com, metrics.icloud.com, iadsdk.apple.com, etc. a lot. They are much better than Samsung, … but I am not convinced they are much better than Google devices. It’s more who you prefer sending your data to. 
In the end something like GrapheneOS is the only good choice: … All the security features of Pixel … and the tracking of neither.<br><!-----------------------------------------------------------------------------></p><p id="sbbw12"><strong>Meanwhile,</strong> this <a title="read the full text" href="https://forums.theregister.com/forum/all/2025/06/03/meta_pauses_android_tracking_tech/#c_5084044" target="_blank" rel="ugc noopener">Anonymous Coward</a> compares and contrasts, for context:</p><p style="padding-left: 40px;">It’s [the] sort of underhand behaviour you’d expect of authoritarian governments, not a social media company.<br><!-----------------------------------------------------------------------------></p><p><b><a title="And Finally" href="https://www.youtube.com/watch?v=CxX92BBhHBw&list=PL9zSC5i495YMjIuJjxToNGU8Ve7Gd5Rvj" target="_blank" rel="noopener"><em>Hey guys!</em> Maybe don’t try this at home.</a></b></p><p><a href="https://securityboulevard.com/2025/05/windows-update-open-richixbw/#sbbwaf" target="_blank" rel="noopener">Previously in <em>And Finally</em></a></p><hr><p><em>You have been reading <i>SB Blogwatch</i> by <a href="https://www.richi.uk/" target="_blank" rel="noopener">Richi Jennings</a>. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. 
Hate mail may be directed to <a href="https://twitter.com/richi" target="_blank" rel="ugc noopener">@RiCHi</a>, <a href="https://threads.net/@richij" target="_blank" rel="ugc noopener">@richij</a>, <a href="https://vmst.io/@richi" target="_blank" rel="ugc noopener">@richi@vmst.io</a>, <a href="https://bsky.app/profile/richi.bsky.social" target="_blank" rel="ugc noopener">@richi.bsky.social</a> or <a href="mailto:sbbw@richi.co.uk?subject=-sbbw-">sbbw@richi.uk</a>. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&amp;OE. 30.</em></p><p>Image sauce: <a href="https://www.flickr.com/photos/quintanomedia/46985052844" target="_blank" rel="noopener" name="sbbwis">Anthony Quintano</a> (<a title="Some rights reserved" href="https://creativecommons.org/licenses/by/2.0/" target="_blank" rel="ugc noopener">cc:by</a>; leveled and cropped)</p>
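<p><strong>A check to go with the <i>Local Mess</i> write-up quoted above.</strong> The researchers describe page JavaScript reaching native apps over localhost connections, partly via WebRTC. The JavaScript below is an added example, not code from the researchers, from Meta or Yandex, or from this blog: it classifies a page’s outgoing targets (HTTP, WebSocket and the ICE candidates inside SDP) and flags any that point at the loopback interface, first as pure functions run over a constructed request log, then as an optional hook that wraps <code>fetch</code>, <code>WebSocket</code> and <code>RTCPeerConnection</code> in a browser. The host names, ports and URLs in the sample log are made up for illustration, and the default base origin is likewise an assumption.</p>

```javascript
// Added example, not code from the Local Mess researchers, Meta, Yandex or this blog:
// flag page-side network activity aimed at the device's loopback interface, the
// web-to-app channel the Local Mess write-up describes. Host names and ports below
// are constructed for illustration, not taken from any real tracker.
const LOOPBACK_LITERALS = new Set(["localhost", "127.0.0.1", "::1", "[::1]", "0.0.0.0", "[::]"]);

// True when `host` names the loopback interface: the usual literals, the whole
// 127.0.0.0/8 block, and any *.localhost name (RFC 6761 reserves it for loopback).
function isLoopbackHost(host) {
  const h = String(host).toLowerCase().replace(/\.$/, "");
  return LOOPBACK_LITERALS.has(h) || h.endsWith(".localhost") ||
    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Classify an HTTP(S)/WebSocket URL the page is about to open: null for ordinary remote
// targets, else a record of the loopback connection. `base` resolves relative URLs as
// the browser would (the default page origin is an assumption for stand-alone runs).
function classifyUrl(rawUrl, base = "https://example.com/") {
  let u;
  try { u = new URL(String(rawUrl), base); } catch { return null; }
  if (!["http:", "https:", "ws:", "wss:"].includes(u.protocol)) return null;
  if (!isLoopbackHost(u.hostname)) return null;
  const secure = u.protocol === "https:" || u.protocol === "wss:";
  return { kind: u.protocol.startsWith("ws") ? "websocket" : "http",
           host: u.hostname, port: Number(u.port || (secure ? 443 : 80)) };
}

// WebRTC counterpart: pull ICE candidates out of an SDP blob (or one
// RTCIceCandidate.candidate string) and keep those whose address is loopback.
function loopbackCandidates(sdpOrCandidate) {
  const hits = [];
  for (const raw of String(sdpOrCandidate).split(/\r?\n/)) {
    const m = raw.trim().match(/^(?:a=)?candidate:\S+ \d+ (udp|tcp) \d+ (\S+) (\d+) typ (\S+)/i);
    if (!m) continue;
    const [, transport, address, port, type] = m;
    if (isLoopbackHost(address)) {
      hits.push({ kind: "webrtc", transport: transport.toLowerCase(), host: address, port: Number(port), type });
    }
  }
  return hits;
}

// Run both checks over a request log of {api, target} entries, the shape a DevTools
// export, proxy log or webRequest listener can be reduced to.
function scanRequestLog(entries) {
  const findings = [];
  for (const { api, target } of entries) {
    const hits = api === "webrtc" ? loopbackCandidates(target) : [classifyUrl(target)].filter(Boolean);
    for (const hit of hits) findings.push({ api, ...hit });
  }
  return findings;
}

// Constructed sample log: an ordinary tracker beacon, a WebSocket and an HTTP call to
// loopback, and an SDP offer with one loopback and one public-address candidate.
const SAMPLE_LOG = [
  { api: "fetch", target: "https://pixel.example.com/tr?ev=PageView" },
  { api: "websocket", target: "ws://localhost:40100/" },
  { api: "fetch", target: "http://127.0.0.1:40200/p?uuid=web-cookie-value" },
  { api: "webrtc", target: ["v=0",
      "a=candidate:1 1 udp 2122260223 127.0.0.1 40300 typ host",
      "a=candidate:2 1 udp 1686052607 203.0.113.5 50000 typ srflx raddr 0.0.0.0 rport 0"].join("\r\n") },
];

// Optional in-browser hook (DevTools console or a user script): wrap the APIs a tracker
// would use so loopback targets are reported before the request leaves the page. Each
// wrapper is guarded, so the pure functions above still load under Node for testing.
function installLoopbackMonitor(report = (f) => console.warn("loopback access", f)) {
  const g = globalThis;
  if (typeof g.fetch === "function") {
    const origFetch = g.fetch;
    g.fetch = function (input, init) {
      const url = typeof Request === "function" && input instanceof Request ? input.url : input;
      const hit = classifyUrl(url, g.location?.href);
      if (hit) report({ api: "fetch", ...hit });
      return origFetch.call(this, input, init);
    };
  }
  if (typeof g.WebSocket === "function") {
    g.WebSocket = class extends g.WebSocket {
      constructor(url, protocols) {
        const hit = classifyUrl(url, g.location?.href);
        if (hit) report({ api: "websocket", ...hit });
        super(url, protocols);
      }
    };
  }
  if (typeof g.RTCPeerConnection === "function") {
    g.RTCPeerConnection = class extends g.RTCPeerConnection {
      setLocalDescription(desc) { // local offer/answer, including any hand-edited SDP
        for (const hit of loopbackCandidates(desc?.sdp ?? "")) report({ api: "webrtc", ...hit });
        return super.setLocalDescription(desc);
      }
      addIceCandidate(cand) {     // remote candidate steering traffic to this device
        for (const hit of loopbackCandidates(cand?.candidate ?? "")) report({ api: "webrtc", ...hit });
        return super.addIceCandidate(cand);
      }
    };
  }
}
```

<p>Paste the whole block into a DevTools console and call <code>installLoopbackMonitor()</code> before the page’s trackers run (or load it as a user script at document start); under Node, <code>scanRequestLog(SAMPLE_LOG)</code> returns the three loopback findings from the constructed sample. The hook reports rather than blocks; to block, have a wrapper throw or return a rejected promise instead of calling through. Requests already in flight, WebRTC sessions whose candidates never name a loopback address, and channels that do not go through these three APIs will not show up, so treat a clean result as absence of evidence, not proof.</p>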