
Covert Web-to-App Tracking via Localhost on Android

450 points, by sebastian_z, last Tuesday at 12:12 PM | 299 comments

Comments

tomhow, last Wednesday at 5:50 AM

Also:

Meta pauses mobile port tracking tech on Android after researchers cry foul: https://www.theregister.com/2025/06/03/meta_pauses_android_t...

merek, last Tuesday at 1:39 PM

This is the overall process used by Meta as I understand it, taken from https://localmess.github.io/:

1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.

2. User visits website on the phone's browser, say something-embarassing.com, which happens to have a Meta Pixel embedded. From the article, Meta Pixel is embedded on over 5.8 million websites. Even in In-Cognito mode, they will still get tracked.

3. Website might ask for user's consent depending on location. The article doesn't elaborate, presumably this is the cookie banner that many people automatically accept to get on with their browsing?

4. > The Meta Pixel script sends the _fbp cookie (containing browsing info) to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.

You won't see this in your browser's dev tools.

5. Through the logged-in app, Meta can now associate the "anonymous" browser activity with the logged-in user. The app relays _fbp info and user id info to Meta's servers.

Also noteworthy:

> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.

> On or around May 17th, Meta Pixel added a new method to their script that sends the _fbp cookie using WebRTC TURN instead of STUN. The new TURN method avoids SDP Munging, which Chrome developers publicly announced to disable following our disclosure. As of June 2, 2025, we have not observed the Facebook or Instagram applications actively listening on these new ports.

voidUpdate, last Tuesday at 12:46 PM

I wish we could just ban advertising and tracking on the internet. I feel like so much crap these days has come out of it, all so that CEOs can afford an extra yacht

orbital-decay, last Tuesday at 12:36 PM

Actual report: https://localmess.github.io/

>Google says it's investigating the abuse

That's a bit ironic, considering how they're using any side channel they could lay their hands on (e.g. Wi-Fi AP names) to track everyone. Basically every large app vendor with multiple apps does something similar to circumvent OS restrictions as well.

bnpxft, last Tuesday at 2:55 PM

Another reason not to install big tech's apps and only use their websites if you must.

Not only are their websites painful, which discourages use; websites are also more sandboxed.

b0a04gl, last Wednesday at 10:41 AM

webrtc was supposed to be for real-time comms, not fingerprinting people based on what random apps they have running on localhost. the fact that a browser sandbox still leaks this info is wild. like, you’re telling me port 43800 says more about me than a cookie ever could? and of course, this all runs under the radar—no prompt, no opt-in, just “oh hey, we’re just scanning your machine real quick.” insane. might as well call it metascan™.

kinda makes me nostalgic for simpler times—when tracking meant throwing 200 trackers into a <script> tag and hoping one stuck. now it’s full-on black ops.

i swear, i’m two updates away from running every browser in a docker container inside a faraday cage.

kriro, last Tuesday at 1:49 PM

The EU should set some record breaking fines for this.

Maybe it's time to invent a tax that starts at 0% and goes up 1-X% every time your hand is caught in the cookie jar. And add a corresponding website where you can clearly see all violations by company.

dylan604, last Tuesday at 1:55 PM

> *: Meta Pixel script was last seen sending via HTTP in Oct 2024, but Facebook and Instagram apps still listen on this port today. They also listen on port 12388 for HTTP, but we have not found any script sending to 12388.

> **: Meta Pixel script sends to these ports, but Meta apps do not listen on them (yet?). We speculate that this behavior could be due to slow/gradual app rollout.

So, could some other app send data to these ports with a fake message? I'm asking for a friend that likes to do things for science.

GrantMoyer, last Tuesday at 1:17 PM

Would an individual using this technique to collect information from someone else's computer possibly face prosecution under the Computer Fraud and Abuse act?

bravesoul2, last Tuesday at 2:23 PM

Can this cross profiles? That would be a big security issue for corps.

Quick test and if I serve on 8080 on the Userland app it can be accessed from both profiles. So probably yes.

This means an infected app on your personal profile could exchange data with a site visited from a second profile.

chedabob, last Tuesday at 7:44 PM

Does the Yandex HTTPS one mean they're shipping the private key for their cert in the app, therefore anything running on localhost (or on a network with poisoned DNS) can spoof the yandexmetrica site?

There is a cert for it in the logs: https://crt.sh/?q=yandexmetrica.com

lgats, last Tuesday at 2:27 PM

I built a little lan tool https://router.fyi that tries to get LAN data for a sort of online-nmap. depending on your browser, it's sometimes capable of finding wifi printers and a couple other smart home devices i've manually added.

matthberg, last Tuesday at 1:48 PM

A comment I wrote in another HN thread [0] covering this issue:

Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install, it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.

There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors like shown in the article.

Ebay for example uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].

I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN intruding web requests that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.

That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane webRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.

0: https://news.ycombinator.com/item?id=44170099

1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...

2: https://nullsweep.com/why-is-this-website-port-scanning-me/

3: https://addons.mozilla.org/firefox/addon/port-authority

4: https://github.com/ACK-J/Port_Authority

5: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

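The rule behind the "Block Outsider Intrusion into LAN" list and Port Authority described in the comment above is small enough to write out. The following is an added example in Python, not code from uBlock Origin, Port Authority or any project named in the thread: given the initiator origin and the target URL of a request, it decides whether a page served from a public origin is reaching into loopback, link-local or private-network space. The `should_block` / `is_local_host` names and the hostname list are assumptions of this example; the per-domain exemptions the comment mentions are deliberately left out.

```python
"""Outsider-to-LAN request check (added example; not the extensions' own code).

A web-request filter sees each request together with the origin that issued
it.  The policy modelled here is the one the comment describes: a request is
blocked when a non-local initiator targets a local address.  Only literal IP
addresses and well-known local names can be judged without a DNS lookup, so a
public DNS name that happens to resolve to 192.168.x.x is out of scope here.
"""
import ipaddress
from urllib.parse import urlsplit

# Names that are local by convention (assumed list for this example).
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "broadcasthost"}


def is_local_host(host: str) -> bool:
    """True for loopback, link-local, private or unspecified addresses and
    for localhost-style names (including *.localhost and mDNS *.local)."""
    host = host.strip("[]").lower().rstrip(".")
    if host in LOCAL_HOSTNAMES or host.endswith((".localhost", ".local")):
        return True
    try:
        # Drop an IPv6 zone id such as "%wlan0" before parsing.
        ip = ipaddress.ip_address(host.split("%")[0])
    except ValueError:
        return False  # a DNS name; without resolution we cannot tell
    return ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified


def should_block(initiator: str, url: str) -> bool:
    """Block when a page from a non-local origin targets a local address.

    initiator: origin of the document that issued the request ("" if none).
    url:       the request URL.
    """
    target = urlsplit(url).hostname
    if not target or not is_local_host(target):
        return False  # public target: not this filter's concern
    if not initiator:
        return False  # typed-in URL, extension or app request: leave alone
    origin = urlsplit(initiator).hostname
    if origin is None:
        return False
    # Local page talking to a local service (a dev server, a printer UI) is fine;
    # a public page probing localhost or the LAN is the outsider intrusion.
    return not is_local_host(origin)


if __name__ == "__main__":
    # Constructed sample requests, in the shape a webRequest listener would see.
    samples = [
        ("https://shop.example.com", "http://127.0.0.1:12387/"),
        ("https://shop.example.com", "ws://localhost:6463/"),
        ("https://shop.example.com", "http://[::1]:8080/"),
        ("https://shop.example.com", "https://api.example.com/"),
        ("http://192.168.0.5:3000", "http://localhost:8000/"),
    ]
    for initiator, url in samples:
        verdict = "BLOCK" if should_block(initiator, url) else "allow"
        print(f"{verdict:5} {initiator!r:30} -> {url}")
```

As the comment suspects, this check only applies to traffic that passes through the extension request API (HTTP, HTTPS, WebSocket); a WebRTC connection's STUN and TURN packets are emitted by the browser's media stack and never appear as web requests, so a filter of this shape does not see them.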
1vuio0pswjnm7, last Tuesday at 11:03 PM

Firefox about:config toggle media.peerconnection.enabled from true to false

Further, Netguard plus Nebulo in non-VPN mode can stop unwanted connections to Meta servers

paxys, last Tuesday at 1:55 PM

All apps + the web browser being able to communicate freely over a shared localhost interface is such a glaring security hole that I'm surprised both iOS and Android allow it. What even is a legitimate use case for an app starting a local web server?

neilv, last Tuesday at 9:00 PM

Of course the ID was easy to abuse, and I assume Google knew this, and also knew they'd need to have rules against abuse... and that they'd need to back up the rules with penalties, like Play Store permaban, legal action for damages, and maybe even referral for criminal investigation (CFAA violation?).

Unfortunately, even if they did have such rules, in this case, Meta is a too-big-to-deplatform tech company.

(Also, even if it wasn't Meta, sketchy behavior of tech might have the secret endorsement of IC and/or LE. So, making the sketchiness stop could be difficult, and also difficult to talk about.)

jedahan, last Wednesday at 1:03 PM

I love how the engineers and product managers who implemented this are not held responsible in any meaningful way.

josephcsible, last Tuesday at 5:17 PM

Why don't all browsers, desktop and mobile, just block all cross-origin access to localhost?

red_admiral, last Wednesday at 10:04 AM

Sounds like loading from the domains serving the meta pixel should be blockable in the first place.

Aissen, last Tuesday at 2:46 PM

Love the url slug: headline-to-come. It now redirects to a more boring one though.

barbazoo, last Tuesday at 2:28 PM

Probably hard to do for many but the solution seems be not to have their apps installed. It’s crazy to me that people tolerate FB et al on their devices where you have absolutely no control over what they’re doing.

tomhow, last Tuesday at 9:46 PM

We changed the URL from https://arstechnica.com/security/2025/06/meta-and-yandex-are... which is a report about this disclosure.

never_inline, last Wednesday at 11:12 AM

It actually bothers me it took so long to be discovered.

ugh123, last Tuesday at 10:26 PM

No doubt, whatever "vulnerability" is found, you have already agreed to it in some buried TOS.

Yizahi, last Wednesday at 10:11 AM

And with all that tracking and spying on me, plus a boatload of voluntarily submitted data, Facebook still can't/won't show me any relevant advertising. I mean, even from the corpo point of view. Whenever I open my feed to read something, I see a boatload of complete garbage ads. Like, they are neither enticing to me nor are they promoting something corpos may want to shove in my face so I would remember, like some Coca-Cola or whatever product. But no, they have nothing.

I've just opened my feed in FB and let's see what ads will be today:

Group Dull Men's Club - some garbage meme dump, neither interesting nor selling any product or service.

Women emigrant group - I'm a male and in different location.

Rundown - some NN generated slop about NN industry

Car crash meme group from a different location.

Math picture meme group

LOTR meme group

Photo group with a theme I'm not interested

Repeat of the above

Another meme group

Roland-Garros page - I've never watched tennis or written about it. My profile has follows of different sport pages altogether. None of those rise in the ads.

Another fact/meme group

Repeat

Repeat

Another fact/meme group

Expat group from incorrect location

And so on it goes. Like, who pays for all this junk? Who coordinates targeting? Why do they waste both their and my capacity for something that useless both for me and Facebook? I would understand if FB had ads of products/services, or something that loosely follows my likes. But what they have is a total 100% miss. It's mindboggling.

pabs3, last Tuesday at 12:57 PM

I'm surprised browsers don't isolate each of the localhost/localnet/internet networks from each other. Are there any use-cases for allowing this?

ggeorgovassilis, last Wednesday at 5:06 AM

I'm using RethinkDNS as a combined firewall and wireguard VPN. I added these two block rules:

127.0.0.0/8

::1/128

I'll update here with any issues.

octo888, last Wednesday at 10:14 AM

I'm incredibly glad this isn't occurring in the UK + EU, because GDPR and the huge fines levied against Meta in the past have scared them sufficiently into not doing this kind of behaviour.

lachlan_gray, last Tuesday at 2:22 PM

Is there a similar thing on iOS? I always wonder when a random app asks to “find devices on my network”

dmantis, last Tuesday at 2:39 PM

Does that work across profiles? I have to use some apps from such spyware oriented companies and usually put them in isolated profile with shelter.

I wonder whether local ports opened in isolated "work" android profile are accessible by main profile.

rvnx, last Tuesday at 12:28 PM

Not surprising, it's legal, but only if you are a multi-billion dollar company.

jeroenhd, last Tuesday at 1:14 PM

A quite obvious attack mechanism, I'm surprised browsers permitted this in the first place. I can't think of a reason to STUN/TURN to localhost. Aside from localhost, trackers can also use all other IP addresses available to the browser to bind their apps/send traffic to.

Now that the mechanism is known (and widely implemented), one could write an app to notify users about attempted tracking. All you need to do is to open the listed UDP ports and send a notification when UDP traffic comes in.

For shit and giggles I was pondering if it was possible to modify Android to hand out a different, temporary IPv6 address to every app and segment off any other interface that might be exposed just because of shit like this (and use CLAT or some fallback mechanism for IPv4 connectivity). I thought this stuff was just a theoretical problem because it would be silly to be so blatant about tracking, but Facebook proves me wrong once again.

I hope EU regulators take note and start fining the websites that load these trackers without consent, but I suspect they won't have the capacity to do it.

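merek's step list earlier in the thread describes the channel (a logged-in app listening on fixed localhost UDP ports, the Pixel script delivering the _fbp cookie over WebRTC STUN, later TURN), and jeroenhd proposes the obvious defensive counterpart: bind those ports yourself and alert when anything arrives. The following is an added example in Python of that detector, not code from the report, from Meta or from any extension named in the thread. It binds the ports the quoted report lists (12580-12585) on 127.0.0.1, decodes each datagram as a STUN message (RFC 5389 header layout, with the TURN Allocate method from RFC 5766), and prints what was delivered. In ICE, the username fragment that munged SDP sets ends up in the STUN USERNAME attribute of connectivity checks (RFC 8445), so that attribute is decoded and shown; the function names, the sample username and the packet builder used for self-checks are constructs of this example.

```python
"""Localhost STUN/TURN detector (added example; not the report's or any app's code).

Binds the UDP ports named in the report, parses anything that arrives as a
STUN message, and reports method, class, transaction id and USERNAME so the
user sees an attempted web-to-app hand-off instead of an app silently
consuming it.  Run it while the tracking app is *not* running: if the app
already holds a port, the bind fails and that is reported too.
"""
import select
import socket
import struct
from typing import Optional

WATCH_PORTS = range(12580, 12586)  # ports quoted from the report

STUN_MAGIC = 0x2112A442
METHODS = {0x001: "Binding", 0x003: "Allocate"}  # RFC 5389 / RFC 5766 (TURN)
CLASSES = {0b00: "request", 0b01: "indication", 0b10: "success", 0b11: "error"}
ATTR_USERNAME = 0x0006  # ICE carries "remote-ufrag:local-ufrag" here (RFC 8445)


def parse_stun(data: bytes) -> Optional[dict]:
    """Decode a STUN message; return None if the datagram is not STUN."""
    if len(data) < 20:
        return None
    msg_type, length, magic = struct.unpack("!HHI", data[:8])
    if magic != STUN_MAGIC or msg_type & 0xC000 or len(data) != 20 + length:
        return None
    # The 14-bit type interleaves method bits M11..M0 with class bits C1, C0:
    # M11..M7 C1 M6..M4 C0 M3..M0
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    info = {
        "method": METHODS.get(method, f"0x{method:03x}"),
        "class": CLASSES[cls],
        "txid": data[8:20].hex(),
        "username": None,
    }
    pos = 20
    while pos + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        if pos + 4 + attr_len > len(data):
            break  # truncated attribute; stop rather than mis-read
        value = data[pos + 4:pos + 4 + attr_len]
        if attr_type == ATTR_USERNAME:
            info["username"] = value.decode("utf-8", "replace")
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
    return info


def build_request(method: int, txid: bytes, username: Optional[str] = None) -> bytes:
    """Build a STUN request (class 0) from constructed values, for self-checks."""
    body = b""
    if username is not None:
        raw = username.encode()
        body += struct.pack("!HH", ATTR_USERNAME, len(raw)) + raw + b"\x00" * (-len(raw) % 4)
    msg_type = (method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC) + txid + body


def describe(data: bytes, dst_port: int, src_port: int) -> str:
    """One log line for a datagram received on dst_port from 127.0.0.1:src_port."""
    info = parse_stun(data)
    if info is None:
        return f"udp/{dst_port} <- :{src_port} {len(data)} bytes, not STUN"
    line = f"udp/{dst_port} <- :{src_port} STUN {info['method']} {info['class']} txid={info['txid']}"
    if info["username"]:
        line += f" username={info['username']!r}"
    return line


def watch(ports=WATCH_PORTS, host="127.0.0.1") -> None:
    """Bind every watched port and print a line for each datagram that arrives."""
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.bind((host, port))
            socks.append(s)
        except OSError as exc:  # some other process already listens here
            print(f"udp/{port} already bound by another process: {exc}")
            s.close()
    print("watching", [s.getsockname()[1] for s in socks])
    while socks:
        ready, _, _ = select.select(socks, [], [])
        for s in ready:
            data, (_, src_port) = s.recvfrom(4096)
            print(describe(data, s.getsockname()[1], src_port))


if __name__ == "__main__":
    # Self-check on a constructed packet, then start watching.
    sample = build_request(0x001, bytes(range(12)), "fb.1.1700000000.12345:browser")
    print(describe(sample, 12580, 40000))
    watch()
```

The bind failure path is itself a useful signal: on a device where the tracking app is installed and running, the detector will report which of the listed ports are already held, without the user having to know which process owns them.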
username135, last Tuesday at 2:29 PM

Simple question: would disabling apps from running in the background prevent this? Or, more simply, not staying logged into an app on your phone?

qwertox, last Tuesday at 12:54 PM

"UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed."

I'm surprised they're allowed to listen on UDP ports, IIRC this requires special permissions?

> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.

Borders on criminal behavior.

Apparently this was a European team of researchers, which would mean that Meta very likely breached the GDPR and ePrivacy Directive. Let's hope this gets very expensive for Meta.

hofrogs, last Tuesday at 3:51 PM

Doing something like this should result in Meta and such being legally annihilated. But nothing will happen, as usual.

aembleton, last Tuesday at 2:36 PM

Sounds like blocking these tracking scripts using uBlockOrigin probably prevents this. Another reason to use uBlockOrigin.

Xiol32, last Tuesday at 12:50 PM

Crap like this is why I haven't had the Facebook or Instagram apps installed for years. I still have accounts, but I only visit them via the browser.

hereme888, last Wednesday at 4:11 AM

Facebook is stealing people's data? No way.

I hope a judge gives them a warning.

qwertox, last Tuesday at 5:00 PM

I wonder if companies like Wetter Online (from whom we know that they're selling the location data to brokers [0]) or ad service providers which offer libraries do the same.

If it were so, Google should knowingly be allowing this to happen and be a co-conspirator. I mean, they surveil our devices as if it were their home. Impossible that they're not aware.

[0] https://netzpolitik-org.translate.goog/2025/databroker-files...

paxys, last Tuesday at 2:29 PM

If you are even mildly technical you NEED to have a Pihole + Tailscale setup on your home network and all devices. Block all this malware at the root.

bravesoul2, last Tuesday at 1:54 PM

So Meta apps are spyware. And Zuck again has got his finger in his mouth and a cat on his lap.

neuroticnews25, last Tuesday at 1:03 PM

To me it's weird that they're willing to misuse browser APIs so blatantly for interprocess communication, when, as I understand it, server-side correlation using a combination of IP, battery level and screen dimensions probably already gets them 95% of the surveillance capability.

jurgenkesker, last Tuesday at 4:07 PM

Ah yes, and every small Android dev is banned from Play and Admob for tiny unknown reasons, with no recourse or way to communicate with Google. But Meta here probably won't get any problems at all. They should be temporarily banned!

maeil, last Tuesday at 3:30 PM

On many threads here regarding EU fines, I see the sentiment "The EU only fines US tech to make a quick buck!".

It could be an idea to, you know, stop doing these things. Would be great to see another few $billion fine for this one.

like_any_other, last Tuesday at 2:15 PM

A commenter mentioned [1] that major Russian apps now all ask for permission to read a unique device ID to deanonymize users. The people that stopped Intel from adding such an ID to their CPUs had perfect foresight [2] (too bad later Intel added it anyway). But then it's not hard to guess that if you include a feature whose purpose is to attack the user, it will be used to attack the user.

[1] https://arstechnica.com/security/2025/06/meta-and-yandex-are...

[2] https://en.wikipedia.org/wiki/Pentium_III#Controversy_about_...

lostmsu, last Tuesday at 12:49 PM

This just reinforced the use of uMatrix. Governments should mandate browser vendors to implement any standards gorhill might come up with.

captn3m0, last Tuesday at 3:02 PM

Another similar tracking vector that lets any app detect all installed apps by using android.intent.action.MAIN Query: https://support.google.com/googleplay/android-developer/thre... without the QUERY_ALL_PACKAGES permission.

No response from Google. Being used by dozens of apps in the wild.

Edit: Original Research link: https://peabee.substack.com/p/everyone-knows-what-apps-you-u... (HN: https://news.ycombinator.com/item?id=43518866 , 482 comments)

worik, last Tuesday at 8:10 PM

This is yet another reason for installing very few apps

robin_reala, last Tuesday at 2:29 PM

Can you imagine the mental hoops you’d need to jump through as a developer to persuade yourself that this is a valid thing to implement?
