Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica
-
schrieb am 3. Juni 2025, 13:06 zuletzt editiert von
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Ars Technica (arstechnica.com)
-
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Ars Technica (arstechnica.com)
schrieb am 3. Juni 2025, 13:18 zuletzt editiert vonWell, it's always been a cat and mouse game.
Just earlier today, I got a pop-up on YouTube about how they would block me after 3 videos because I use an ad blocker. Jump to now and everything is fine again. Thank you, uBlock Origin!
-
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Ars Technica (arstechnica.com)
schrieb am 3. Juni 2025, 13:28 zuletzt editiert vonI am assuming all of this trash is blocked by uBlock Origin?
-
Well, it's always been a cat and mouse game.
Just earlier today, I got a pop-up on YouTube about how they would block me after 3 videos because I use an ad blocker. Jump to now and everything is fine again. Thank you, uBlock Origin!
schrieb am 3. Juni 2025, 13:46 zuletzt editiert vonthey still try that?
i can't remember the last time i have seen one of those warnings.
-
they still try that?
i can't remember the last time i have seen one of those warnings.
schrieb am 3. Juni 2025, 13:52 zuletzt editiert vonI'm guessing you use Firefox? It's much better at evading that tracking.
-
I am assuming all of this trash is blocked by uBlock Origin?
schrieb am 3. Juni 2025, 13:57 zuletzt editiert vonSeems like it's transferred through a cookie and javascript, so in theory you can block it with ublock or noscript and the like, but a sure way to block is to not have meta apps installed on your phone (or not signed in).
-
Seems like it's transferred through a cookie and javascript, so in theory you can block it with ublock or noscript and the like, but a sure way to block is to not have meta apps installed on your phone (or not signed in).
schrieb am 3. Juni 2025, 14:13 zuletzt editiert vonI don't have any Meta apps installed.
-
I don't have any Meta apps installed.
schrieb am 3. Juni 2025, 14:38 zuletzt editiert vonThat's the fun part. They come preinstalled!
-
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Ars Technica (arstechnica.com)
schrieb am 3. Juni 2025, 15:49 zuletzt editiert vonUseless article, but at least they link the source: https://localmess.github.io/
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.
These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.
UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.
-
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Ars Technica (arstechnica.com)
schrieb am 3. Juni 2025, 15:52 zuletzt editiert vonBlock all tracking scripts and use Firefox Nightly with ublock when possible.
-
I don't have any Meta apps installed.
schrieb am 3. Juni 2025, 15:53 zuletzt editiert vonNo WhatsApp?
-
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Ars Technica (arstechnica.com)
schrieb am 3. Juni 2025, 16:16 zuletzt editiert von eeyore_syndrome@sh.itjust.works 6. März 2025, 18:19 -
That's the fun part. They come preinstalled!
schrieb am 3. Juni 2025, 16:23 zuletzt editiert von umbrella@lemmy.ml.
-
Block all tracking scripts and use Firefox Nightly with ublock when possible.
schrieb am 3. Juni 2025, 16:26 zuletzt editiert vonNot sure about the "nightly" part (as opposed to beta or stable), but yes.
-
schrieb am 3. Juni 2025, 16:28 zuletzt editiert von grue@lemmy.world 6. März 2025, 18:29
Are you suggesting something like LineageOS is a better choice?
(Seriously asking: I've got a new-to-me Pixel that I'm looking to switch to a degoogled-ish ROM on, and Graphene and Lineage were the two front-runners.)
-
they still try that?
i can't remember the last time i have seen one of those warnings.
schrieb am 3. Juni 2025, 16:35 zuletzt editiert vonThe business cycle dictates that companies try to re-implement bad ideas every six months to two years.
If the idea was good, they'd have implemented it and made their money. Only bad ideas are still ripe for exploitation and new economic growth, because you haven't had someone as smart as me to make them work right.
-
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.
Ars Technica (arstechnica.com)
schrieb am 3. Juni 2025, 16:37 zuletzt editiert von rvtv95xbeo@sh.itjust.works 6. März 2025, 18:39We found that browsers such as Chrome, Firefox and Edge are susceptible to this form of browsing history leakage in both default and private browsing modes. Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost; and DuckDuckGo was only minimally affected due to missing domains in their blocklist.
Aside from having uBlock Origin and not having any Meta/Yandex apps installed, anyone aware of additional Firefox settings that could help shut this nonsense down?
-
I am assuming all of this trash is blocked by uBlock Origin?
schrieb am 3. Juni 2025, 16:39 zuletzt editiert vonEasyPrivacy should block Meta and Yandex pixels by default. If you have the knowledge you can put uBO in "hard mode" which will block all 3p connections. It requires you to know which CDNs to allow or websites will be broken.
-
No WhatsApp?
schrieb am 3. Juni 2025, 16:51 zuletzt editiert vonI'd nail my foot to the floor before I installed WhatsApp.
-
Are you suggesting something like LineageOS is a better choice?
(Seriously asking: I've got a new-to-me Pixel that I'm looking to switch to a degoogled-ish ROM on, and Graphene and Lineage were the two front-runners.)
schrieb am 3. Juni 2025, 16:52 zuletzt editiert von theloweststone@lemmy.world 6. März 2025, 18:52I'm running Graphene and I'm very happy with it.
-
Microsoft Used China-Based Support for Multiple U.S. Agencies, Potentially Exposing Sensitive Data
Technology58 vor 13 Tagenvor 16 Tagen1
-
-
BBC gains rare access to the Congolese mine powering mobile phones
Technology58 vor 28 Tagenvor 29 Tagen1
-
-
-
Flock Removes States From National Lookup Tool After ICE and Abortion Searches Revealed
Technology 26. Juni 2025, 00:201
-
The Current System of Online Advertising has Been Ruled Illegal by The Belgian Court of Appeal. Advertising itself is Still Allowed, but not in a Way That Secretly Tracks Everyone’s Behavior.
Technology 10. Juni 2025, 13:221
-