Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica

  • Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

    The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.

  • Well, it's always been a cat and mouse game.

    Just earlier today, I got a pop-up on YouTube about how they would block me after 3 videos because I use an ad blocker. Jump to now and everything is fine again. Thank you, uBlock Origin!

  • I am assuming all of this trash is blocked by uBlock Origin?

  • Well, it's always been a cat and mouse game.

    Just earlier today, I got a pop-up on YouTube about how they would block me after 3 videos because I use an ad blocker. Jump to now and everything is fine again. Thank you, uBlock Origin!

    they still try that?

    i can't remember the last time i have seen one of those warnings.

  • they still try that?

    i can't remember the last time i have seen one of those warnings.

    I'm guessing you use Firefox? It's much better at evading that tracking.

  • I am assuming all of this trash is blocked by uBlock Origin?

    Seems like it's transferred through a cookie and javascript, so in theory you can block it with ublock or noscript and the like, but a sure way to block is to not have meta apps installed on your phone (or not signed in).

  • Seems like it's transferred through a cookie and javascript, so in theory you can block it with ublock or noscript and the like, but a sure way to block is to not have meta apps installed on your phone (or not signed in).

    I don't have any Meta apps installed. 🙂

  • I don't have any Meta apps installed. 🙂

    That's the fun part. They come preinstalled!

  • Useless article, but at least they link the source: https://localmess.github.io/

    We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

    These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.

    📢 UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.
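
The web-to-localhost channel quoted above can be audited from a browser request log; the following is an added example, not part of the post or of the researchers' code, that flags requests a public page makes to the local device. The `pageUrl`/`requestUrl` field names, hosts and ports are constructed for illustration, and only traffic that appears as URL requests (HTTP, WebSocket) is covered.

```javascript
// Added example: find page-initiated requests that target the local device.
// Sample data below is constructed; hosts and ports are placeholders.

// True when a URL hostname resolves to the device itself.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  // ::1 is IPv6 loopback; 0.0.0.0 reaches the local host on Linux-based systems.
  if (host === '::1' || host === '0.0.0.0') return true;
  // IPv4-mapped IPv6 form of 127.0.0.0/8, as serialized by the URL parser.
  if (/^::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}$/.test(host)) return true;
  // Whole 127.0.0.0/8 block (the URL parser normalizes short/decimal forms).
  return /^127(\.\d{1,3}){3}$/.test(host);
}

// Groups suspicious flows as "page origin -> local endpoint" with a hit count.
function findLocalhostBeacons(entries) {
  const findings = new Map();
  for (const { pageUrl, requestUrl } of entries) {
    let page, req;
    try {
      page = new URL(pageUrl);
      req = new URL(requestUrl);
    } catch {
      continue; // skip malformed log rows instead of aborting the audit
    }
    if (isLoopbackHost(page.hostname)) continue; // local dev page, not a tracker
    if (!isLoopbackHost(req.hostname)) continue; // ordinary remote request
    const flow = `${page.origin} -> ${req.protocol}//${req.host}`;
    findings.set(flow, (findings.get(flow) || 0) + 1);
  }
  return [...findings].map(([flow, count]) => ({ flow, count }));
}

// Constructed request log (one row per request observed in the browser).
const SAMPLE_LOG = [
  { pageUrl: 'https://shop.example/cart', requestUrl: 'https://cdn.example/app.js' },
  { pageUrl: 'https://shop.example/cart', requestUrl: 'http://127.0.0.1:40001/t?c=abc' },
  { pageUrl: 'https://shop.example/checkout', requestUrl: 'http://127.0.0.1:40001/t?c=abc' },
  { pageUrl: 'https://news.example/', requestUrl: 'ws://[::1]:40002/' },
  { pageUrl: 'http://localhost:3000/', requestUrl: 'http://localhost:3000/api' },
  { pageUrl: 'https://news.example/', requestUrl: 'not a url' },
];

console.log(findLocalhostBeacons(SAMPLE_LOG));
```
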

  • Block all tracking scripts and use Firefox Nightly with ublock when possible.

  • I don't have any Meta apps installed. 🙂

    No WhatsApp?

  • Consider getting a modern Pixel w/GrapheneOS!

    • Slaps his lap.

    It has the Vanadium.

  • That's the fun part. They come preinstalled!

    .

  • Block all tracking scripts and use Firefox Nightly with ublock when possible.

    Not sure about the "nightly" part (as opposed to beta or stable), but yes.

  • Consider getting a modern Pixel w/GrapheneOS!

    • Slaps his lap.

    It has the Vanadium.

    Are you suggesting something like LineageOS is a better choice?

    (Seriously asking: I've got a new-to-me Pixel that I'm looking to switch to a degoogled-ish ROM on, and Graphene and Lineage were the two front-runners.)

  • they still try that?

    i can't remember the last time i have seen one of those warnings.

    The business cycle dictates that companies try to re-implement bad ideas every six months to two years.

    If the idea was good, they'd have implemented it and made their money. Only bad ideas are still ripe for exploitation and new economic growth, because you haven't had someone as smart as me to make them work right.

  • We found that browsers such as Chrome, Firefox and Edge are susceptible to this form of browsing history leakage in both default and private browsing modes. Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost; and DuckDuckGo was only minimally affected due to missing domains in their blocklist.

    Aside from having uBlock Origin and not having any Meta/Yandex apps installed, anyone aware of additional Firefox settings that could help shut this nonsense down?

  • I am assuming all of this trash is blocked by uBlock Origin?

    EasyPrivacy should block Meta and Yandex pixels by default. If you have the knowledge you can put uBO in "hard mode" which will block all 3p connections. It requires you to know which CDNs to allow or websites will be broken.

  • I'd nail my foot to the floor before I installed WhatsApp.

  • Are you suggesting something like LineageOS is a better choice?

    (Seriously asking: I've got a new-to-me Pixel that I'm looking to switch to a degoogled-ish ROM on, and Graphene and Lineage were the two front-runners.)

    I'm running Graphene and I'm very happy with it.
