Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.

  • lechekaflan (3 points, edited, 22 hours ago)

    Not surprising, it’s always expected from tech corporations, where at the end of the day it’s profit and favor with conservative politicians. If they’re not trying to use information gathered on people to bad government looking to cut costs (“saving taxpayers’ money”) by removing minority beneficiaries, they love to shove content you don’t even want.

    Why I never use my real name online.

  • @General_Effort@lemmy.world (39 points, 2 days ago)

    Useless article, but at least they link the source: https://localmess.github.io/

    We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

    These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps programmatically access device identifiers like the Android Advertising ID (AAID) or handle user identities, as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users visiting sites that embed their scripts.

    📢 UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.
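The mechanism quoted above (a third-party script on a remote page opening a connection to a fixed port on the device's own loopback interface) leaves a trace in the browser's network log, which a user or analyst can export as a HAR file from the developer tools. The Python script below is an added example, not code from this thread or from the localmess.github.io report: it reads a HAR export (constructed inline here, with placeholder hosts and ports, so it runs offline) and flags every request that a non-loopback page makes to a loopback address. Field names follow the HAR 1.2 format; the assumption that the page URL appears in `pages[].title` matches Chrome's exporter and is labelled in the code.

```python
"""
Flag browser requests that leave a remote page and land on loopback.

Added example; not from the original thread or the localmess report.
Assumes a HAR 1.2 export from the browser's developer tools. The HAR
below is constructed inline (placeholder hosts and ports) so the script
runs offline.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt: a remote page loads a third-party script, which
# then talks to fixed local ports. Hosts and ports are placeholders, not
# values taken from any real tracker.
SAMPLE_HAR = json.dumps({
    "log": {
        # Chrome writes the page URL into "title" (assumption; Firefox uses
        # the document title instead, in which case adapt the lookup).
        "pages": [{"id": "page_1", "title": "https://news.example/article"}],
        "entries": [
            {"pageref": "page_1",
             "request": {"method": "GET", "url": "https://news.example/article"}},
            {"pageref": "page_1",
             "request": {"method": "GET", "url": "https://tracker.example/pixel.js"}},
            {"pageref": "page_1",
             "request": {"method": "POST", "url": "http://localhost:12345/_beacon",
                         "headers": [{"name": "Referer",
                                      "value": "https://news.example/article"}]}},
            {"pageref": "page_1",
             "request": {"method": "GET", "url": "http://127.0.0.1:12346/?id=abc"}},
            {"pageref": "page_1",
             "request": {"method": "GET", "url": "http://[::1]:12347/"}},
            {"pageref": "page_1",
             "request": {"method": "GET", "url": "https://cdn.example/app.js"}},
        ],
    }
})


def is_loopback_host(host):
    """True for localhost, *.localhost, any 127/8 address and ::1.

    Accepts the bracketed IPv6 form as well as the bare form that
    urlsplit().hostname returns.
    """
    if not host:
        return False
    h = host.strip("[]").lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False  # an ordinary DNS name


def find_loopback_beacons(har_text):
    """Return (page_url, method, request_url) for every request to a
    loopback address issued while rendering a non-loopback page.

    Requests from a page that is itself on loopback (local development)
    are skipped, since there a localhost connection is expected.
    """
    har = json.loads(har_text)
    pages = {p["id"]: p.get("title", "") for p in har["log"].get("pages", [])}
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        page = pages.get(entry.get("pageref"), "")
        if not is_loopback_host(urlsplit(req["url"]).hostname):
            continue
        if is_loopback_host(urlsplit(page).hostname):
            continue
        hits.append((page, req["method"], req["url"]))
    return hits


if __name__ == "__main__":
    for page, method, url in find_loopback_beacons(SAMPLE_HAR):
        print(f"{page} -> {method} {url}")
```

Run it against a real export by replacing `SAMPLE_HAR` with the file's contents. A hit does not by itself prove tracking (some legitimate software also bridges browser and local helper), but a remote page talking to a fixed local port is exactly the pattern the report describes and is worth a closer look at which installed app owns that port.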

    • @pineapplepizza@lemm.ee (3 points, 1 day ago)

      Thanks for the update, pitchforks down, people. Let’s go back to blindly trusting these anti-consumer cabals.

      • @General_Effort@lemmy.world (2 points, 23 hours ago)

        I almost didn’t copy the update because my focus was on the technical background. I did a double-check before submitting to see whether I had caught the gist correctly, and decided that people would probably want to know that the report triggered that change.

  • @RvTV95XBeo@sh.itjust.works (19 points, edited, 2 days ago)

    We found that browsers such as Chrome, Firefox and Edge are susceptible to this form of browsing history leakage in both default and private browsing modes. Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost; and DuckDuckGo was only minimally affected due to missing domains in their blocklist.

    Aside from having uBlock Origin and not having any Meta/Yandex apps installed, anyone aware of additional Firefox settings that could help shut this nonsense down?

    • @Quibblekrust@thelemmy.club (3 points, edited, 1 day ago)

      I feel like that’s all you need. You don’t have their apps installed, so the problem is already solved. If you use uBlock Origin to block their trackers, the problem is solved. So you’ve solved it twice.

      • @RvTV95XBeo@sh.itjust.works (0 points, 1 day ago)

        Yes and no, I’ve treated the symptoms, but not the problem. All it takes is a trillion-dollar company buying a new domain every once in a while to foil uBlock, and now that it’s more widely known, anyone can create an app that opens ports and listens for trackers.

        Would love it if Firefox would let me block all requests to localhost.

  • @TankovayaDiviziya@lemmy.world (13 points, 2 days ago)

    De-anonymising Yandex

    Me: Ha! Good thing I am not Russian!

    De-anonymising Meta

    Me: Damn…and it is hard for me to let go because my social circle use Meta-owned social media and couldn’t care less about privacy…I am toast…

    • @carrylex@lemmy.world (7 points, 2 days ago)

      Check that “Filter lists > Privacy > Block outsider intrusion into LAN” is enabled, and you should be fine.

    • artocode404 (18 points, 2 days ago)

      Seems like it’s transferred through a cookie and JavaScript, so in theory you can block it with uBlock or NoScript and the like, but a sure way to block it is to not have Meta apps installed on your phone (or not be signed in).

          • ☂️- (6 points, 2 days ago)

            Some Android phones go as far as to come with a system app called “Meta Services” that can’t be uninstalled, beyond the regular Zucc apps.

              • TheLowestStone (2 points, 1 day ago)

                Most of the people I talk to regularly, yes. I also use Discord for less private stuff, less personal contacts, and for video chat when I play D&D. I text with my wife and one friend who I mostly discuss D&D with. Both of them have Signal if I needed to reach out to them privately or while abroad. For the record, I would like to get off Discord but audio and video quality are really important to me and I haven’t found a good replacement yet.

                I also have a separate (company-paid) phone for all work communications. There are ups and downs to that, but it definitely contributes to my ability to be restrictive in what apps I put on my phone.

          • Alphane Moon (3 points, edited, 2 days ago)

            Got me on that one! I forgot about WhatsApp.

            For what it’s worth I didn’t have it logged in until last week when I needed to get in touch with someone.

            I will need to log out.

    • Frellwit (3 points, 2 days ago)

      EasyPrivacy should block Meta and Yandex pixels by default. If you have the knowledge you can put uBO in “hard mode” which will block all 3p connections. It requires you to know which CDNs to allow or websites will be broken.

      • Alphane Moon (2 points, 2 days ago)

        I am aware of hard mode, I used to use NoScript.

        It’s a bit too much work these days.

          • Lv_InSaNe_vL (1 point, edited, 2 days ago)

            Yeah it makes me laugh when people talk about “don’t use cookies” or “block ads” like companies didn’t switch to more advanced techniques (like hell, I saw a paper where they could fingerprint you just simply by how you interact with the webpage) 15 years ago.

            There is no way to use the modern web without getting fingerprinted.

            • @ayyy@sh.itjust.works (2 points, 1 day ago)

              Well “block ads” is also shorthand for “block as many 3rd-party requests as possible while maintaining the desired content” which absolutely improves your privacy and prevents a lot of fingerprinting scripts from ever loading.

              • Lv_InSaNe_vL (2 points, 1 day ago)

                That’s the thing though, websites have moved away from “fingerprinting scripts” and have started fingerprinting you by what you are served, how and when you access it, and other things that they can collect purely on the server side. The rest is just for advertising and data collection for improvements.

                • @LainTrain@lemmy.dbzer0.com (1 point, 1 day ago)

                  All of this is far easier to subvert than tracking scripts (and cookies and port scans), which, as evidenced by the article in the OP, are not techniques that companies have “gone away” from at all, at least not by entirely replacing them.

  • @Goretantath@lemm.ee (-1 points, 2 days ago)

    It’s Russian, I’ve never used it and never will. Surprised so many 🏴‍☠️’s advocated for it…

    • @grue@lemmy.world (2 points, edited, 2 days ago)

      Are you suggesting something like LineageOS is a better choice?

      (Seriously asking: I’ve got a new-to-me Pixel that I’m looking to switch to a degoogled-ish ROM on, and Graphene and Lineage were the two front-runners.)