Meta Pixel halts Android localhost tracking after disclosure

Security researchers have raised concerns regarding the practices of Meta and Yandex, revealing that both companies used native Android applications to listen on localhost ports and receive data from scripts running in the device’s browser. This method enabled them to associate web browsing data with user identities, effectively circumventing standard privacy protections.

In response to these findings, researchers noted a significant shift in Meta’s approach. The Meta Pixel script ceased its data transmission to localhost, and much of the tracking code was removed. This adjustment may serve to shield Meta from potential scrutiny under Google Play policies, which explicitly prohibit covert data collection within applications.

A spokesperson for Meta stated, “We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.” However, further details regarding these discussions were not provided.

What the researchers found

A report released recently by computer scientists from IMDEA Networks in Spain, Radboud University in the Netherlands, and KU Leuven in Belgium detailed how Meta and Yandex were observed leveraging native Android applications to collect web cookie data through the device’s loopback interface, commonly referred to as localhost. This loopback address allows devices to make network requests to themselves, often used by developers to test server-based applications.

The researchers—Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens—discovered that native Android applications, including Facebook, Instagram, and Yandex’s Maps and Browser, were silently listening on fixed local ports for tracking purposes. They explained, “These native Android apps receive browsers’ metadata, cookies, and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets.”

By exploiting this access, Meta and Yandex could link mobile browsing sessions and web cookies to user identities, effectively bypassing common privacy measures such as cookie clearing, Incognito Mode, and Android’s app permission system. The researchers emphasized that this technique undermines the fundamental assumptions surrounding first-party cookies, which are not intended to track browsing activity across different websites. They stated, “The method we disclose allows the linking of the different _fbp cookies to the same user, which bypasses existing protections and runs counter to user expectations.”

In Meta’s case, the tracking process involves scripts associated with the Meta Pixel, which is utilized by marketers to gather data about user interactions with websites. Various APIs and protocols facilitate this app-web eavesdropping scheme, including SDP munging, WebSocket, WebRTC, STUN, and TURN.

  1. The user opens the native Facebook or Instagram app, which eventually runs in the background, creating a service to listen for incoming traffic on specific TCP and UDP ports.
  2. The user then opens their browser and visits a website that integrates the Meta Pixel.
  3. Websites may request user consent depending on their location.
  4. The Meta Pixel script transmits the _fbp cookie to the native app via WebRTC (STUN) SDP Munging.
  5. The script also sends the _fbp value along with other parameters to Facebook’s servers.
  6. The apps receive the _fbp cookie and transmit it as a GraphQL mutation, linking the user’s web visit with their Facebook or Instagram account.
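Step 1 above hinges on a native app holding an open socket on the loopback interface. The following audit script is an added example, not code from the article or the research team: it parses `/proc/net/tcp` and `/proc/net/udp` (as read over `adb shell` from a device, an assumption) and reports sockets that a browser page on the same device could reach, together with the Android UID of the owning app. The sample lines, ports and UIDs are constructed, not captured from a real device.

```python
"""Audit Android /proc/net/{tcp,udp} for loopback-reachable sockets."""
from typing import Dict, List, Tuple

# Socket states as they appear in the 'st' column (hex).
TCP_LISTEN = "0A"       # app waiting for a browser to connect
TCP_ESTABLISHED = "01"  # live browser <-> app connection
UDP_UNCONN = "07"       # bound UDP socket, ready to receive (e.g. STUN)

# Constructed sample of /proc/net/tcp: a listener on 127.0.0.1:11111 (uid 10234),
# a wildcard listener on :8080 (uid 10100), and a connection from uid 10050.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2B67 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 45678 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10100        0 45679 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:2B67 01 00000000:00000000 00:00000000 00000000 10050        0 45680 1 0000000000000000 100 0 0 10 0
"""
# Constructed sample of /proc/net/udp: one bound socket on 127.0.0.1:11112.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   7: 0100007F:2B68 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 45690 2 0000000000000000 0
"""

def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """'0100007F:2B67' -> ('127.0.0.1', 11111); the IPv4 part is little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def loopback_sockets(proc_net_text: str, state: str) -> List[Dict]:
    """Return sockets in `state` whose local address is loopback or wildcard.
    A wildcard (0.0.0.0) bind is reachable from localhost as well, so it is
    reported too. 'uid' identifies the app; map it to a package name with
    `pm list packages -U` on the device."""
    hits = []
    for line in proc_net_text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 8 or cols[3] != state:
            continue
        ip, port = decode_addr(cols[1])
        peer_ip, peer_port = decode_addr(cols[2])
        if ip.startswith("127.") or ip == "0.0.0.0":
            hits.append({"ip": ip, "port": port,
                         "peer": f"{peer_ip}:{peer_port}", "uid": int(cols[7])})
    return hits

if __name__ == "__main__":
    for label, text, st in (("tcp listen", SAMPLE_TCP, TCP_LISTEN),
                            ("tcp established", SAMPLE_TCP, TCP_ESTABLISHED),
                            ("udp bound", SAMPLE_UDP, UDP_UNCONN)):
        for h in loopback_sockets(text, st):
            print(label, h)
```

IPv6 loopback (`/proc/net/tcp6`, `::1`) uses 32-character addresses and is not decoded here; an established entry whose peer is one of the reported listening ports is the evidence that something on the device actually talked to that app.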

Researchers noted that Meta began implementing this technique in September 2024, initially transmitting data via HTTP. Although this HTTP-based transmission reportedly ceased the following month, other methods, including WebSocket and WebRTC, were identified in subsequent months. Currently, however, it appears that Meta has halted these practices. As of June 3rd, the Meta/Facebook Pixel script was no longer sending any packets or requests to localhost, with the code responsible for transmitting the _fbp cookie nearly entirely removed.

Yandex’s use of localhost-based tracking reportedly dates back to 2017. While inquiries to Yandex regarding these claims were not answered, the researchers noted that their disclosure to Android browser vendors has prompted several mitigations. For instance, Chrome 137, released on May 26, 2025, includes countermeasures to block the SDP Munging technique employed by Meta Pixel, although these measures are currently available only to a select group of users. A fix for Mozilla Firefox is in development, while Brave has remained unaffected due to its consent requirements for localhost usage. DuckDuckGo has also updated its blocklist to prevent Yandex’s scripts from functioning.

Looking ahead, the authors propose a new “local network access” permission that could help mitigate localhost-based tracking in the future, although a previous proposal of this nature encountered technical challenges.
