Independent researchers have uncovered a disturbing privacy breach involving Meta and Yandex—two tech giants found exploiting an Android loophole to track users’ web browsing habits, even in Incognito Mode. The tracking method leverages localhost connections, which allow apps to communicate within a device without user consent, bypassing Android’s sandboxing protections designed to isolate apps from one another. By using tracking scripts like Meta Pixel and Yandex Metrica, embedded in millions of websites, these companies link anonymized browsing data to user identities, raising significant privacy concerns. Both Google and Mozilla (makers of Firefox) are now investigating potential violations of their terms of service, as this clandestine tracking undermines user expectations of privacy.

The technique works through apps such as Facebook, Instagram, and Yandex Maps, which silently listen on specific localhost ports. Tracking scripts on the web page send web identifiers—such as Meta’s cookie or Yandex’s unique parameters—to those ports via WebRTC or plain HTTP requests, and the app receives them. These identifiers, tied to the sites visited in browsers like Chrome or Firefox, are then joined to persistent app-side identifiers such as the Android Advertising ID, effectively de-anonymizing the user. Meta reportedly began using this technique in September 2024, while Yandex has allegedly been using it for over eight years. The issue affects most major browsers, with Brave being a notable exception due to its robust blocklists, and DuckDuckGo partially mitigating the problem after updating its protections.
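The precondition for this tracking is an app holding a listening socket that a web page can reach over loopback. As an added example (not code from the researchers, the article, or any of the companies named), the script below reads `/proc/net/tcp` from an `adb shell` and reports which app UIDs own such listeners. The sample `/proc/net/tcp` content, port 12345 and UID 10234 are constructed; it assumes the file is readable from the adb shell on your device.

```python
"""Report app UIDs holding listening TCP sockets reachable over loopback.

Usage on a device:  adb shell cat /proc/net/tcp | python3 loopback_listeners.py
(assumes /proc/net/tcp is readable from the adb shell; /proc/net/tcp6 and
/proc/net/udp have the same layout and can be piped in the same way).
"""
import sys
from dataclasses import dataclass

# Constructed sample: one app listener on 127.0.0.1:12345 (uid 10234), one
# system listener on all interfaces (uid 0), and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 54321 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 54322 1 0000000000000000 100 0 0 10 0
   2: 0100007F:3039 0100007F:A3D2 01 00000000:00000000 00:00000000 00000000 10234        0 54323 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"      # value of the socket-state column for LISTEN
FIRST_APP_UID = 10000  # Android assigns installed apps UIDs from 10000 upward


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    uid: int


def _decode_addr(field: str) -> tuple[str, int]:
    """'0100007F:3039' -> ('127.0.0.1', 12345); the IPv4 bytes are little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(b) for b in reversed(bytes.fromhex(ip_hex)))
    return ip, int(port_hex, 16)


def parse_listeners(proc_net_tcp: str) -> list[Listener]:
    """Return every LISTEN socket in /proc/net/tcp text, whoever owns it."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(cols[1])
        out.append(Listener(ip, port, int(cols[7])))
    return out


def loopback_app_listeners(proc_net_tcp: str) -> list[Listener]:
    """Listeners owned by an app UID that a page on the device can reach at
    http://127.0.0.1:<port> (bound to loopback or to all interfaces)."""
    return [l for l in parse_listeners(proc_net_tcp)
            if (l.ip.startswith("127.") or l.ip == "0.0.0.0") and l.uid >= FIRST_APP_UID]


if __name__ == "__main__":
    text = SAMPLE_PROC_NET_TCP if sys.stdin.isatty() else sys.stdin.read()
    for l in loopback_app_listeners(text):
        print(f"uid {l.uid} listens on {l.ip}:{l.port}")
```

A reported UID can be mapped to its package with `pm list packages -U` on the device (assumed to be available on your Android version); a loopback listener is not proof of tracking by itself, but it is the condition that makes the technique described above possible.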

Yandex has since responded, claiming compliance with data protection standards and stating that the feature was intended for personalization, not sensitive data collection. The company announced it would discontinue the practice. Meta, meanwhile, has paused the feature and is working with Google to address what it calls a “potential miscommunication” regarding Play Store policies. Google has labeled the behavior a violation of its terms, emphasizing that it undermines Android users’ privacy expectations. Researchers warn that uninstalling the offending apps is currently the only surefire way to stop this tracking, as the loophole exploits Android’s permissive localhost communication design.

The discovery has sparked outrage among privacy advocates, with posts on X (formerly Twitter) highlighting the risks of having apps like Facebook installed on Android devices. This incident underscores the growing challenge of safeguarding user data in an era where tracking scripts are ubiquitous—appearing on nearly six million websites for Meta Pixel alone. As browsers and platforms scramble to patch these vulnerabilities, experts call for stricter controls on localhost communications to prevent similar abuses in the future, urging users to remain vigilant about the apps they install and the websites they visit.
