Meta and Yandex have been caught covertly tracking users and using tricks to bypass browser privacy protections such as Incognito mode and cookie clearing. Sessions were deanonymized on the Android platform when users visited sites that use Yandex Metrica web analytics or Facebook Pixel.
The identification method relied on Meta and Yandex mobile applications for Android (Facebook, Instagram, Yandex Maps, Yandex Navigator, Yandex Search, and Yandex Browser) establishing a separate communication channel with JavaScript code running in the browser. These applications opened connections on the local network interface (127.0.0.1) using the HTTP, HTTPS, WebSocket, and WebRTC protocols.

When a user visited a site with Yandex Metrica or Facebook Pixel, the JavaScript code sent requests to the network ports opened by the mobile applications, transmitting metadata, cookies, and control commands. The mobile applications linked these browser sessions to real user identities and devices, such as Facebook and Yandex accounts or the Android Advertising ID (AAID), which allowed accurate user identification even in Incognito mode or after cookies had been deleted.

The technique posed a risk beyond data leakage to Facebook and Yandex: a malicious application could also listen for the information sent to these network ports and use it to track user activity and browsing history. Facebook and Yandex took advantage of the fact that Android places no restrictions on creating listening sockets bound to the loopback interface (127.0.0.1) as long as the application has the internet access permission. Facebook, for instance, transmitted the contents of the “_fbp” cookie (the unique user identifier in Facebook Pixel) to the local application and manipulated WebRTC to configure data.
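
To audit a device for the loopback listeners described above, the following added example (not code from the original article or from the researchers) parses socket tables in the `/proc/net/tcp` and `/proc/net/tcp6` format and reports LISTEN sockets on loopback that are owned by installed-app UIDs. It assumes a little-endian device and a table captured beforehand, for example with `adb shell cat /proc/net/tcp`; the sample rows, ports, UIDs and function names are constructed for illustration.

```python
import ipaddress

APP_UID_START = 10000  # Android assigns installed apps UIDs from 10000 upward
TCP_LISTEN = "0A"      # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp(6) format; ports, UIDs and inodes are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:9C41 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10180        0 51300 1
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40011 1
   3: 0100007F:9C42 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000 10234        0 51240 1
   4: 0000000000000000FFFF00000100007F:9C43 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51250 1
"""

def decode_addr(hex_addr):
    """Decode the kernel's hex address; each 32-bit word is stored little-endian."""
    raw = bytes.fromhex(hex_addr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    ip = ipaddress.ip_address(fixed)
    # Treat an IPv4-mapped address (::ffff:127.0.0.1) as the IPv4 address it maps to.
    return getattr(ip, "ipv4_mapped", None) or ip

def loopback_app_listeners(proc_net_text):
    """Return (ip, port, uid) for LISTEN sockets on loopback owned by app UIDs."""
    hits = []
    for line in proc_net_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue  # malformed row, or a socket that is not listening
        addr_hex, port_hex = f[1].split(":")
        ip, port, uid = decode_addr(addr_hex), int(port_hex, 16), int(f[7])
        if ip.is_loopback and uid >= APP_UID_START:
            hits.append((str(ip), port, uid))
    return hits

if __name__ == "__main__":
    for ip, port, uid in loopback_app_listeners(SAMPLE):
        print(f"app uid {uid} listening on {ip}:{port}")
```

Each reported UID can then be mapped to a package name on the device to decide whether the listener is expected.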