Meta and Yandex Have Both Been De-Anonymizing Android Users’ Ostensibly Sandboxed Private Web Browsing Identifiers

A team of researchers has uncovered a scheme they’ve dubbed “Local Mess” — used by Meta since September 2024, and Russian search engine Yandex since 2017 (!) — to de-anonymize Android users’ web browsing across millions of websites that include Meta’s and Yandex’s respective tracking scripts. From their extensively detailed report:

These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps programmatically access device identifiers like the Android Advertising ID (AAID) or handle user identities, as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity. [...]

The entire flow of the _fbp cookie from web to native and the server is as follows:

  1. The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged in with their credentials on the apps.
  2. The user opens their browser and visits a website integrating the Meta Pixel.
  3. At this stage, websites may ask for consent depending on the website’s and visitor’s locations.
  4. The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
  5. The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
  6. The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running on the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users’ fbp ID (web visit) with their Facebook or Instagram account.

The same day the researchers published this report, Meta stopped doing it.

I’ve said it before but not in a while: Meta is a criminal enterprise. What they’ve done here may not have broken any laws, but there certainly should be laws against it. And in terms of simple common sense, the entire elaborate scheme only exists to circumvent features in Android meant to prevent native apps from tracking you while you use your web browser. Saying it’s not illegal doesn’t mean it isn’t theft. It’s like the privacy equivalent of Trump’s cryptocurrency grift, which might not violate any current laws, but clearly exists as a bribery scheme.

Wednesday, 4 June 2025