Meta and Yandex caught using Android apps to track users
Kirsten Peremore
Jun 5, 2025 6:45:44 PM

Researchers uncovered that, between 2017 and June 2025, Meta (formerly Facebook) and Yandex exploited a privacy loophole on Android devices: their native mobile apps silently listened on localhost ports (localhost being the internal loopback address used for communication between processes on the same device).
What happened
According to a report published on June 3, 2025, by computer scientists Aniketh Girish, Gunes Acar, Narseo Vallina-Rodriguez, Nipuna Weerasekara, and Tim Vlummens from IMDEA Networks, Radboud University, and KU Leuven, the companies embedded JavaScript tracking scripts, Meta Pixel and Yandex Metrica, into thousands of websites.
These scripts transmitted browser cookies and metadata through protocols like WebRTC using techniques such as SDP munging to the companies' native Android apps, which were quietly listening on TCP and UDP ports. Meta’s apps, including Facebook and Instagram, then linked the data to specific user identities by leveraging Android device identifiers and account credentials. Researchers traced Meta’s deployment of this technique to September 2024, with HTTP-based transmission ceasing in October 2024.
After the researchers publicly disclosed their findings, Meta halted the tracking mechanism on June 3, 2025, and removed most of the associated code. In response, Chrome 137, released on May 26, 2025, introduced partial countermeasures, while Mozilla and DuckDuckGo worked on updates to block similar behavior.
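The technique above relies on a native app holding open a listening socket on the loopback interface so that page scripts can reach it. From the defender's side, the first thing to check on a device is therefore which processes are bound to loopback ports. The following is an added example, not code from the researchers or from either company: it parses listening-socket records in the style of `ss -tulnp` output (the sample lines, process names and port numbers are constructed for illustration), keeps only loopback listeners, and drops anything on an allowlist of expected local services.

```python
"""Flag processes listening on loopback ports (detection example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample in the shape of `ss -tulnp` output. Names and ports are
# invented for this example and do not describe any real app.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:12580     0.0.0.0:*         users:(("com.example.social",pid=4242,fd=31))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
udp   UNCONN 0      0      127.0.0.1:12581     0.0.0.0:*         users:(("com.example.social",pid=4242,fd=33))
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128    [::1]:12582         [::]:*            users:(("com.example.metrics",pid=5151,fd=12))
"""

# IPv4 loopback is the whole 127/8 block; IPv6 loopback is ::1 (bracketed in ss output).
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')
_ADDR_RE = re.compile(r"^(.+):(\d+|\*)$")


@dataclass(frozen=True)
class LoopbackListener:
    proto: str
    address: str
    port: int
    process: Optional[str]   # None when ss was run without rights to see owners
    pid: Optional[int]


def parse_ss_line(line: str) -> Optional[LoopbackListener]:
    """Return a LoopbackListener for a loopback-bound socket line, else None."""
    fields = line.split()
    if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
        return None  # header, blank line, or a socket type we do not inspect
    proto, state, local = fields[0], fields[1], fields[4]
    # Only sockets that can receive unsolicited traffic are interesting.
    if proto == "tcp" and state != "LISTEN":
        return None
    if proto == "udp" and state != "UNCONN":
        return None
    m = _ADDR_RE.match(local)
    if not m or m.group(2) == "*":
        return None
    address, port = m.group(1), int(m.group(2))
    if not address.startswith(LOOPBACK_PREFIXES):
        return None  # bound to a real interface; out of scope for this check
    process: Optional[str] = None
    pid: Optional[int] = None
    pm = _PROC_RE.search(line)
    if pm:
        process, pid = pm.group(1), int(pm.group(2))
    return LoopbackListener(proto, address, port, process, pid)


def find_loopback_listeners(ss_output: str,
                            allowlist: FrozenSet[str] = frozenset()) -> List[LoopbackListener]:
    """All loopback listeners whose owning process is not on the allowlist."""
    found = []
    for line in ss_output.splitlines():
        entry = parse_ss_line(line)
        if entry is None or entry.process in allowlist:
            continue
        found.append(entry)
    return sorted(found, key=lambda e: (e.port, e.proto))


def ports_by_process(listeners: List[LoopbackListener]) -> Dict[str, List[int]]:
    """Group flagged ports by process name so one app's cluster of ports is obvious."""
    grouped: Dict[str, List[int]] = {}
    for e in listeners:
        grouped.setdefault(e.process or "<unknown>", []).append(e.port)
    return {name: sorted(ports) for name, ports in grouped.items()}


if __name__ == "__main__":
    expected_local_services = frozenset({"cupsd"})  # assumption: known-good daemons
    for name, ports in ports_by_process(
            find_loopback_listeners(SAMPLE_SS_OUTPUT, expected_local_services)).items():
        print(f"{name}: loopback ports {ports}")
```

On a live device the input would come from `ss -tulnp` (root is needed to see process owners), and the allowlist would hold the local services you expect; any consumer app appearing in the output with loopback ports is the signal worth investigating, since a normal app has no reason to accept connections from the browser.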
What was said
The report by Local Mess noted, “According to BuiltWith, a website that tracks web technology adoption, Meta Pixel is embedded on over 5.8 million websites. Yandex Metrica, on the other hand, is present on close to 3 million websites. According to HTTP Archive, an open and public dataset that runs monthly crawls of ~16 million websites, Meta Pixel and Yandex Metrica are present on 2.4 million and 575,448 websites, respectively.”
Why it matters
By using localhost communication between browser scripts and native apps, Meta and Yandex were able to secretly link users’ web activity to their app identities, even when users cleared cookies, used Incognito Mode, or denied tracking permissions—measures people generally believe protect their privacy.
This method undermines the principle of data minimization and consent, core tenets of privacy laws like the GDPR and CCPA, and it reveals how platform policies and technical safeguards can be silently circumvented without user knowledge.
The fact that such tracking began as early as 2017 (in Yandex's case) and continued through 2025 (with Meta) raises serious questions about the effectiveness of current oversight mechanisms, the transparency of large tech companies, and the adequacy of current app store policies and browser architecture in protecting user privacy.
FAQs
What is online tracking?
Online tracking is the practice of collecting data about your activity on websites and apps. This can include the pages you visit, your clicks, the time you spend on a site, your IP address, and other identifiers. Companies use this data to show targeted ads, analyze behavior, or build user profiles.
What are cookies and how do they track me?
Cookies are small text files that websites store on your browser. They can remember your login status, preferences, or activity. Some cookies, like third-party cookies, can track you across multiple websites to build a record of your browsing habits.
What is the difference between first-party and third-party cookies?
First-party cookies come from the website you're visiting directly and usually support basic functionality like staying logged in. Third-party cookies come from outside companies (like advertisers) embedded on the website and are mostly used for tracking and ad targeting.