Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.
Useless article, but at least they link the source: https://localmess.github.io/
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.
These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users visiting sites embedding their scripts.
📢 UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.
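The localhost connections described in the quoted disclosure can be picked out of a captured list of page requests by checking whether each target host is a loopback address. This is an added example, not code from the thread or from the researchers; the function names, sample URLs and port 12345 are constructed placeholders.

```javascript
// Added example: flag requests from a public page to the local device.
// Function names, sample URLs and port 12345 are constructed placeholders.

// True when `hostname` (as returned by URL.hostname) is a loopback name.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // IPv6 literals arrive bracketed and already compressed by the URL parser.
  if (host === "[::1]") return true;
  // IPv4-mapped IPv6, e.g. [::ffff:7f00:1] for 127.0.0.1.
  const mapped = /^\[::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}\]$/.exec(host);
  if (mapped) return (parseInt(mapped[1], 16) >> 8) === 127;
  // The URL parser rewrites decimal, hex and short IPv4 forms to dotted
  // quads, so one check covers 127.0.0.1, 2130706433 and 0x7f.1.
  const v4 = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host);
  return v4 !== null && v4[1] === "127";
}

// Return the URLs in `requests` that a page at `pageUrl` sent to loopback.
// Pages that are themselves served from loopback (local dev) are ignored.
function findLoopbackRequests(pageUrl, requests) {
  const pageIsLocal = isLoopbackHost(new URL(pageUrl).hostname);
  const hits = [];
  for (const raw of requests) {
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; } // unparsable
    if (!/^(https?|wss?):$/.test(url.protocol)) continue;
    if (!pageIsLocal && isLoopbackHost(url.hostname)) hits.push(url.href);
  }
  return hits;
}

// Constructed sample: requests observed while loading a public page.
const sampleRequests = [
  "https://cdn.example/tracker.js",
  "http://127.0.0.1:12345/ping",
  "ws://localhost:12345/socket",
  "http://2130706433:12345/",   // decimal form of 127.0.0.1
  "https://[::1]:12345/x",
  "https://127.example/ok",     // ordinary domain, not an IP address
  "/relative/path",
];
console.log(findLoopbackRequests("https://shop.example/", sampleRequests));
```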
I am assuming all of this trash is blocked by uBlock Origin?
Check that “Filter lists > Privacy > Block outsider intrusion into LAN” is enabled and you should be fine
EasyPrivacy should block Meta and Yandex pixels by default. If you have the knowledge you can put uBO in “hard mode” which will block all 3p connections. It requires you to know which CDNs to allow or websites will be broken.
I am aware of hardmode, I used to use NoScript.
It’s a bit too much work these days.
Does anyone know if there’s additional sandboxing of local ports happening for apps running in Private Space?
E: Checked myself. Can access servers in Private Space from non-Private Space browsers and vice versa. So Facebook installed in Private Space is no bueno. Even if the time to transfer data is limited since Private Space is running for short periods of time, it’s likely enough to pass a token while browsing some sites.
We found that browsers such as Chrome, Firefox and Edge are susceptible to this form of browsing history leakage in both default and private browsing modes. Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost; and DuckDuckGo was only minimally affected due to missing domains in their blocklist.
Aside from having uBlock Origin and not having any Meta/Yandex apps installed, anyone aware of additional Firefox settings that could help shut this nonsense down?
laughs in adguard
De-anonymising Yandex
Me: Ha! Good thing I am not Russian!
De-anonymising Meta
Me: Damn…and it is hard for me to let go because my social circle use Meta-owned social media and couldn’t care less about privacy…I am toast…
Not surprising, it’s always expected from tech corporations, where at the end of the day it’s profit and favor with conservative politicians. If they’re not trying to use information gathered on people to bad government looking to cut costs (“saving taxpayers’ money”) by removing minority beneficiaries, they love to shove content you don’t even want.
Why I never use my real name online.
Are you suggesting something like LineageOS is a better choice?
(Seriously asking: I’ve got a new-to-me Pixel that I’m looking to switch to a degoogled-ish ROM on, and Graphene and Lineage were the two front-runners.)
I’m running Graphene and I’m very happy with it.