https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/

#tracking code #Meta and Russian #Yandex embed into millions of websites is #deanonymizing #android users by abusing legitimate #Internetprotocols, causing #Chrome and other browsers to surreptitiously send #uniqueidentifiers to #nativeapps installed on their devices…#Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

A few counterarguments on #LocalMess (#Facebook #Instagram #Yandex #LocalhostTracking), why this would make #Android worse than #iOS:

This vuln seems to only have existed on Android, but not everyone would need to be affected by it.

I see #GrapheneOS as a perfected form of the Android idea (stripping the #Advertizing and Tracking from it, and adding needed permissions).

1/8

Disclosure: Covert Web-to-App Tracking via Localhost on Android

#android #tracking #security #infosecurity #MetaFacebook #yandex

We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed. Yandex has also stopped the practice we describe below.

https://localmess.github.io/

Color me surprised: #Meta and #Yandex abusing #Android for their own gain.

https://localmess.github.io/

研究者发现 Yandex 和 Meta 向手机 App 后门发送 Web 端用户追踪信息。

- 安装了 Meta/Yandex 应用的设备会监听特定手机端口，而 Meta/Yandex 的网页端会尝试向此端口发送网页端用户 cookie 等内容，从而实现浏览器及 App 的身份关联。
- Yandex 被发现最早在 2017 年实行此行为，Meta 则是 2024 年。目前两家企业均已终止此追踪行为。
- 除 Brave 浏览器外，包括 Chrome、Edge、Firefox 等主流浏览器均未完全阻止此行为发生。Local Network Access 草案或会在将来完全杜绝此问题。

- arstechnica.com/~
- https://localmess.github.io/

linksrc: blog.gslin.org/~

#Privacy #Meta #Yandex

Telegram 原文

Millionen Android-Nutzer möglicherweise jahrelang überwacht. Sicherheitsforscher haben aufgedeckt, dass #Meta und der russische Konzern #Yandex gemeinsam Nutzer deanonymisierten

https://m.winfuture.de/news/151377

#Meta #Facebook and #Yandex are always looking for new ways to spy on you and track you. #LocalMess is the latest in a long line of abusive methods to gather your private data. Having their mobile app installed gives them super powers. Uninstall it. If you must use these services, do not use their app, keep it in the browser, or even better, use a wrapper app, like

* https://f-droid.org/packages/it.rignanese.leo.slimfacebook/
* https://f-droid.org/packages/us.spotco.maps/

Here is a nice technical write up:
https://localmess.github.io/

Härski vakoilu paljastui: Facebook salakuunteli millä sivuilla käyttäjät käyvät Chromen incognito-tilassa

Sekä Meta että Yandex ovat seuranneet salaa käyttäjiensä aktiviteetteja, myös ulkopuolisten selainten yksityisissä tiloissa. Tiedot on saatu yhdistettyä käyttäjän oman käyttäjäprofiilin tietoihin väärinkäyttämällä yleisiä verkkostandardeja.

https://dawn.fi/uutiset/2025/06/09/meta-yandex-yksityisen-selailun-vakoilu

#meta #yandex #privacy

https://www.inforisktoday.com/researchers-meta-yandex-broke-android-privacy-a-28578

Washington Post's #Privacy Tip: Stop Using #Chrome , Delete #Meta 's Apps (and #Yandex ) - Slashdot
#facebook #instagram #tracking

https://tech.slashdot.org/story/25/06/07/035249/washington-posts-privacy-tip-stop-using-chrome-delete-metas-apps-and-yandex?utm_source=rss1.0mainlinkanon&utm_medium=feed

"We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity."

https://localmess.github.io/

#Mozilla has patched mobile #Firefox to mitigate the #privacy issue outlined in my other post where apps from #Meta and #Yandex would listen on localhost for connections initiated by mobile browsers when they ran code on certain websites. Wonder what they changed to fix it.

Fiese Schnüffelei: Meta und #Yandex spionierten Nutzer ihrer #Android -Apps aus | Security https://www.heise.de/news/Fiese-Schnueffelei-Meta-und-Yandex-spionierten-Nutzer-ihrer-Android-Apps-aus-10425177.html #MetaPlatforms #Facebook #Datenschutz #privacy #SocialMedia

Most Popular Search Engines in the World and How AI Is Transforming the Search Experience #technews24h #tech #search #AI #seo #google #yahoo #baidu #yandex #bing #ArtificialInteligence https://www.technews24h.com/2025/06/most-popular-search-engines-in-world.html

#Meta et #Yandex désanonymisent les identifiants de navigation #Web des utilisateurs #Android
#Abuse permet à Meta et Yandex d'attacher des identifiants persistants aux historiques de navigation détaillés.

#DonnéesPersonnelles #Confidentialité #CyberSécurité #Tracking #Internet

https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/

#Meta caught breaking #Android's #sandbox by monitoring #webbrowsing through its #apps

"A Google representative told Ars Technica that 'the behavior violates the terms of service" for the #GooglePlay marketplace'".

OK, delete them right now from the #PlayStore then!

https://www.ghacks.net/2025/06/05/meta-caught-breaking-androids-sandbox-by-monitoring-web-browsing-through-its-apps/?utm_source=mas.to&utm_medium=social&utm_campaign=&utm_term=&utm_content=&utm_referrer=https%3A%2F%2Fmas.to%2F%40KNTRO&utm_id=&utm_creative=&utm_channel=mastodon_organic&utm_platform=desktop&utm_location=argentina&utm_language=es-ar&utm_variant=

#Meta and #Yandex are de-anonymizing #Android users’ #webbrowsing identifiers

https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/

Meta und Yandex stehen im Rampenlicht wegen einer gravierenden Datenschutzverletzung.

Zum Artikel: https://www.heise.de/news/Fiese-Schnueffelei-Meta-und-Yandex-spionierten-Nutzer-ihrer-Android-Apps-aus-10425177.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon