A new disclosure by researchers from IMDEA Networks, Radboud University, and KU Leuven has revealed a novel cross-context tracking technique that affects billions of Android users worldwide. The method—used by Meta (Facebook, Instagram) and Yandex (Maps, Browser, Navigator)—silently links web activity to native app identifiers, even in Incognito Mode and without user consent.
At the heart of the discovery is the abuse of localhost sockets, a mechanism intended for communication between processes on the same device. Android allows any app holding the INTERNET permission to listen on the loopback interface (127.0.0.1), and such a listener is then reachable from the mobile browser, effectively bypassing app sandboxing and privacy protections.
“This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls,” the report states.
Meta’s tracking pipeline leverages the Meta Pixel JavaScript, which is embedded on over 5.8 million websites. When a user visits a site:
- The Pixel script reads the first-party _fbp cookie.
- It sends the cookie to native Facebook or Instagram apps via WebRTC using SDP munging over ports 12580–12585.
- The native app then links this ID to the user’s Facebook account and sends it to Meta’s servers.
“The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging,” the report explains. This de-anonymizes web sessions, and users are affected even when logged out, using Incognito Mode, or after clearing cookies.
Yandex’s Metrica script, embedded on over 3 million websites, sends data to fixed local ports (e.g., 29009, 30103). Yandex apps listen on these ports and respond with encrypted payloads including device identifiers like the Android Advertising ID (AAID).
“Our analysis indicates that the domain yandexmetrica[.]com is resolving to the loopback address 127.0.0.1…obfuscating the data exfiltration process.”
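A defender-side check that follows from the port numbers above, added here as an example and not code from the researchers or the article: it parses listening-socket output from a device (assumed `adb shell ss -Hltnu` column layout, with a constructed sample embedded inline) and flags loopback-reachable listeners on the ports the report associates with Meta Pixel and Yandex Metrica.

```python
from dataclasses import dataclass

# Ports named in the report (taken from the article, not from the researchers' tooling):
# Meta Pixel -> Facebook/Instagram apps via WebRTC/STUN on 12580-12585; Yandex Metrica -> 29009, 30103.
META_PORTS = set(range(12580, 12586))
YANDEX_PORTS = {29009, 30103}
# A socket bound to a wildcard address is reachable over loopback as well.
LOOPBACK_OR_WILDCARD = {"127.0.0.1", "::1", "0.0.0.0", "::", "*"}

# Constructed sample of `adb shell ss -Hltnu` output (assumed columns: Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 127.0.0.1:12580 0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:12583 0.0.0.0:*
tcp   LISTEN 0 50  127.0.0.1:29009 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5555    0.0.0.0:*
tcp   LISTEN 0 128 [::1]:30103     [::]:*
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

def parse_ss(output: str) -> list[Listener]:
    """Turn ss listener lines into Listener records, skipping malformed lines."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, _, port = cols[4].rpartition(":")   # handles "[::1]:30103" too
        if not port.isdigit():
            continue
        listeners.append(Listener(cols[0], addr.strip("[]"), int(port)))
    return listeners

def flag_tracking_listeners(listeners: list[Listener]) -> dict[int, str]:
    """Map each loopback-reachable port from the report to the tracker family it is tied to.
    A hit is an indicator only: confirm the owning app with `ss -p` (needs root) before acting."""
    hits = {}
    for l in listeners:
        if l.addr not in LOOPBACK_OR_WILDCARD:
            continue
        if l.port in META_PORTS:
            hits[l.port] = "meta-pixel-range"
        elif l.port in YANDEX_PORTS:
            hits[l.port] = "yandex-metrica-range"
    return hits
```

On a real device, feed it the output of `adb shell ss -Hltnu` instead of the sample; unrelated software may legitimately use the same port numbers, so treat a hit as a lead for review rather than proof.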
The result? A bridge between anonymous web visits and persistent device identifiers—without the user ever being informed.
This localhost-based tracking runs without user interaction or informed consent, and researchers demonstrated that a malicious third-party app could exploit the same ports to harvest browsing history.
“Browsers such as Chrome, Firefox and Edge are susceptible… Brave browser was unaffected… DuckDuckGo was only minimally affected.”
Crawling the top 100,000 websites revealed that:
- Meta Pixel initiated localhost communications on ~78% of sites even without consent
- Yandex Metrica did the same on ~84% of sites
After the researchers disclosed the issue:
- Meta removed the localhost-tracking code as of June 3, 2025.
- Yandex has likewise stopped the practice described in the report.
- Google Chrome v137 and Firefox v139 introduced countermeasures to block the abused ports and disable SDP munging.
Still, no documentation or prior disclosure from Meta or Yandex exists about these tracking techniques. On developer forums, complaints about Pixel accessing localhost were left unanswered.
This research exposes a powerful cross-context tracking method that undermines Android’s privacy model and standard web tracking defenses.
As the authors warn:
“These trackers perform this practice without user awareness, as current privacy controls… are insufficient to control and mitigate it.”
Browser vendors and mobile platforms must adopt stronger, user-facing alerts for localhost access, stricter port access policies, and enforce transparent documentation for third-party SDK behaviors.