
Meta and Yandex Exposed: Android Users' Browsing History Unmasked!

2025-06-03

Author: Olivia

Revealing the Shocking Truth of Online Privacy

In a dramatic turn of events, researchers have uncovered that tech giants Meta and Yandex are exploiting loopholes in internet protocols to de-anonymize Android users. This clandestine operation involves embedding tracking codes into millions of websites, forcing browsers like Chrome to unknowingly transmit unique identifiers to native apps on users' devices.

The Deceptive Tracking Technique

Using tools such as Meta Pixel and Yandex Metrica, both companies have found a way to bypass critical security measures built into the Android operating system. These measures normally isolate processes from one another to safeguard sensitive data, yet the new tracking method crosses that boundary, linking web browsing to app activity.

"What this allows is a breach of the sandbox protection that is vital for online security," explains Narseo Vallina-Rodriguez, a researcher involved in the discovery. This tactic facilitates a direct communication line between the browsing and app contexts, leading to an alarming breach of user privacy.

From Browsing to Identification: The Unseen Connection

The covert tactics, initiated by Yandex in 2017 and adopted by Meta in 2022, empower both organizations to link user identities across various platforms. By using cookies and other identifiers from browsers like Firefox and Chromium, they can establish a detailed profile of users, even when they believe they are browsing privately.

So far, these tracking methods appear to target only Android systems, although vulnerabilities in iOS could potentially allow similar breaches.

The Browser Battle: Who’s Protecting Your Privacy?

This troubling discovery has not gone unnoticed by Google, which has vowed to investigate the misuse of its platform. A spokesperson acknowledged that such activities violate the privacy expectations of Android users and asserted the company's commitment to tackling these invasive practices.

Meta has chosen to remain tight-lipped on the issue but has paused certain features while engaging in discussions with Google to clarify policies surrounding these practices. Meanwhile, Yandex has not provided any comment.

The Technical Intricacies of the Breach

Both Meta Pixel and Yandex Metrica exploit basic browser functionalities that allow communication between browsers and native apps. This manipulation enables browsers to unwittingly send data to specific local ports that these apps monitor.

The research has demonstrated how Meta Pixel utilizes WebRTC and a complex technique known as SDP munging to relay user identifiers seamlessly to its apps, effectively keeping the surveillance invisible.
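
The two mechanisms described above, seen from the defender's side. This is an added example, not code from the article or the researchers: it flags requests that a public web page sends to the device's own loopback address, and lists SDP lines a script changed between createOffer() and setLocalDescription(). The log format, hostnames, ports and SDP values are constructed for illustration.

```javascript
// Added example. Sample data is constructed; hosts and ports are placeholders.

// True when the hostname names the device itself (loopback).
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/);
  return m !== null && Number(m[1]) === 127; // all of 127.0.0.0/8
}

// entries: [{ pageUrl, requestUrl }], e.g. exported from a proxy or HAR capture.
function findLoopbackRequests(entries) {
  return entries.filter(({ pageUrl, requestUrl }) => {
    let page, req;
    try {
      page = new URL(pageUrl);
      req = new URL(requestUrl);
    } catch {
      return false; // unparsable entry: nothing to classify
    }
    // A local dev page calling itself is expected; a public page doing so is not.
    return !isLoopbackHost(page.hostname) && isLoopbackHost(req.hostname);
  });
}

// SDP munging: the script edits the SDP between createOffer() and
// setLocalDescription(). Returns the lines that were added or rewritten.
function sdpMungedLines(generatedSdp, appliedSdp) {
  const original = new Set(generatedSdp.split(/\r?\n/).filter(Boolean));
  return appliedSdp.split(/\r?\n/).filter((l) => l && !original.has(l));
}

const SAMPLE_LOG = [ // constructed request log
  { pageUrl: "https://shop.example/cart", requestUrl: "https://cdn.example/app.js" },
  { pageUrl: "https://shop.example/cart", requestUrl: "http://127.0.0.1:9999/?id=constructed" },
  { pageUrl: "https://news.example/", requestUrl: "ws://localhost:9998/" },
  { pageUrl: "http://localhost:3000/", requestUrl: "http://localhost:3000/api" },
  { pageUrl: "https://news.example/", requestUrl: "http://[::1]:9997/p" },
];
// Constructed SDP pair; the rewritten attribute is chosen only for illustration.
const GENERATED_SDP = "v=0\r\na=ice-ufrag:Qx7f\r\na=ice-pwd:constructedpwd\r\n";
const APPLIED_SDP = "v=0\r\na=ice-ufrag:constructed-id-123\r\na=ice-pwd:constructedpwd\r\n";

console.log(findLoopbackRequests(SAMPLE_LOG).map((e) => e.requestUrl));
console.log(sdpMungedLines(GENERATED_SDP, APPLIED_SDP));
```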

Fighting Back: What Browsers Are Doing

In response to these alarming tactics, some browsers are stepping up their game. For instance, DuckDuckGo and Brave have put blocklists in place to stop the intrusive scripts linked to these trackers, while others are already rolling out features to curb identifier sharing.

Despite these advances, experts caution that current fixes could be temporary. As Vallina-Rodriguez notes, the tech world is constantly evolving, and what works today may be bypassed tomorrow.

The Call for Comprehensive Solutions

Researchers advocate for a thorough overhaul of how Android manages access to local ports as the ideal solution. Enhancing transparency and control for users regarding these communications could promise a better future for online privacy.

The quest for user privacy continues, but with powerful entities like Meta and Yandex pushing the boundaries, the fight is far from over.