
Meta Pixel Scraps Covert Localhost Tracking: What You Need to Know
2025-06-03
Author: Liam
The Shocking Truth Behind Meta and Yandex's Localhost Tracking
In a startling revelation, security researchers have uncovered that Meta and Yandex exploited native Android apps to tap into localhost ports, essentially linking user browsing data to personal identities. This method allowed them to evade conventional privacy safeguards, raising immediate concerns.
A Quick Response from Meta
After this troubling disclosure, Meta swiftly modified its Pixel script, ceasing the transmission of data to localhost and largely eliminating the tracking code. This move appears to be a strategic effort to comply with Google Play's stringent policies that ban covert data collection within apps.
A Meta spokesperson remarked, "We are in discussions with Google about possible misunderstandings regarding the application of their policies. We chose to pause the feature while we seek clarity on the issue." However, they declined to provide further details on the specifics of their communications with Google.
What the Researchers Discovered
A recent report highlights a collaboration among researchers from IMDEA Networks in Spain, Radboud University in the Netherlands, and KU Leuven in Belgium. They detailed how both Meta and Yandex used native apps like Facebook, Instagram, and Yandex's own services to harvest web cookie data via localhost.
Localhost, a self-referential loopback address, typically lets developers test server-based applications locally. However, these researchers found that by quietly listening on fixed local ports, the apps could gather sensitive data such as metadata and cookies from browsers.
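A defender can check a device for this kind of listener. The following is an added example, not code from the article or from the researchers: it parses text in the Linux /proc/net/tcp format and reports listening sockets owned by app UIDs that a local browser could reach. It assumes IPv4 only and that Android app UIDs start at 10000; the sample rows and port numbers are constructed.

```python
import socket
import struct

APP_UID_START = 10000   # assumption: Android assigns installed apps UIDs from 10000 upward
TCP_LISTEN = 0x0A       # socket state code for LISTEN in /proc/net/tcp
REACHABLE = {"127.0.0.1", "0.0.0.0"}  # bind addresses a browser on the same device can reach

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10187        0 51002
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 51003
   3: 0501A8C0:A3F2 5DB8D85D:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 51004
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); the IPv4 word is little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def app_loopback_listeners(proc_net_tcp):
    """Return sorted (uid, ip, port) for LISTEN sockets owned by app UIDs."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue                                # ignore truncated rows
        ip, port = decode_addr(cols[1])
        state, uid = int(cols[3], 16), int(cols[7])
        if state == TCP_LISTEN and uid >= APP_UID_START and ip in REACHABLE:
            found.append((uid, ip, port))
    return sorted(found)

if __name__ == "__main__":
    for uid, ip, port in app_loopback_listeners(SAMPLE):
        print(f"uid={uid} listening on {ip}:{port}")
```

Rows owned by system UIDs and sockets in other states, such as established outbound connections, are skipped, so the output lists only app-owned listeners to review.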
Privacy Under Threat: How They Did It
The researchers revealed that by tapping into localhost, Meta and Yandex managed to bypass typical privacy measures. They were able to link browsing sessions and cookies to individual user identities, effectively undermining users' expectations of anonymity in web browsing.
For example, when a user simultaneously opens Facebook or Instagram while visiting a website with the Meta Pixel, the app listens for incoming data—allowing the Meta Pixel scripts to funnel tracking information directly to it.
A Closer Look at the Eavesdropping Technique
The tracking mechanism involves various protocols. Meta uses a method called SDP munging to modify data packets before sending them to the browser, which makes the transfer almost impossible for standard security measures to detect.
Researchers have tracked the implementation of this scheme back to September 2024, when data began to be transmitted. The practice appears to have halted as of June 2025. Yandex's tracking methods, by contrast, have been in place since 2017.
Steps Taken to Address the Issue
In response to these findings, Android browser vendors have implemented fixes. Chrome recently rolled out updates to block the SDP munging technique used by Meta, and Mozilla is developing its own solution. Meanwhile, browsers like Brave and DuckDuckGo have fortified their defenses against such vulnerabilities.
This situation underscores the ongoing battle for user privacy in an increasingly data-driven world, leaving many to wonder what the future holds for personal data security.