Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.
This is the process through which Meta (Facebook/Instagram) managed to link what you do in your browser (for example, visiting a news site or an online store) with your real identity (your Facebook or Instagram account), even if you never logged into your account through the browser or anything like that.
Meta accomplishes this through two invisible channels that exchange information:
(i) The Facebook or Instagram app running in the background on your phone, even when you’re not using it.
(ii) Meta’s tracking scripts (the now-pulled illegal brainchild uncovered last week), which operate inside your mobile web browser.
I did a ‘download all your data’ on Facebook a while back and there wasn’t anything about my tracked browser history. Does this mean they’ve also violated the “users should be able to see the data you have on them” article of the GDPR as well?
I’m guessing they’re trying to hide behind weasel shit about the ids being anonymized or something as though it wasn’t trivially easy for them to deanonymize…
I can’t remember which one of my phones, probably a Samsung that had Facebook installed and couldn’t get rid of it. People were like, you can just not open it or something. There’s a good reason I don’t want it on my device.
yup. some samsungs also have a hidden “meta services” app thats not uninstallable too.
I had one of theirs like that. You could disable it instead of uninstall, and this wouldn’t happen, but you couldn’t uninstall it.
The real fun started with Android 12. Google introduced the ability for some preloaded apps to avoid being disabled and prevent ADB shell disable.
Meta is cancer for any platform.
I feel my mobile becomes dirty once I download any of that shit.
Same Unfortunately, I use Marketplace for some things and Meta made it damn near impossible to use a browser for posting marketplace listings and responding to DM’s
I live in a slightly less developed country where as far as 90% of the population are concerned, Facebook is the internet.
I hate it with a passion, but if I don’t have a login then there’s no way for me to find details of pretty much any business or event in the city.
Craiglist and eBay still exists
Yes, but Facebook has more people so the items I’m selling typically get picked up pretty fast.
This is the problem with the network effect, everybody using marketplace is saying the same thing. I’m not trying to shame you in particular for this or anything but I think it’s important to consider that at some point if we don’t just make the move off anyway, nobody ever will
That’s a ridiculous assertion. More items that EBay? Where’d you get that idea?
People are generally closer physically in Facebook marketplace compared to the global eBay market.
This is a big factor for me. Attracting local people means that I can meet up in person and not have to spend additional money for shipping ,or worry that the item arrived damaged or is lost during transit.
Can they do this on iPhone
Also they can only do this if you got fb installed right? Cause I uninstalled insta a while ago
Any meta service no just FB
I’m asking if they can still do this if u uninstalled the app on iPhone, the post talks abt android
Who says any of my
stalkingOSInt accounts is my real identity?Edit: /s ofc. Who would use those crappy apps on phone anyway.
I block Meta via NextDNS, living that Zuck free life is good.
Since January Google has been using browser fingerprinting and IP triangulation to track across incognito windows.
Meta wants in the game as well. Nothing done on a phone with Meta apps is done in isolation.
Edit: seems like only vanilla mobile browsers affected. Brave was not vulnerable, DDG minimally so, and I expect Iron/Waterfox with uBlock would also not have allowed tracking.
https://securityonline.info/androids-secret-tracking-meta-yandex-abused-localhost-for-user-data/
What is IP triangulation?
Let’s say you use a VPN, and all your internet traffic comes from an IP in London. 178.238.10.1.
It doesn’t matter if you have a VPN, if you log in to anything with any account tied to your real name (yourname@gmail.com), your email and anything done on that London IP are all linked. Google builds a profile on you based on the activity on that IP. AND your browser profile. Private/incognito window or not, if there’s a Google tracker on the site, they connect it all. Google doesn’t care about private windows. If you go to reddit in a private window on the same IP as your gmail, Google sees that and tracks every page you look at.
So let’s say that you log into your email from work. Google now has a treasure trove of new info about you and people you know. Same for FB, who uses the fact that you and someone else were logged on from the same IP range to suggest new friends.
Let’s pretend that you live in China and still have access to a VPN and want to learn about the Tienanmen Square Massacre. But the government can ask Google about you. What do you need?
- an IP never ever used with an account associated with an account with your real name.
- a no-log VPN that won’t tattle on you if asked what sites did you access on a specific date.
- a browser fingerprint never ever associated with an account tied to your real name.
Or you could just not use their toxic bullshit. I haven’t logged into Facebook in like 6 years.
Yeah, but they’ll still create a shadow profile on you and track your data anyway. Have a friend with an account? Your name and phone number is known to them. Even without a true identity attached, they will track you from your own devices, and then correlate that with everything else they can at every opportunity.
Also, Facebook is preinstalled as a system app (cannot be uninstalled without adb) on various manufacturer’s and carrier’s android builds.
friend
Lmao, y’all have friends? 🤣💀
IIRC Facebook was not installed by default on my Samsung A32, and there is no trace of it now so I don’t think I removed it. shrug Otherwise, use privacy features in your browser/on your device
Be brave, do it. I just did it a few months ago. Just push the trigger and delete it. Let it go. They will of course keep the data, but at least not legally anymore.
I haven’t deleted it because there are a couple of people I might theoretically need to get in touch with at some point that I don’t have contact with otherwise.
Fair enough.
I held on to this possibility for similar reasons for years, but after some honest self reflection I cannot say there would be anyone from my past life who is still important and I have no other means to contact, my Facebook bubble from 10 years ago and more is long dead, i.e. similarly inactive.
Maybe giving people an email address, phone number or username somewhere else via Facebook message before leaving for good could also be a solution.
You can still use a browser for that occasion. Meanwhile the app is doing things in the background.
I haven’t had the app installed since I got my phone. I don’t believe it was installed by default, or if it was I removed it immediately.
Yeah, but I saw it this time. And thus, got to learn.
So iOS was safe?
Yes
Score one for the “walled garden”
So would using Firefox and group containers protect against this?
Nah, the script connects to a server run by the Instagram or Facebook app and feeds it info, bypassing isolation mechanisms entirely. I think ublock or other script-blocking add-ons might work though.
I think ublock or other script-blocking add-ons might work though.
presumably it would block entire thing at the loading of the pixel script. talking out of my ass
A robot told me: The Meta/Yandex exploit worked by having JavaScript running on a website (such as Meta Pixel) connect from the browser to a native app on the same device via the localhost (127.0.0.1) interface, using HTTP, WebSocket, or WebRTC. This communication occurs entirely within the device and does not traverse the network in a way that browser extensions like uBlock Origin can intercept or block. Browser extensions generally cannot block or even see requests made to localhost sockets, especially when those requests are initiated by scripts running in the browser and targeting native apps on the same device
Yeah but if the script which initiates the connection to the local server is blocked there’s no connection to intercept in the first place.
It says Firefox was also affected. They just mention Brave as not being affected
