Covert web-to-app tracking via localhost on Android
328 comments
June 3, 2025
merek
This is the overall process used by Meta as I understand it, taken from https://localmess.github.io/:
1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.
2. User visits website on the phone's browser, say something-embarassing.com, which happens to have a Meta Pixel embedded. From the article, Meta Pixel is embedded on over 5.8 million websites. Even in Incognito mode, they will still get tracked.
3. Website might ask for user's consent depending on location. The article doesn't elaborate, presumably this is the cookie banner that many people automatically accept to get on with their browsing?
4. > The Meta Pixel script sends the _fbp cookie (containing browsing info) to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
You won't see this in your browser's dev tools.
5. Through the logged-in app, Meta can now associate the "anonymous" browser activity with the logged-in user. The app relays _fbp info and user id info to Meta's servers.
Also noteworthy:
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
> On or around May 17th, Meta Pixel added a new method to their script that sends the _fbp cookie using WebRTC TURN instead of STUN. The new TURN method avoids SDP Munging, which Chrome developers publicly announced to disable following our disclosure. As of June 2, 2025, we have not observed the Facebook or Instagram applications actively listening on these new ports.
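The step that makes this work is an app holding an open port on the loopback interface, which any other app or the browser can reach without a permission prompt. The following is an added example, not code from the localmess report or from Meta: a small audit that parses `ss -ltnp` output (as you would get from `adb shell ss -ltnp`; the presence of iproute2 `ss` on the device and its Linux-style column layout are assumptions) and flags loopback-only listeners held by non-allowlisted processes. The sample output, the package names and port 12580 are constructed; port 12388 is the one mentioned later in the thread.

```python
"""Flag apps listening on loopback-only TCP ports from `ss -ltnp` output."""
import re
from dataclasses import dataclass

# Constructed sample (not captured from a real device): two loopback listeners
# owned by an app-like process, one wildcard listener, and one system daemon.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      127.0.0.1:12388      0.0.0.0:*          users:(("com.example.social",pid=4242,fd=88))
LISTEN  0       50      127.0.0.1:12580      0.0.0.0:*          users:(("com.example.social",pid=4242,fd=89))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("com.example.userland",pid=5150,fd=12))
LISTEN  0       4096    127.0.0.1:5037       0.0.0.0:*          users:(("adbd",pid=901,fd=7))
"""

LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}
# Processes that legitimately hold a loopback listener on a typical device.
# This allowlist is an assumption for the example; tune it per device.
KNOWN_SYSTEM = {"adbd"}

@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int

# Matches the users:(("name",pid=N,fd=N)) field that `ss -p` appends.
_PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')

def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -ltnp` lines into Listener records, skipping the header."""
    out = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 literals such as [::1] intact.
        addr, _, port = cols[3].rpartition(":")
        m = _PROC_RE.search(line)
        if not m or not port.isdigit():
            continue
        out.append(Listener(addr, int(port), m.group("name"), int(m.group("pid"))))
    return out

def suspicious_loopback_listeners(listeners: list[Listener]) -> list[Listener]:
    """Return loopback-only listeners held by processes outside the allowlist.

    A loopback port is reachable by every app on the device and by the browser
    without any permission, which is exactly the channel the thread describes.
    """
    return [l for l in listeners
            if l.addr in LOOPBACK_ADDRS and l.process not in KNOWN_SYSTEM]

def group_by_process(listeners: list[Listener]) -> dict[str, list[int]]:
    """Map each process name to the sorted list of ports it listens on."""
    grouped: dict[str, list[int]] = {}
    for l in listeners:
        grouped.setdefault(l.process, []).append(l.port)
    return {name: sorted(ports) for name, ports in grouped.items()}

if __name__ == "__main__":
    # Replace SAMPLE_SS_OUTPUT with the real `adb shell ss -ltnp` output.
    for name, ports in group_by_process(
            suspicious_loopback_listeners(parse_ss(SAMPLE_SS_OUTPUT))).items():
        print(f"{name}: loopback listeners on ports {ports}")
```

The wildcard 0.0.0.0:8080 listener is deliberately left out of the loopback report; a check for cross-profile reachability of such ports is a separate question.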
consumer451
> something-embarassing.com,
Depending on the country that you or your family lives in, this could be far worse than embarrassment.
refulgentis
Thank you! This was a powerful reminder of how important it is to be careful with our words and cover all possibilities when commenting, and additionally, holding ourselves to account for our reading. I was a bit stunned at how I just sort of...flitted through? browsed? skimmed?...well, let's put it plainly: irresponsibly claimed to myself to have read and understood this. Meanwhile, I had completely neglected to notice this goes far beyond embarrassment. It's quite damning that I entirely missed that the consequences of someone knowing someone's entire browsing history aren't just mere "embarrassment": first, there are plenty of contexts where it could even lead to state activity and my eventual imprisonment. We can even show that some countries punish the family still in a given country for the perceived "sins" (shorthand, I mean violating laws / actions against power, apologies for sloppiness here) of an individual outside the country. I should have at least thought to acknowledge that it could go beyond embarrassment - your framing may even be too polite, to readers like me, who neglected to consider this.
codedokode
So the main application for WebRTC is de-anonymisation of users (for example getting their local IP address). Why it is not hidden behind a permission, I don't understand.
afavour
The main application for WebRTC is peer to peer data transfer.
I think you can make the argument that it should be behind a permission prompt these days but it's difficult. What would the permission prompt actually say, in easy to understand layman's terms? "This web site would like to transfer data from your computer to another computer in a way that could potentially identify you"? How many users are going to be able to make an informed choice after reading that?
deepsun
Let it show "Use WebRTC?".
If users don't understand, they click whatever. If the website really needs it to operate, it will explain why before requesting, just like apps do now.
Always aim for a little more knowledgeable users than you think they are.
bayindirh
When enrolling Yubikeys and similar devices, Firefox sometimes warns "This website requires extra information about your security device which might affect your privacy. Do you want to give this information? Refusing might cause the process to fail."
You can use a similar language for WebRTC.
account42
TFA lists tens of thousands of websites using WebRTC for deanonymization. How many websites using it for P2P data transfer can you list?
n_plus_1_acc
What about "This website would like to connect to the Instagram App and may share your browsing history and other personal details."
mindslight
Browser functionality needs a hard segmentation into disparate categories like "pages" and "apps". For example, Pages that you're merely intending to view don't need WebRTC (or really any sort of network access beyond the originating site, and even this is questionable). And you'd only give something App functionality if it was from a trustable source and the intent was to use it as general software. This would go a long way to solving the other fingerprinting security vulnerabilities, because Pages don't need to be using functionality like Canvas, USB, etc.
codedokode
The website wants to connect to another computer|another app on your computer.
Most users probably will click "No" and this is a good choice.
hulitu
> The main application for WebRTC is peer to peer data transfer.
But not for the user.
miloignis
The existing killer app for WebRTC is video chat without installing an app, which is huge.
Other P2P uses are very cool and interesting as well - abusing it for fingerprinting is just that, abusing a user-positive feature and twisting it for identification, just like a million other browser features.
account42
You mean just like a million other "user-positive" browser features pushed by the biggest tracking company there is.
dominicrose
Because the decision makers don't care about privacy, they only want you to think that you have privacy, thus enabling even more spying. One solution is to not use the apps and websites from companies that are known to abuse WebRTC or something else.
NoahZuniga
This is not unique to WebRTC. The same result could be achieved by sending an HTTP request to localhost. The only difference in this case is that using WebRTC doesn't log an HTTP request.
codedokode
The browser could refuse to connect to localhost. I think there are browsers that refuse (i.e. to prevent attacking a router config interface).
nuker
> 1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.
I happened to be immune, I disabled Background App Refresh in iOS settings. All app notifications still work, except WhatsApp :(
https://forums.macrumors.com/threads/any-reason-to-use-backg...
tonyhart7
> except whatsapp
> company checks out
fluidcruft
Not totally following but it sounds like you are saying one of the things they have been doing involves abusing mandated GDPR cookie notices to secretly track people?
threecheese
Yes? The cookie in question is First Party, which means you’ve consented to permitting only that party to track you using it, and not permitting its use for wider behavioral tracking across websites.
However, the locally hosted FB/Yandex listener receives all of these first party cookies, from all parties, and the OP's implication is (I think) that now these non-correlatable-by-consent first party cookies can be or are being used to track you across all sites that use them.
threecheese
Not only did you only consent to the one party using it, but the browser has robust protections in place to ensure that these cookies are only usable by that party. This “hack” gets around the restriction completely, leveraging a local service to aggregate all the cookies across sites.
danieldk
IANAL, but it's not GDPR-conformant consent in any way. Consent needs to be informed, unambiguous, and freely given to be valid and should be easy to reject. The only way for this to be valid would be a consent form with something like:
Allow Meta tracking to connect the Facebook or Instagram app on your device to associate visits to this website with your Meta account. Yes/No (With No selected as a default.)
I am pretty sure that this is a grave violation of the GDPR.
jeroenhd
That's probably already part of the consent form websites pop up listing 200 different trackers. If you permit data sharing with Facebook/IG/Meta in the consent form, you're consenting to tracking in general, not just cookie-based tracking.
"No" doesn't even need to be selected as a default, as long as you don't use dark patterns. Making the user manually click yes or no is perfectly valid (as long as you don't make "yes" easier than "no", so if you add an "allow all" button there should be an equally prominent "deny all" button).
scott_w
Which, on the face of it, sounds like a violation of the GDPR...
fluidcruft
The intent of these laws is just so obtuse and unclear! And beyond that, complying is technically impossible to implement, but you could only understand that if you were a rocket scientist PhD computer science whizkid making $$$$k in California, which isn't that much in such a high cost of living area, donchaknow. /sardonic
gruez
>abusing mandated GDPR cookie notices to secretly track people?
How does that even work? What can GDPR cookie notices do that the typical tracker can't do?
salawat
The cookie preference pop-up is a cookie. To track your preference, they need a cookie. We legally mandated a cookie. They're using the cookie regardless. But no one will call them on it until a critical mass is reached to get cases in a sufficiently large number of jurisdictions to curtail the behavior.
SideburnsOfDoom
> User logged into FB or IG app. The app runs in background
So a takeaway is to avoid having Facebook or Instagram apps on your phone. I'm happy to continue to not have them.
Any others? e.g. WhatsApp. Sadly, I find this one a necessary communication tool for family and business in certain countries.
3abiton
A reminder that it's possible to use tools like XPL-EX to circumvent those attempts. Also ad blocking via adaway would do the trick here I assume, as it should block Meta Pixel tracking. Overall, awful approach.
voidUpdate
I wish we could just ban advertising and tracking on the internet. I feel like so much crap these days has come out of it, all so that CEOs can afford an extra yacht
nedt
It's already enough to just have plain ads. Like we have them on the streets, at the bus station, in newspapers, etc. No tracking needed at all, just give out the message. If you need to target people, do it in the context of the place or content you are showing it with. But you don't need to know anything about the user seeing the ad. Targeting by user doesn't work anyway.
gbalduzzi
> Targeting by user doesn't work anyway.
How did you reach this conclusion? The main problem is that it works way better than traditional marketing medium.
It's the reason Google and Facebook are so massive, why would publishers choose to pay them if it doesn't work?
Doxin
> why would publishers choose to pay them if it doesn't work?
Because they believe it works and it's impossible to prove otherwise?
throwanem
By the same logic cigarettes are presumptively beneficial...
porridgeraisin
Depending on the data you collect, targeting by user - unfortunately - works. If the granularity is not one user, it will be a hundred. If not, a thousand, and so on. I've seen apps run ads targeting a total of 5 cohorts(together holding a hundred million users), and I've seen companies run ads targeting 100s of cohorts with the same number of users. They all work better than no targeting at all.
However, what you're saying isn't completely wrong. I've also seen user targeting become a self-fulfilling prophecy. What happens is that it's championed by a high level executive as the panacea for improving revenue, implemented, and seen to not work. Now, as we all know, the C*O is Always Correct, so everything else around it is modified until the user-level targeting A/B test shows positive results. Usually this ends up in the product being tortured into an unusable mess.
bandrami
I don't think it has to go that far. I think there's a middle ground here that people would accept: show us ads, but make it a one-way firehose, like TV and billboards. If you need to advertise to pay for the site, put up all the banners you want. But don't try to single me out for a specific one.
If it could pay for network TV there's no reason it can't pay for a website.
(You could still do audience-level tracking, e.g. "Facebook and NCIS are both for old people, so advertise cruises and geriatric health services on those properties")
Hilift
Reddit has fairly extensive device fingerprinting. And they are selling data for training AI models. It's only a matter of time before there is some premium phone app that monetizes data that otherwise isn't available/for sale.
dan15
The majority of internet users are either unwilling or unable to pay for content, and so far advertising has been the best business model to allow these users to access content without paying. Do you have a better suggestion?
danieldk
They are able, because in the end advertising is also paid by customers. The complications are:
- Paying for services is very visible, whereas the payment for advertising is so indirect that you do not feel like you are paying for it.
- The payments for advertising are not uniformly distributed, people with more disposable income most likely pay more of overall advertising. But subscriptions cannot make distinctions between income.
- People with disposable income are typically the most willing to pay for services. However, they are also the most interesting to advertisers. For this reason, payment in place of ads is often not an option at all, because it is not attractive to websites/services.
I think banning advertising would be good. But I think a first step towards that would be completely banning tracking. That would make advertisements less effective (and consequently less valuable) and would pose services to look for other streams of income. Plus it would solve the privacy issue of advertising.
porridgeraisin
This!
It's a game. When a merchant signs up to an ad platform (or when the platform is in need of volume), they are given good ROI, and the merchant also plays along and treats it as "marketing expenditure". Eventually, the ROI dries up, i.e. the marketing has saturated, and the merchant starts counting it as a cost and passes it on to the customer. I don't know if this is actually done, but it's also trivial for an ad platform to force merchants to continue ads by making them feel it's important: when they reduce their ad volume, just boost the ROI and visibility for their competitors (a competitor can be detected purely by shared ad space, no need to do any separate tagging). Heck, this is probably what whatever optimization algorithm they are running will end up suggesting, as it's a local minimum in feature space.
And yes, instead of banning ads, which would be too wide a legal net to be feasible, banning tracking is better. However, even this is complicated. For example, N websites can have legitimate uses for N browser features. But it turns out any M of the N features can be used to uniquely identify you. Oops. What can you even do about that, legally speaking? Don't say permissions; most people I know just click allow on all of them.
_Algernon_
Internet users pay for their services by everything they buy being more expensive due to the producers having to cover the advertising expenses.
rhubarbtree
I think that might be a rhetorical device bequeathed to you by the social media companies.
People of course do pay for things all the time. It’s just the social media folks found a way to make a lot more money than people would otherwise pay, through advertising. And in this situation, through illegal advertising.
The best thing we can all do is refuse to work for Meta. If good engineers did that, there would be no Meta. Problem solved. But it seems many engineers prefer it this way.
FuckButtons
Sure, this entire business model has been cataclysmic for traditional media organizations and news outlets, and people's trust in institutions has plummeted in correlation, so, let’s just fucking scrap it and go back to paid media.
geoffpado
"Traditional media organizations" have been primarily funded by advertising longer than anyone on HN has been alive.
bandrami
I don't pay for network TV but it still gets produced
thevinter
And it is funded by ads, what's your point?
mrguyorama
>The majority of internet users are either unwilling or unable to pay for content
Except for Spotify, News subscriptions, videogame subscriptions, video streaming services, duolingo, donations, gofundmes, piracy services!, clothing and food subscriptions! etc etc
People pay $10 for a new fortnite skin. You really pretending they won't pay for content?
People were willing to pay for stuff on the internet even when you could only do so by calling someone up and reading off your credit card number and just trusting a stranger.
Meanwhile, the norm until cable television for "free" things like news was that you either paid, or you went to the library to read it for free.
Maybe people could visit libraries more again.
udev4096
It's impossible and we all know it. Instead, donate or help with the huge adblock lists that are being maintained by a lot of people
kbenson
A lot of things I would have previously said were impossible have happened in the last half year. If only a few of those things were of the impossibly good type.
voidUpdate
As said in a reply to a sibling comment, I am very aware. This is wishful thinking
crowcroft
The question is how do you ban it, and then how do you prove that people are breaking those rules?
numpad0
By defining the $thing, banning the $thing per definition by law, and then tasking an FBI-like organization to enforce the law? It won't completely go away but it will subside, like how gambling on the Internet is divided into lootbox games without cashing features and straight up scam underground casinos.
Personally I think we should start from separating good old ads(that existed before I was 15) and Internet "ads". The old ads were still somewhat heavily targeted, but less than it is now. There probably would be an agreeable line up to which level advertisement efforts can be perverted.
crowcroft
I mean the comparison of ‘old’ ads vs new ads is interesting in itself, old ads already abide by far more regulation and are far more auditable. Simply bringing digital ads in line would be a big step forward.
Some examples:
In most countries it’s illegal to ‘target minors’ and there are restrictions on what ads can run after school hours. Meta has always allowed age targeting down to 13 and has no time of day restrictions.
In parts of New Zealand you can’t advertise alcohol between 10PM and 9AM… unless you do it on Meta or Google.
Most countries have regulation about promoting casinos (or the inability to) unless they’re digital casinos being promoted in digital ads.
Or just look at the deepfake finance and crypto ads that run on Meta and X. Meta requires 24 strikes against an advertiser before they pull them down, if a TV network ran just one ad like that it would be a scandal.
Audit-ability is the biggest issue imo. If a TV ad runs we can all see it at the same time and know it ran. That is simply impossible with digital ads, and even when Meta releases some tools for auditing the caveat is that you still have to trust what they’re releasing. Similarly with data protection there’s no way to truly audit what they’re doing unless you install government agencies in the companies to provide oversight, and I don’t see how you could really make that work.
the_sleaze_
Yes - although I disagree on one point.
All we need to do is define the $thing and mandate that lawsuits can be effective.
No agency enforces that potato chips need to fill up 92% of the bag or whatever, or that McDonalds cannot show pictures of apple fritters with more apples than they actually come with (this happened).
You just incentivize a cottage industry of legal that can squeeze a profit out of suing peanut butter companies for labelling incorrectly, or advertising dishonestly and it sort of takes care of itself.
lucianbr
I think the main problem is lots of money are made from it, and money influences politics hugely. The technical difficulties are low on the list of reasons this is not happening.
voidUpdate
I know. It's wishful thinking that will never become a reality. I pray for a solarpunk future in the same way
fsflover
crowcroft
I like the idea, but where do you draw the line on what advertising is.
Is affiliate marketing still allowed? Are influencers allowed to take payment? Can people be a spokesperson for a company? Can newspapers run commentary about businesses? Can companies pay to be vendors at a conference?
No matter where you end up drawing the line you’re just shifting the problems somewhere else. Look at the amount of money Meta and Google make, the incentive is just too large.
Workaccount2
>all so that CEOs can afford an extra yacht
...and so consumers can use services/products without having to fork over money.
People love the ad-model. Given the option to pay or use the "ad-supported" option, the ad-supported one wins 10 to 1. This means in many cases it doesn't even make sense to have a paid option, because the ad option is just so much more popular.
As bad as crypto is, with all the negative things attached to it, BAT was probably one of the smartest things to be invented. A browser token that automatically dispenses micropayments to websites you visit. Forget all the details to get snagged on, the basic premise is solid: Pay for what you use. You become the customer, not the advertisers.
Also a note about ad-blocking - it only makes the problem worse. It is not a "stick it to the man" protest. You protest things by boycotting them, or paying their competitors, not by using them without compensating them.
account42
There is no such thing as a free lunch. Consumers on average are forking over the money. Otherwise no one would pay for advertising. And they are paying more than they would have otherwise since this dystopian tracking apparatus isn't free either.
SecretDreams
Yes, we need ads for a free internet, today. And, as a result, we also have our privacy eroded - eroded in ways we may not care about today, but will probably regret tomorrow.
If we must pay for the internet, give me an option to pay to use it where I see no ads and my privacy is preserved. Let me know what that cost is and I'll decide what I want to do.
Right now, the actual pricing is obscured so we just "accept" that the internet in its current form is how it needs to be.
charcircuit
>give me an option to pay
This will depress ad revenue as the people with the most money will be the people who pay to remove ads. This will make less sites and content viable.
rkomorn
I really liked the concept of BAT but the reality left me wanting.
Things like "we'll hang on to the tokens of sites that don't use BAT yet for them until they join" gave negative vibes.
It all felt a little underbaked. I swing back to Brave once in a blue moon and then remember I've got at least $20's worth of BAT lost forever somewhere.
Workaccount2
I'm not a big fan of it or anything, it's just the only crypto I know that was targeting that idea.
I'd love if there was another one that was totally open and just a browser extension away. But I do not think it would ever get off the ground because...
People love the ad model and hate paying for things.
pseudocomposer
The deprecation of third-party cookies, that all browsers were at one point on track to implement, was pretty much the most realistic first step to that. Which is why Google killed it last year by leveraging their control over Chrome.
While not technically a crime, it was a disgusting, unethical market manipulation move that never really got the public outrage it deserved.
Google execs’ initial support for it was also telling: leadership at Google must literally have thought they would find another way to stay as profitable as they are without third-party cookies. Put another way: Google leadership didn’t understand cookies as well as someone who’s taken a single undergrad web dev class. (Or they were lying all along, and always planned to “renege” on third-party cookie deprecation.)
IggleSniggle
I don't think that's quite what happened. Google got in anti-trust trouble because they have an unfair advantage in user-tracking, given logged in Chrome accounts. Removing third-party cookies hurts other privacy-invading companies without substantially affecting Google. It was still somewhat on track to be removed from Chrome until they lost their antitrust battle, and Chrome was required to be spun off. With Chrome's new future, and Google's new legal constraints, there's less incentive to try and make Privacy Sandbox work. At least, that was my understanding; I didn't follow it all that closely.
SquareWheel
This is very misleading. Google was prevented from disabling third-party cookies due to intervention by the CMA, who felt it would provide an unfair advantage over other advertisers. Google argued their case for years, proposed competing standards to act as a replacement (see Topics API), and eventually gave up on the endeavour altogether and simply made it a user toggle.
turtletontine
Google gets no competitive advantage from removing third party cookies from Chrome. The anticompetitive monopolistic tactic was the plan to replace third party cookies with FLoC/Privacy Sandbox/Topics API, and THAT is what they were not prevented from doing.
No one is trying to stop google from removing third party cookies. Google is just unwilling to remove them without introducing a new anticompetitive tracking tool to replace them.
skybrian
Most commenters on Hacker News hated Google’s plan and hoped it would fail. Were they wrong?
It seems like damned-if-you-do, damned-if-you-don’t.
threecheese
That stemmed from “dammit Google now every SaaS developer has to work nights to meet your arbitrary deadline”; here we’re caring more about the impact as consumers. It’s ok to think about things in two ways.
source: a developer who actually did have to do this (and did it, and now didn’t have to, but it’s done)
crawsome
Insidiously calling it "Privacy sandbox", and now setting everything opt-in every time I login to Chrome is really not Googly.
orbital-decay
Actual report: https://localmess.github.io/
>Google says it's investigating the abuse
That's a bit ironic, considering how they're using any side channel they could lay their hands on (e.g. Wi-Fi AP names) to track everyone. Basically every large app vendor with multiple apps does something similar to circumvent OS restrictions as well.
n2h4
If it were a small company, it'd have been delisted from Google's Play Store in an instant.
kriro
The EU should set some record breaking fines for this.
Maybe it's time to invent a tax that starts at 0% and goes up 1-X% every time your hand is caught in the cookie jar. And add a corresponding website where you can clearly see all violations by company.
like_any_other
There should also be fines, but individuals have gone to jail for less.
SchemaLoad
I agree they should. But I don't think the EU has any real ability to send American tech execs to jail. At most they can stop them doing business in the EU.
impossiblefork
I think mutual criminality is satisfied, so extradition is definitely possible.
Hilift
Meta makes $70 billion net per year, after fines.
bnpxft
Another reason not to install big tech's apps and only use their websites if you must.
Not only are their websites painful, which discourages use, websites are more sandboxed.
danieldk
I am not sure which Meta apps open ports, but e.g. Samsung phones come with a bunch of Meta apps pre-shipped. IIRC just removing the Facebook app is not enough; there is another service installed that is not visible as an app (com.facebook.services etc.), which you can only uninstall from the data partition with something like ADB/UAD.
Or buy an iPhone or a Pixel.
hereme888
I remember a few years ago analyzing a modern Samsung phone's web traffic. It had by far the most ad-related and monetizing connections out of any other phone I've ever seen. And they were part of "necessary" functions, so you couldn't just block that traffic.
Samsung has great tech, but I avoid them because it's so bloated and abusive.
someNameIG
My Samsung phone has Netflix, Spotify, and some Microsoft stuff installed, but nothing from Meta.
jmm5
The Pixel "Private Space" feature should prevent Meta apps from running in the background. It also prevents you from getting notifications.
johnisgood
I tend to buy stock Android, e.g. Motorola moto g30, etc. It still has lots of Google stuff, but you can get rid of them, and I have a work profile specifically designed for Google-related stuff, and my personal profile is de-Googled as much as possible.
danieldk
I would recommend everyone who wants a clean Android to look into Google Pixel phones. Aside from being mostly bloat-free (and most bloat can be uninstalled), it is one of the few phones that supports unlocking/relocking and a secure open source alternative (GrapheneOS).
pests
Article did mention Facebook and Instagram at some versions.
SchemaLoad
Samsung devices are loaded with malware and AI slop in general. I'd avoid them if you at all care about privacy. Since Google is still missing end to end encryption for cloud data, iOS seems like the only good choice currently.
danieldk
iOS sends data to metrics.apple.com, metrics.icloud.com, iadsdk.apple.com, etc. a lot. They are much better than Samsung (who send data to Samsung and other parties), but I am not convinced they are much better than Google devices. It's more who you prefer sending your data to.
In the end something like GrapheneOS is the only good choice. Has all the security features of Pixel (which is similar to iPhone) and the tracking of neither.
shuckles
> Not only are their websites painful, which discourages use, websites are more sandboxed.
This isn't remotely true. It is pretty trivial for a well-resourced engineering organization to generate unique fingerprints of users with common browser features.
rbits
Wouldn't native apps be even worse in that regard, most of the time?
dylan604
> *: Meta Pixel script was last seen sending via HTTP in Oct 2024, but Facebook and Instagram apps still listen on this port today. They also listen on port 12388 for HTTP, but we have not found any script sending to 12388.
> **: Meta Pixel script sends to these ports, but Meta apps do not listen on them (yet?). We speculate that this behavior could be due to slow/gradual app rollout.
So, could some other app send data to these ports with a fake message? I'm asking for a friend that likes to do things for science.
fshafique
Two ways to f#ck with these trackers - either send them nothing back, or flood them with lots of fake data.
Somebody also needs to come up with a way to peer to peer share advertiser tracking cookies.
GrantMoyer
Would an individual using this technique to collect information from someone else's computer possibly face prosecution under the Computer Fraud and Abuse act?
paxys
People have been prosecuted under that act for clicking "view source" on their web browser. The crime itself is irrelevant. It's more about who you are/what connections you have/who you piss off.
evilos
Has there actually been a conviction purely for "viewing source"?
pona-a
That was a real news story. A journalist looked at the state's educator-credentials checker, viewed the source and saw it had teacher's SSNs in base64 somewhere in the plaintext. Missouri Governor Mike Parson then tried to legally threaten the journalist. Honestly, if this case wasn't as high-profile, I think he might have got a conviction, at least in state court.
https://www.theregister.com/2022/02/15/missouri_html_hacking...
etherealG
exactly, the more interesting question: would anyone be willing to prosecute a Meta executive over this? Sadly, I expect no.
gruez
This only works if you control the code on both sides (ie. on the website being visited and an app running on the phone). It's not some sort of magic hack that allows you to exfiltrate arbitrary browser history. Therefore it's unclear how it can be construed as "hacking" in any meaningful way. As bad non-consensual tracking done by google/meta/whatever are, it's not covered under CFAA.
GrantMoyer
I agree it's not hacking, but the Computer Fraud and Abuse act seems to have a pretty broad definition of computer fraud and abuse. In particular, the technique seems like it might (emphasis mine) "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value …". Would the other person have a reasonable belief that they didn't authorize access to information which their OS attempts to prevent access to?
I'm not a lawyer, so my question is genuine.
const_cast
I don't know, you're purposefully abusing oversights to completely bypass the sandbox. It's an exploit for sure in my mind, and it seems very intentionally done. Like, it was done this way specifically because it allows them to circumvent other protections they know existed.
threecheese
The yandex one uses client/browser-side code to exfiltrate; it’s within the realm of possibility to abuse this, given a user visits a site under your control.
On the FB side, I can see a malicious user potentially poisoning a target site visitor's ad profile or even social media algorithm with crafted cookies. Fill their feed with diaper ads or something.
croes
Yes
bravesoul2
Can this cross profiles? That would be a big security issue for corps.
Quick test and if I serve on 8080 on the Userland app it can be accessed from both profiles. So probably yes.
This means an infected app on your personal profile could exchange data with a site visited from a second profile.
lxgr
Only if that site specifically communicates with an (unauthenticated) service bound to a local port though, right?
btown
Which, per the OP, the site would be doing by merely including the Meta pixel, which practically every e-commerce and news site does to track its campaigns and organic traffic.
The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity in that app for an unknown amount of time. And even with the tracking code deactivated, cookies may still persist on those secondary profiles that still allow for linking future activity.
lxgr
Yes, but if the concern is not mixing business and personal compartment of the phone, business sites would hopefully not embed a Meta tracking pixel.
> The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity
Definitely, and that's a huge problem. I just don't think Android business profiles are a particular concern here; leaking app state to random websites in any profile is the problem.
Or do Android "business profiles" also include browser sessions? Then this would be indeed a cross-compartment leak. I'm not too familiar with Android's compartment model; iOS unfortunately doesn't offer sandboxing between environments that way.
b0a04gl
webrtc was supposed to be for real-time comms, not fingerprinting people based on what random apps they have running on localhost. the fact that a browser sandbox still leaks this info is wild. like, you’re telling me port 43800 says more about me than a cookie ever could? and of course, this all runs under the radar—no prompt, no opt-in, just “oh hey, we’re just scanning your machine real quick.” insane. might as well call it metascan™.
kinda makes me nostalgic for simpler times—when tracking meant throwing 200 trackers into a <script> tag and hoping one stuck. now it’s full-on black ops.
i swear, i’m two updates away from running every browser in a docker container inside a faraday cage.
Vinnl
Well, primarily it's the other apps that are saying a lot about you. I think this story emphasises yet again that websites are better for your privacy than apps. (Especially in a browser that has e.g. uBlock Origin, such as Firefox for Android.)
spencerflem
The person working on Arcan runs the browser on a separate machine via Remote Desktop with it set to wipe and re-image itself between sessions.
b0a04gl
crazy
spencerflem
Yes but I kinda love it. Perfectly safe from any future Rowhammer type exploit.
owebmaster
> webrtc was supposed to be for real-time comms, not fingerprinting people based on what random apps they have running on localhost
Native Apps are doing that, not webrtc. Just proves the web is safer and all that BS about native apps being better is, well, BS.
chedabob
Does the Yandex HTTPS one mean they're shipping the private key for their cert in the app, therefore anything running on localhost (or on a network with poisoned DNS) can spoof the yandexmetrica site?
There is a cert for it in the logs: https://crt.sh/?q=yandexmetrica.com
NoahZuniga
Yes, but presumably they aren't hosting anything on yandexmetrica.com, so any attacker might as well register yandexmetrica.net and get an ssl cert for that.
These sites both have the same potential for abuse.
will4274
Yup definitely. Edit: the diagram makes it perfectly clear https://yandexmetrica.com:30103/p?...
It even looks like some of the certs were issued by Yandex to Yandex. I guess their cert division will end up writing an incident report for this.
matthberg
A comment I wrote in another HN thread [0] covering this issue:
Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install, it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.
There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors like shown in the article.
Ebay for example uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].
I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN intruding web requests that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.
That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane webRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.
0: https://news.ycombinator.com/item?id=44170099
1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...
2: https://nullsweep.com/why-is-this-website-port-scanning-me/
3: https://addons.mozilla.org/firefox/addon/port-authority
4: https://github.com/ACK-J/Port_Authority
5: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
JimDabell
There is a specification for blocking this:
https://wicg.github.io/private-network-access/
It gained support from WebKit:
https://github.com/WebKit/standards-positions/issues/163
…and Mozilla:
https://github.com/mozilla/standards-positions/issues/143
…and it was trialled in Blink:
https://developer.chrome.com/blog/private-network-access-upd...
Unfortunately, it’s now on hold due to compatibility problems:
matthberg
Yep! Unfortunately its main method (as far as I remember from when I first read the proposal at least, it may do more) is adding preflight requests and headers to opt-in, which works for most cases yet doesn't block behind-the-lines collaborating apps like mentioned in the main article. If there's a listening app (like Meta was caught doing) that's expecting the requests, this doesn't do much to protect you.
EDIT: Looks like it does mention integrating into the permissions system [0], I guess I missed that. Glad they covered that consideration, then!
0: https://wicg.github.io/private-network-access/#integration-p...
bakkoting
Both Firefox [0] and Chrome [1] are working on successors which rely on permissions prompts instead of preflight requests.
[0] https://groups.google.com/a/mozilla.org/g/dev-platform/c/B8o...
[1] https://groups.google.com/a/chromium.org/g/blink-dev/c/CDy8L...
grg994
The Firefox bug referenced in [0] is open since 2018 (https://bugzilla.mozilla.org/show_bug.cgi?id=1481298)?!
What is so difficult about this?
0. Define 2 blocklists: one for local domains and one for local IP addresses
1. Add a per-origin permission next to the already existing camera, mic, midi, etc... Let's call it LocalNetworkAccess, set it false by default.
2. Add 2 checks in networking stack:
2a. Before DNS resolution check the origin's LocalNetworkAccess permission. If false check the URL domain against a domain blocklist, deny the request if matches.
2b. Before the TCP or UDP connect check the origin's LocalNetworkAccess permission. If false check the remote IP address against an IP blocklist, deny the request if matches.
3. If a request was denied, prompt the user to allow or disallow the LocalNetworkAccess permission for the origin, the same way how camera, mic or midi permission is already prompted for.
This is a trivial solution, there is no way this takes more than 2-300 lines of code to implement in any browser engine. Why is it taking years?!
And then of course one can add browser-specific config options to customize the blocklists, but figure that out only after the imminent vulnerability has been fixed.
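The steps 0 to 3 above, as an added example (not the commenter's code and not any browser's implementation): a small Python model of a per-origin LocalNetworkAccess permission with the two networking hooks. The blocklist contents, hook names and origins such as news.example are assumptions; the IP list also covers IPv6, and the second hook is the one that catches a public hostname that resolves to 127.0.0.1, which the domain list alone never would.

```python
import ipaddress
from urllib.parse import urlsplit

# Step 0, blocklist 1: names that only ever mean this machine or the LAN.
LOCAL_NAME_SUFFIXES = (".localhost", ".local", ".internal", ".home.arpa")
# Step 0, blocklist 2: loopback, link-local, RFC 1918 and IPv6 ULA ranges.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_local_name(host):
    host = host.lower().rstrip(".")
    return host == "localhost" or host.endswith(LOCAL_NAME_SUFFIXES)

def is_local_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)

class LocalNetworkAccess:
    # Step 1: a per-origin permission, absent (i.e. false) by default.
    def __init__(self):
        self.grants = {}            # origin -> True/False from the prompt
        self.pending_prompts = []   # origins whose denial needs a prompt (step 3)

    def _deny(self, origin, reason):
        if origin not in self.grants and origin not in self.pending_prompts:
            self.pending_prompts.append(origin)
        return False, reason

    def before_dns(self, origin, url):
        # Step 2a: hook that runs before the hostname is resolved.
        if self.grants.get(origin):
            return True, "origin has LocalNetworkAccess"
        host = urlsplit(url).hostname or ""
        if is_local_name(host):
            return self._deny(origin, "domain blocklist: " + host)
        return True, "hostname not on domain blocklist"

    def before_connect(self, origin, resolved_ip):
        # Step 2b: hook that runs after resolution, before the TCP/UDP connect.
        if self.grants.get(origin):
            return True, "origin has LocalNetworkAccess"
        if is_local_address(resolved_ip):
            return self._deny(origin, "ip blocklist: " + resolved_ip)
        return True, "address not on ip blocklist"

    def answer_prompt(self, origin, allow):
        # Step 3: the user's answer is stored as the origin's permission.
        self.grants[origin] = allow
        self.pending_prompts = [o for o in self.pending_prompts if o != origin]
```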
account42
> There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472)
I would not consider this a legitimate use. Websites have no business knowing what apps you have installed.
matthberg
I agree, yet at least you can kind of see where they're coming from.
I guess a better example would be the automatic hardware detection Lenovo Support offers [0] by pinging a local app (with some clear confirmation dialogs first). Asus seems to do the same thing.
uBlock Origin has a fair few explicit exceptions made [1] for cases like those (and other reasons) in their filter list to avoid breakages (notably Intel domains, the official Judiciary of Germany [2] (???), `figma.com`, `foldingathome.org`, etc).
0: https://pcsupport.lenovo.com/
1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...
2: https://github.com/uBlockOrigin/uAssets/issues/23388 and https://www.bundesjustizamt.de/EN/Home/Home_node.html (they're trying to talk to a local identity verification app seems like, yet I find it quite funny)
mschuster91
> the official Judiciary of Germany [2] (???)
That's the e-ID function of our personal ID cards (notably, NOT the passports). The user flow is:
1. a client (e.g. the Deutsche Rentenversicherung, Deutschland-ID, Bayern-ID, municipal authorities and a few private sector services as well) wishes to get cryptographically authenticated data about a person (name and address).
2. the web service redirects to Keycloak or another IDP solution
3. the IDP solution calls the localhost port with some details on what exactly is requested, what public key of the service is used, and a matching certificate signed by the Ministry of Interior.
4. The locally installed application ("AusweisApp") now opens and displays these details to the user. When the user wishes to proceed, the user clicks on a "proceed" button, and is then prompted to either insert the ID card into a NFC reader attached to the computer or a smartphone in the same network as the computer that also has the AusweisApp attached.
5. The ID card's chip verifies the certificate as well and asks for a PIN from the user
6. the user enters the PIN
7. the ID card chip now returns the data stored on it
8. the AusweisApp submits an encrypted payload back to the calling IDP
9. the IDP decrypts this data using its private key and redirects back to the actual application.
There is a bunch of cryptography additionally layered in the process that establishes a secure tunnel, but it's too complex to explain here.
In the end, it's a highly secure solution that makes sure that only with the right configuration and conditions being met the ID card actually responds with sensitive information - unlike, say, the Croatian ID card that will go as far as to deliver the picture on the card in digital form to anyone tapping your ID card on their phone. And that's also why it's impossible to implement in any other way - maaaaybe WebUSB but you'd need to ship an entire PC/SC stack and I'm not sure if WebUSB allows cleaving a USB device that already has a driver attached.
In addition, the ID card and the passport also contain an ICAO compliant method of obtaining the data in the MRZ, but I haven't read through the specs of that enough to actually implement this.
robin_reala
Zoom got busted for something similar five years ago now: https://www.zdnet.com/article/zoom-defends-use-of-local-web-...
account42
IMO browsers should not just block the request but block the whole website with one of those scary giant red banners if something like this is attempted. If all websites get for trying to work around privacy protections is that their attempts might not succeed then there is little incentive not to try.
null
Also: Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940 - June 2025 (26 comments)