Hacker News

Better link? https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/

Meta and Yandex achieve the bypass by abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications. The functionality lets browsers send web requests to local Android ports to establish various services, including media connections through the RTC protocol, file sharing, and developer debugging.

While the technical underpinnings differ, both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. Browsers access these ports without user notification. Facebook, Instagram, and Yandex native apps silently listen on those ports, copy identifiers in real time, and link them to the user logged into the app.

They used a protocol called WebRTC that allows for establishing direct P2P connections to establish a connection to the Facebook app running on your phone. The FB app knew your identity so it was able to link your in browser actions with your FB identity.

There's a difference between companies stealing data to sell or target ads to you and the government tracking everything you do so they can black bag you if you're too subversive. Neither is great but uninstalling Facebook isn't that hard.

They probably heard your argument and didn’t show you relevant ads just to spike the bowl. 😝