The Unsettling Reality of Data Tracking by Major Tech Firms
Trust in Meta regarding privacy and data security is hard to maintain, yet the extent of its data collection practices continues to astonish. A recent investigation revealed how Meta, alongside Yandex, a notable technology firm from Russia, has been exploiting a security vulnerability in Android to monitor a staggering number of users. The result is that both companies can covertly extract potentially sensitive browsing information from anyone who has their respective apps installed.
Understanding the Mechanics of This Tracking
According to the findings, any Android application with internet access can use the “loopback address,” or localhost, an interface meant for communication within the device itself. An app listening on that address can learn about browsing activity originating in the device's web browsers: JavaScript embedded in certain web pages connects to the Android app over localhost and transfers data along with user identifiers.
Which scripts are responsible? Notably, Meta Pixel and Yandex Metrica, the trackers that firms embed to monitor interactions on their websites. Meta Pixel normally operates within the confines of the browser; through the loopback channel, however, it can relay browsing details, cookies, and identifiers to Meta apps such as Facebook and Instagram. Yandex's apps, such as Yandex Browser and Maps, are similarly implicated.
Few users likely anticipated such tracking when installing Instagram on their Android devices. Yet once they logged in, subsequent visits to sites embedding Meta Pixel could lead to data being transmitted back to the app without authorization, giving Meta insights gleaned not just from browsing but through “unrelated” apps like Instagram.
This issue affects major browsers including Chrome, Firefox, and Edge. DuckDuckGo mitigated some of the tracking by blocking several domains, but not all of it. Brave, by contrast, blocks access to localhost unless the user explicitly grants permission, which effectively prevents the tracking.
Reports indicate that Yandex has engaged in this practice since February 2017 for HTTP websites and May 2018 for HTTPS. Meta Pixel's tracking began in September 2024 over HTTP and ceased shortly thereafter, only to return using WebSocket and WebRTC STUN from November and WebRTC TURN from May of the following year.
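As an added example (not from the article or the research it reports), the following Node.js script flags requests that a remote web page makes to the device's loopback interface over the transports named above (HTTP, WebSocket, WebRTC STUN/TURN), the kind of check a browser or proxy could apply before allowing such a connection. The request log, hostnames and ports are constructed for the example.

```javascript
// Hosts that name the loopback interface: localhost, 127.0.0.0/8, and [::1].
// Names that merely resolve to 127.0.0.1 via DNS are not caught here.
const LOOPBACK_HOST_RE = /^(localhost|127(?:\.\d{1,3}){3}|\[::1\])$/i;

// Extract scheme and host from http(s)/ws(s) URLs and from stun:/turn: URIs
// (the latter have no "//" and are not parsed as hosts by the URL class).
function hostOf(target) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/)?(?:[^@\/?#]*@)?([^\/?#]*)/i.exec(target);
  if (!m) return null;
  const hostPort = m[2];
  let host;
  if (hostPort.startsWith('[')) {
    host = hostPort.slice(0, hostPort.indexOf(']') + 1); // bracketed IPv6 literal
  } else {
    const idx = hostPort.lastIndexOf(':');
    host = idx === -1 ? hostPort : hostPort.slice(0, idx); // strip port
  }
  return { scheme: m[1].toLowerCase(), host };
}

function isLoopbackHost(host) {
  return LOOPBACK_HOST_RE.test(host);
}

// Constructed request log: each entry is the page making the request and the
// target it requested. Ports are placeholders, not the values used by any tracker.
const SAMPLE_REQUESTS = [
  { page: 'https://news.example/article', url: 'https://pixel.example/collect?id=1' },
  { page: 'https://news.example/article', url: 'http://127.0.0.1:40001/?id=1' },
  { page: 'https://news.example/article', url: 'wss://localhost:40002/' },
  { page: 'https://news.example/article', url: 'stun:127.0.0.1:3478?transport=udp' },
  { page: 'https://news.example/article', url: 'turn:[::1]:3478' },
  { page: 'http://localhost:8080/dev', url: 'http://localhost:8080/api' }, // local dev, not flagged
];

// Return the requests in which a non-loopback page targets the loopback interface.
function loopbackLeaks(requests) {
  return requests
    .filter((r) => {
      const src = hostOf(r.page);
      const dst = hostOf(r.url);
      return src && dst && !isLoopbackHost(src.host) && isLoopbackHost(dst.host);
    })
    .map((r) => ({ page: r.page, url: r.url, transport: hostOf(r.url).scheme }));
}

for (const leak of loopbackLeaks(SAMPLE_REQUESTS)) {
  console.log(`loopback request via ${leak.transport}: ${leak.page} -> ${leak.url}`);
}
```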
Website owners raised concerns and complaints as early as September, asking why Meta Pixel was contacting localhost. The researchers, however, found no response from Meta to these concerns.
The Possibility of Similar Tracking on iOS
Similar tracking could in theory exist on iOS, which also allows localhost connections, but no evidence currently suggests it occurs on Apple devices. The difference appears to stem from the stricter constraints iOS places on apps running in the background.
Meta Has Ceased This Tracking Practice
In a positive development, as of June 3 the researchers observed no Meta Pixel traffic to localhost. Yandex Metrica's status remains less clear, though Yandex has indicated its intent to cease these practices. Furthermore, Google has opened an investigation into what it deems a clear violation of its privacy and security policies.
Even with Meta's cessation of this tracking, the fallout could be far-reaching. Estimates suggest that Meta Pixel is employed across 2.4 to 5.8 million sites. The researchers identified over 17,000 U.S.-based sites using Meta Pixel that attempted connections to localhost; an alarming 78% of these attempts occurred without any user consent. Prominent sites such as AP News, Buzzfeed, and The Verge are among those reported, indicating a substantial risk of private data exposure through these channels. A tool is available to check affected sites, although the list is not definitive: a site that is not listed might still pose a risk.
In response to inquiries regarding this situation, Meta issued a statement: “We are engaged in discussions with Google to clarify any possible misunderstandings about the enforcement of their policies. Upon recognizing these concerns, we opted to suspend the feature while we collaborate with Google to address the matter.”