A new investigation has uncovered a covert tracking mechanism used by Meta and Yandex that potentially affects billions of Android users. At the heart of the issue lies a silent communication channel between mobile browsers and native apps on the same device, enabled via localhost sockets. The technique effectively links anonymous web browsing to real-world user identities.
This discovery was made by researchers with IMDEA Networks Institute, Radboud University, and The Computer Security and Industrial Cryptography research group (COSIC) at the Department of Electrical Engineering of KU Leuven.
Tracking via Localhost: A Hidden Bridge
The discovery reveals that Android apps like Facebook, Instagram, and several Yandex services (including Maps, Browser, and Navigator) listen on fixed local ports. These ports silently receive data from JavaScript tracking scripts embedded on millions of websites: Meta Pixel and Yandex Metrica.
Here’s how it works: when a user visits a site containing one of these scripts, the script makes the mobile browser connect to the device’s own apps over the loopback interface (127.0.0.1). Those apps, already running in the background and signed in to a user account, receive cookies and other identifiers from the page; nothing in the transfer asks for user consent, and the OS does not mediate it.
The result? A seamless link between ephemeral browser sessions and long-lived mobile identifiers like the Android Advertising ID (AAID).
This bypasses privacy controls, Incognito mode, cookie clearing, and Android permissions. Worse, it opens up the possibility of malicious apps eavesdropping on user activity.
Meta: Bridging Cookies and Identity via STUN
The Meta Pixel script transmits its _fbp cookie using WebRTC’s STUN protocol to UDP ports 12580–12585. The Facebook and Instagram apps distributed through the Play Store were found listening on these ports, which lets them intercept the _fbp identifier, normally siloed by first-party cookie policies, and tie it to the logged-in user.
In practice:
- The user opens the Facebook or Instagram app.
- The app sets up listeners on specific ports.
- The user visits a Pixel-enabled website.
- JavaScript on the site sends the _fbp cookie via WebRTC to the app.
- The app ties this to user identity and sends it to Meta’s servers via GraphQL.
This sidesteps browser isolation mechanisms and undermines the assumption that _fbp cookies cannot track users across sites. The cookie, used on ~25% of top websites, becomes a stable identifier once linked to a real user account.
In May 2025, Meta quietly updated the Pixel to use TURN instead of STUN, moving away from SDP munging, a technique Chrome developers began disabling after this issue came to light. As of early June, however, Meta apps no longer appear to be listening on the new TURN ports.
Yandex: HTTP Requests to Loopback Since 2017
Yandex’s method dates back to 2017. The Metrica script sends HTTP and HTTPS requests to specific local ports: 29009, 29010, 30102, and 30103. Apps like Yandex Maps and Yandex Browser listen on these ports, collect identifiers such as the AAID and UUIDs, and return them to the browser context. The browser then uploads this data to Yandex’s servers.
Unlike Meta’s direct-to-server model, Yandex apps act as proxies. The identifiers returned over the local port are encrypted and Base64-encoded, then passed back to the Metrica JavaScript running in the browser. These apps even fetch their listening port list from a remote Yandex server and delay activation by several days, which makes the behaviour harder to spot in a quick test.
One particularly stealthy move: the Yandex Metrica script sends its requests to the domain yandexmetrica[.]com, which resolves to 127.0.0.1. The localhost communication therefore looks like ordinary HTTPS traffic to a third-party domain, and a blocklist that matches only literal addresses such as 127.0.0.1 or localhost never sees it.
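The DNS trick matters for anyone trying to block this class of traffic at the browser or extension layer. The following added example (my code, not Brave’s, DuckDuckGo’s or the researchers’) shows a loopback check that handles every literal form a script can use (dotted, shorthand, hex, decimal, IPv6, IPv4-mapped, bracketed), and then the second step a hostname such as yandexmetrica.com forces: checking the address the resolver returned. The hostnames and the 203.0.113.5 address in the tests are constructed.

```javascript
// Added example (not Brave's, DuckDuckGo's or the researchers' code): decide whether a
// page-initiated request targets the device itself, in every form a script can write it.

// Parse an IPv4 literal as inet_aton does: 1-4 parts, each decimal, 0x-hex or
// 0-prefixed octal ("127.1", "0x7f.0.0.1", "2130706433"). Returns a number or null.
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 4 || parts.some(p => p === '')) return null;
  const nums = [];
  for (const p of parts) {
    if (/^0x[0-9a-f]+$/i.test(p)) nums.push(parseInt(p, 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^[1-9][0-9]*$/.test(p)) nums.push(parseInt(p, 10));
    else return null;                              // not numeric: a DNS name
  }
  const last = nums.pop();
  if (nums.some(n => n > 255)) return null;
  const lastBytes = 4 - nums.length;               // the last part fills the remaining bytes
  if (last >= 2 ** (8 * lastBytes)) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  return value * 2 ** (8 * lastBytes) + last;
}

// Expand an IPv6 literal (with or without brackets, "::" compression, a zone id or
// an embedded dotted IPv4 tail) into eight 16-bit groups, or null if malformed.
function expandIPv6(host) {
  let h = host.toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  const zone = h.indexOf('%');
  if (zone !== -1) h = h.slice(0, zone);
  const tail = h.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (tail) {                                      // "::ffff:127.0.0.1" -> "::ffff:7f00:1"
    const v4 = parseIPv4(tail[1]);
    if (v4 === null) return null;
    h = h.slice(0, -tail[1].length) + (v4 >>> 16).toString(16) + ':' + (v4 & 0xffff).toString(16);
  }
  const halves = h.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(halves.length === 2 ? missing : 0).fill('0'), ...rest];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map(g => parseInt(g, 16));
}

function isLoopbackIPv6(g) {
  if (g.slice(0, 5).some(x => x !== 0)) return false;
  if (g[5] === 0 && g[6] === 0 && (g[7] === 1 || g[7] === 0)) return true;   // ::1 and ::
  if (g[5] === 0xffff) {                                                  // IPv4-mapped
    const v4 = g[6] * 65536 + g[7];
    return Math.floor(v4 / 2 ** 24) === 127 || v4 === 0;
  }
  return false;
}

// True when the string itself proves the target is this device. A plain DNS name
// returns false: the string cannot tell you where it resolves.
function isLoopbackHost(host) {
  const h = host.trim().toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.includes(':')) {
    const groups = expandIPv6(h);
    return groups !== null && isLoopbackIPv6(groups);
  }
  const v4 = parseIPv4(h);
  if (v4 === null) return false;
  return Math.floor(v4 / 2 ** 24) === 127 || v4 === 0;   // 127/8, plus 0.0.0.0 which also lands locally
}

// The check a browser or extension actually needs: reject loopback literals up front,
// and reject names whose resolved address is loopback (the yandexmetrica.com case).
// `resolvedAddress` is the IP the resolver returned, or null if not resolved yet.
function shouldBlock(urlString, resolvedAddress) {
  if (isLoopbackHost(new URL(urlString).hostname)) return true;
  return resolvedAddress != null && isLoopbackHost(resolvedAddress);
}
```

The design point is the split between isLoopbackHost and shouldBlock: the first is cheap and catches every literal spelling, but only the second catches a third-party hostname that an attacker’s DNS points at 127.0.0.1, which is exactly the evasion the Metrica script uses.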
Proof-of-Concept Shows Browsing History Leakage
Because Yandex’s local communication runs over plain HTTP on some of these ports, any Android app that manages to bind them can read the incoming requests and, over time, reconstruct the user’s browsing history: the Origin HTTP header of each request names the website the user was visiting.
Researchers built a proof-of-concept Android app to demonstrate this risk. Chrome, Firefox, and Edge all let the page-initiated localhost requests through, even in private mode. Brave and DuckDuckGo fared better because they block page access to localhost aggressively.
While only Meta and Yandex apps were observed using these ports, the possibility for other apps to eavesdrop remains very real.
Scale of Exposure
Meta Pixel is embedded on over 5.8 million websites, and Yandex Metrica appears on close to 3 million. According to HTTP Archive, 2.4 million and 575,000 of those, respectively, were live as of last month.
A recent web crawl of the top 100,000 websites reveals just how widespread and privacy-invasive these tracking practices have become. In the US, the Meta Pixel was embedded on over 17,000 websites, with 78.2% of those actively initiating localhost communications (attempting to connect with native Meta apps) even before users gave consent.
In Europe, a similar pattern emerged: Meta Pixel appeared on more than 15,600 sites, with 75.8% initiating such communications without user approval. Yandex Metrica showed even more aggressive behavior. Although present on fewer websites, around 1,300 in both regions, over 83% of those in the U.S. and 84% in Europe attempted to establish localhost connections automatically.
These figures suggest that the vast majority of sites using Meta Pixel or Yandex Metrica attempt to link web activity to mobile identifiers before users have had a chance to give or deny consent, bypassing both privacy expectations and the protections that consent prompts are meant to provide.
A Troubling Truth
This revelation cracks open a troubling truth: privacy protections assumed safe on Android (cookie clearing, Incognito mode, app sandboxing) can be quietly sidestepped. Through creative abuse of localhost sockets, Meta and Yandex have effectively built private pipelines between the browser and native app realms.
While the browser world enforces boundaries, Android lets any app holding the ordinary INTERNET permission bind a listening socket on the loopback interface, with no oversight, logging, or user awareness.
This gap in Android’s design may have just become one of the most significant privacy vulnerabilities of the mobile era.
This story is based on technical findings disclosed by security researchers and verified through controlled experiments. Meta and Yandex have not responded to requests for comment as of publication time.
A Deliberate Circumvention of Safeguards
Ted Miracco, a mobile cybersecurity expert and CEO of Approov, says: “This technique represents a deliberate circumvention of established privacy safeguards, undermining cookie deletion, incognito browsing, and the fundamental separation between browser and app activity. By facilitating persistent cross-context tracking without user knowledge or consent, Meta appears to be in direct violation of key provisions of the GDPR, CCPA, and ePrivacy Directive. Given Meta’s history, this warrants immediate regulatory scrutiny and reinforces the urgent need for stronger enforcement of data protection standards.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

