Billions of users have been exposed to a new system of mass tracking and surveillance that both Meta and Yandex have used. Both companies used a technique that took advantage of native applications such as Facebook or Instagram to monitor everything we did in our mobile browsers. It is one more drop in a glass that was already full: the attack on our privacy.
What happened. A group of researchers from the IMDEA Networks Institute and Radboud University in the Netherlands, led by professors Gunes Acar and Narseo Vallina-Rodríguez, yesterday published an extensive technical article. In it they revealed the technique they have baptized ‘Local Mess’, which Meta has been using since September 2024 and Yandex much earlier, since 2017.
What ‘Local Mess’ does. We will focus on Meta and its applications, although the method is analogous for Yandex. Android users of applications such as Facebook or Instagram could be exposed, because those applications “listened” to what happened in the browsers installed on our phones through local ports (hence the ‘Local Mess’), with the aim of tracking and monitoring everything we did in our browsers.
The user knew nothing. The method allowed these applications to receive metadata, cookies and commands executed in the browsers. Meta’s JavaScript code, called Meta Pixel, was loaded silently and without warning into the mobile browser, like a kind of add-on, and connected to apps such as Facebook or Instagram.
De-anonymizing users. As the researchers explain, the method gave access to the device identifier used by advertising systems, the Android Advertising ID (AAID), which made it possible to associate everything the user did with a real identity (a Facebook or Instagram profile). The result: what we did in the browser was no longer anonymous or private.
Neither incognito mode, nor deleting cookies, nor anything else. This “web-to-app” method evades the systems that in theory should protect against this type of tracking. Neither deleting cookies nor browsing in incognito mode worked when trying to escape it. In fact, the method “opens the door for potentially malicious applications eavesdropping on the user’s web activity,” they explain in the document.
Exploiting our “localhost”. Meta’s and Yandex’s scripts differ slightly, but both make improper use of unauthorized access to sockets on our localhost, the reserved name a device uses for itself on the local network and which always maps to the address 127.0.0.1 (in IPv4). The Android operating system allows any installed application with the Internet permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device can also reach this interface, without the user’s consent or any mediation by the platform. This allows JavaScript code embedded in web pages to communicate with native Android applications and share identifiers and browsing activity.
Millions of websites affected. For the method to work, Meta took advantage of its _fbp cookie, which is very widespread on websites that use this platform. According to BuiltWith, a website that tracks the adoption of different technologies, the Meta Pixel is embedded in more than 5.8 million websites, Xataka among them. There is a search engine at the end of the study that lets you check whether a website was exposed and whether the activity on it could have been recorded by these scripts.
Diagram of the attack. Source: Local Mess.
In theory, only on Android. The researchers say they only managed to obtain empirical evidence of this technique on Android phones. They did not observe the problem in iOS browsers or in the applications they evaluated, although they point out that technically achieving something like this on iPhones is feasible.
Browsers protect themselves. Those responsible for the discovery followed a responsible disclosure policy and contacted several browser developers. Chrome already has a patch prepared; Firefox’s is in development, although it seems not to be exposed to the problem in Meta’s case; DuckDuckGo has already fixed it; and Brave was not affected, since it uses a block list and requires the user’s explicit permission for communications with localhost. There is no information on the progress of the patch in Microsoft Edge, which was affected.
And Meta has deactivated the feature without further ado. Although browsers have taken measures, they come late. Not because there is no solution or because the code has not been modified, but because Meta has decided to stop using it without saying anything. Yesterday the Meta Pixel script stopped sending packets or making requests to localhost. The code responsible for sending the _fbp cookie, an update to the report indicates, has been almost completely removed.
Why did Meta do this? There is one hypothesis about Meta’s deployment of this technique: it could be related to Google’s intention to get rid of third-party cookies in Chrome at some point in 2024. That would have affected companies like Meta, which may have reacted by trying to collect that information with this technique as a plan B in case cookies disappeared.
What Meta says. At Xataka we have contacted Meta’s representatives in Spain, and we will update this article if we receive an answer. The Register reports that, after contacting the company, Meta said:
“We are in conversations with Google to resolve a possible communication error in relation to the application of their policies. When we became aware of the concerns, we decided to pause the feature while we work with Google to solve the problem.”
What Yandex says. The Russian company has also commented on the problem. Speaking to Android Authority, they explained the following:
“Yandex strictly complies with data protection standards and does not de-anonymize user data. The feature in question does not collect any sensitive information and its only purpose is to improve the personalization of our applications. After examining the issues raised, we have decided to stop using it and we are in the process of removing it from our applications. We are also in contact with Google to guarantee full compliance with the policies of its application store.”
Image | Meta