Covert web-to-app tracking by Meta and Yandex
Meta and Yandex use a covert tracking method on Android: their native apps (Facebook, Instagram, Yandex apps) listen on fixed localhost ports, and scripts on websites forward browser cookies and metadata to these apps, linking every browsing session to the user's real identity and bypassing privacy protections[1].
Background
Meta (formerly Facebook) operates the world’s largest social networks, Facebook and Instagram, plus Messenger and WhatsApp[2]; its Meta Pixel is a snippet webmasters install to log visitor actions for ad targeting and campaign measurement. Yandex, Russia’s dominant search engine, also runs browsers, maps, taxis, and marketplaces; its free Yandex.Metrica analytics suite records every click, scroll, and session, giving site owners heat-maps, replay videos, and conversion funnels[3].
Covert Web-to-App Tracking
Researchers disclosed on 3 June 2025 that Meta and Yandex had been using a covert localhost tracking technique on Android. Their native apps (Facebook, Instagram, Yandex Maps, Yandex Browser and others) silently listened on fixed localhost ports, while scripts embedded in web pages (Meta Pixel, Yandex.Metrica) sent browser cookies and page metadata to those ports. Because the app is logged in to the user's account, each site visit, including visits made in Incognito mode, could be linked to the user's real identity, bypassing the separation that browsers and Android normally enforce between websites and apps. The technique also opened a security loophole: the scripts sent the data to the port regardless of which process was bound to it, so any third-party app listening on the same port could collect the cookies, even on devices with no Meta or Yandex app installed.
- 2017 to mid-2025: Yandex operated a localhost-tracking system in apps such as Yandex Maps, Browser and Search, silently receiving web-session cookies and metadata from sites running Yandex.Metrica.
- Late 2023 to May 2025: Meta successively refined an equivalent technique, using the Facebook and Instagram apps together with the Meta Pixel script to perform the same bypass on Android.
- 3 June 2025: IMDEA Networks, Radboud University and others publicly disclosed the findings; press reports followed.
- Early June 2025: Both companies halted the data transmissions, removed the localhost calls from their analytics scripts and said they were cooperating with Google on a longer-term fix.
Response from Meta/Yandex
Both companies stopped the data transfers and removed the localhost calls from their tracking scripts within days of the public disclosure. Neither has issued a detailed public statement, but each told reporters it was "working with Google" on a permanent fix [4].
Consumer response
Privacy advocates and security commentators reacted with alarm and criticism, calling the covert localhost tracking a “massive privacy breach” that circumvents Incognito mode, cookie clearing, and Android’s sandbox to link every site visit to a real-world identity. Key complaints center on the deceptive use of a trusted OS feature, the comprehensive user profiles it enables, and the lack of prior disclosure or consent[5][6].
References
- [1] "Local Mess". Archived from the original on 16 Jan 2026.
- [2] "Wikipedia - Meta Platforms". Archived from the original on 12 Feb 2026.
- [3] "Wikipedia - Yandex". Archived from the original on 11 Feb 2026.
- [4] "Meta pauses mobile port tracking tech on Android after researchers cry foul". Archived from the original on 8 Feb 2026.
- [5] "Meta and Yandex abuse protocol functionality to secretly track users — even in private browsing mode". Archived from the original on 8 Nov 2025.
- [6] "Localhost Tracking: The New Privacy Battleground That Could Cost Meta Billions". Archived from the original on 16 Feb 2026.