Meta Pixel halts Android localhost tracking after disclosure

June 3, 2025

Security researchers say Meta and Yandex used native Android apps to listen on localhost ports, allowing them to link web browsing data to user identities and bypass typical privacy protections.

Following the disclosure, researchers observed that Meta’s Pixel script stopped sending data to localhost and that the tracking code was largely removed. The move may help Meta avoid scrutiny under Google Play policies, which prohibit covert data collection in apps.

“We are in discussions with Google to address a potential miscommunication regarding the application of their policies,” a Meta spokesperson told The Register. “Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”

Meta’s spokesperson did not respond to a request to elaborate on the company’s discussions with Google.

What the researchers found

In a report published Tuesday, computer scientists affiliated with IMDEA Networks (Spain), Radboud University (The Netherlands), and KU Leuven (Belgium) describe how the US social media giant and the Russian search engine were observed using native Android apps to gather web cookie data via the device’s loopback interface, commonly known as localhost.

Localhost is a loopback address that a device can use to make a network request to itself. It’s commonly used by software developers to test server-based applications like websites on local hardware.

The researchers – Aniketh Girish (PhD student), Gunes Acar (Assistant Professor), Narseo Vallina-Rodriguez (Associate Professor), Nipuna Weerasekara (PhD student), and Tim Vlummens (PhD student) – say they found that native Android apps, including Facebook and Instagram and Yandex’s Maps and Browser, listen silently on fixed local ports for tracking purposes.

“These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of websites,” the computer scientists explain. “These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets.”

As these native apps access device identifiers like the Android Advertising ID or handle user identities in Meta apps, the researchers say, they’re able to link mobile browsing sessions and web cookies to user identities.

Essentially, by opening localhost ports that allow their Android apps to receive tracking data, such as cookies and browser metadata, from scripts running in mobile browsers, Meta and Yandex are able to bypass common privacy safeguards like cookie clearing, Incognito Mode, and Android’s app permission system.

The technique also violates assumptions about the scope of first-party cookies, which aren’t supposed to be able to track browsing activity across different websites. According to the researchers, “the method we disclose allows the linking of the different _fbp cookies to the same user, which bypasses existing protections and runs counter to user expectations.”

With regard to Meta, the tracking process involves scripts associated with Meta Pixel, analytics code used by marketers to gather data about interactions with websites.

Various APIs and protocols can be used to implement the described app-web eavesdropping scheme. These include: SDP munging, which involves manually modifying Session Description Protocol (SDP) messages before the data gets passed to the browser; the real-time communications protocols WebSocket and WebRTC; Session Traversal Utilities for NAT (STUN), an address discovery mechanism; and Traversal Using Relays around NAT (TURN), a method for relaying traffic past router restrictions.

The researchers describe Meta’s approach thus:

  1. The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged in with their credentials on the apps.
  2. The user opens their browser and visits a website integrating the Meta Pixel.
  3. At this stage, websites may ask for consent depending on the website’s and visitor’s locations.
  4. The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
  5. The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
  6. The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running on the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users’ fbp ID (web visit) with their Facebook or Instagram account.
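As an added defender-side example (not code from the report or from The Register), the following Python parses `/proc/net/tcp` and `/proc/net/udp` tables as pulled from a device (e.g. with `adb shell cat /proc/net/tcp`) and flags app sockets bound on the fixed ports named in step 1; the sample tables, uids and inodes are constructed, and only the port numbers come from the report.

```python
# Added example: flag Android app sockets bound on the fixed localhost ports from step 1.
# Input is the text of /proc/net/tcp and /proc/net/udp (e.g. `adb shell cat /proc/net/tcp`).
# Sample tables below are constructed for this example; only the ports come from the report.

WATCH_TCP = {12387, 12388}              # TCP listener ports named in the report
WATCH_UDP = set(range(12580, 12586))    # "first unoccupied port in 12580-12585"
TCP_LISTEN = 0x0A   # st column: TCP socket in LISTEN
UDP_BOUND = 0x07    # st column: bound, unconnected UDP socket


def parse_proc_net(table):
    """Yield (ip, port, state, uid) per socket row of a /proc/net/{tcp,udp} table.
    IPv4 addresses are little-endian hex words on the usual Android (ARM/x86) kernels."""
    for line in table.splitlines()[1:]:            # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        addr_hex, port_hex = cols[1].split(":")
        ip = ".".join(str(b) for b in bytes.fromhex(addr_hex)[::-1])   # 0100007F -> 127.0.0.1
        yield ip, int(port_hex, 16), int(cols[3], 16), int(cols[7])


def find_tracking_listeners(tcp_table, udp_table):
    """Return [(proto, ip, port, uid)] for sockets bound on the watched ports.
    The uid identifies the owning app; map it to a package with Android's pm tool."""
    hits = []
    for ip, port, st, uid in parse_proc_net(tcp_table):
        if st == TCP_LISTEN and port in WATCH_TCP:
            hits.append(("tcp", ip, port, uid))
    for ip, port, st, uid in parse_proc_net(udp_table):
        if st == UDP_BOUND and port in WATCH_UDP:
            hits.append(("udp", ip, port, uid))
    return hits


# Constructed sample: a loopback TCP listener on 12387 (0x3063) and a UDP socket on
# 12580 (0x3124) owned by app uid 10123, plus unrelated adb (5555) and DHCP (68) sockets.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 45678 1 0000000000000000 100 0 0 10 0
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 31000 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:B2E4 8EFA4F0E:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 45680 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10123        0 45679 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 20001 2 0000000000000000 0
"""

if __name__ == "__main__":
    for proto, ip, port, uid in find_tracking_listeners(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{proto} {ip}:{port} bound by uid {uid}")
```

On a real device the same check can be repeated while the Facebook or Instagram app is backgrounded, since step 1 says the listening service is created only once the app has been opened.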

Researchers observed Meta implementing this technique starting in September 2024, transmitting data via HTTP. Third-party developers working with Meta APIs noted and questioned the behavior in forum posts at the time.

HTTP-based data transmission using this technique supposedly ended the following month, but other transmission methods – WebSocket, WebRTC STUN with SDP munging, and WebRTC TURN without SDP munging – were identified in subsequent months.

Presently, however, Meta’s use of these techniques appears to have halted. According to the researchers, “As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed.”

Yandex’s use of localhost-based tracking dates back to 2017, according to the researchers.

The Register sought to ask Yandex media relations about the researchers’ claims but our inquiry was bounced as spam.

The report authors note that their disclosure to Android browser vendors has led to several mitigations.

Chrome 137, which shipped May 26, 2025, includes countermeasures to block the SDP Munging technique used by Meta Pixel, though these have only been made available to a subset of users participating in a gated field trial. A fix is currently being developed for Mozilla Firefox. Brave is unaffected as it requires consent for localhost use. And DuckDuckGo has modified its blocklist to stop Yandex’s scripts.

Beyond these, the authors suggest a Google proposal to create a new “local network access” permission that could help mitigate localhost-based tracking in the future. A prior proposal along these lines ran into technical barriers. ®