A recent investigation has uncovered that native Android apps from Meta (including Facebook and Instagram) and Yandex have been covertly tracking billions of users by exploiting localhost communications—a mechanism that allows apps and browsers on the same device to silently exchange data, bypassing standard privacy safeguards.
How the tracking works
Researchers discovered that both Meta and Yandex apps, once installed and running in the background, open and listen on specific local network ports (localhost, 127.0.0.1) on Android devices. When a user visits a website embedding Meta Pixel or Yandex Metrica scripts, these scripts attempt to communicate directly with the corresponding native apps via these local ports.
- Meta’s Method: The Meta Pixel JavaScript, found on millions of websites, transmits the _fbp cookie—a unique browser identifier—using WebRTC to UDP ports 12580–12585. Facebook and Instagram apps listen on these ports, receive the _fbp cookie, and link it to the user’s logged-in account, effectively bridging web browsing activity with persistent app identities. This process bypasses protections like cookie deletion, Incognito Mode, and Android permission controls.
- Yandex’s Method: Since 2017, Yandex Metrica scripts have initiated HTTP/HTTPS requests to localhost ports (e.g., 29009, 30102, 29010, 30103), where Yandex apps listen. The apps respond with encrypted device identifiers (such as the Android Advertising ID), which the browser script then forwards to Yandex servers. This allows Yandex to associate web activity with device-level identifiers, regardless of browser or privacy settings.
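The two methods above share one observable trait on the device: a background app holds a socket bound to the loopback address on a well-known port. A defender can check for that directly from the kernel socket tables, which is what the following added example does. It is not code from the research or from either vendor; it parses the IPv4 `/proc/net/tcp` and `/proc/net/udp` tables (for instance captured with `adb shell cat /proc/net/udp`) and reports sockets bound to 127.0.0.1 or 0.0.0.0 on the UDP range 12580–12585 and the TCP ports 29009, 29010, 30102 and 30103 named above. The sample table contents, the UIDs in them and the little-endian byte order assumed for the address field are constructed for the example.

```python
"""Flag loopback listeners on the localhost ports named in the article.

Added example, not part of the original report. Parses the kernel socket
tables /proc/net/tcp and /proc/net/udp (IPv4 only) as captured from an
Android device and reports sockets bound on the ports that Meta Pixel
and Yandex Metrica scripts are said to contact.
"""

# Ports from the article: Meta uses a contiguous UDP range, Yandex a set of TCP ports.
META_UDP_PORTS = set(range(12580, 12586))
YANDEX_TCP_PORTS = {29009, 29010, 30102, 30103}

TCP_LISTEN = 0x0A        # 'st' value of a listening TCP socket
UDP_UNCONNECTED = 0x07   # 'st' value of a bound, unconnected UDP socket
LOOPBACK_REACHABLE = {"127.0.0.1", "0.0.0.0"}  # 0.0.0.0 also accepts loopback traffic


def parse_proc_addr(field):
    """Decode 'HEXADDR:HEXPORT' as written in /proc/net/{tcp,udp}.

    The address is a 32-bit value printed in host byte order; Android devices
    are little-endian (assumption), so the four bytes are reversed to get
    dotted-quad order. Returns (ip, port).
    """
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)[::-1]
    ip = ".".join(str(b) for b in raw)
    return ip, int(port_hex, 16)


def parse_socket_table(text, proto):
    """Return one dict per data row: proto, ip, port, state, uid."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = parse_proc_addr(fields[1])
        rows.append({
            "proto": proto,
            "ip": ip,
            "port": port,
            "state": int(fields[3], 16),
            "uid": int(fields[7]),  # app UID; map to a package with 'pm list packages -U'
        })
    return rows


def find_suspect_listeners(tcp_text, udp_text):
    """Return the bound sockets that match the article's port lists.

    Only listening TCP sockets and bound UDP sockets count; an established
    connection on the same port is a client, not a listener, and is ignored.
    """
    hits = []
    for row in parse_socket_table(tcp_text, "tcp"):
        if (row["state"] == TCP_LISTEN and row["port"] in YANDEX_TCP_PORTS
                and row["ip"] in LOOPBACK_REACHABLE):
            hits.append(row)
    for row in parse_socket_table(udp_text, "udp"):
        if (row["state"] == UDP_UNCONNECTED and row["port"] in META_UDP_PORTS
                and row["ip"] in LOOPBACK_REACHABLE):
            hits.append(row)
    return hits


# Constructed sample tables (not captured from a real device). Row 0 of the TCP
# table is a loopback listener on 29009, row 1 a benign listener on 8080, row 2
# an established connection on 29009. The UDP table has a bound socket on 12580
# and one on 12590, which is outside the Meta range.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7151 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10456        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10789        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:7151 0100007F:B4A2 01 00000000:00000000 00:00000000 00000000 10456        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 0100007F:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10123        0 45678 2 0000000000000000 0
  13: 0100007F:312E 00000000:0000 07 00000000:00000000 00:00000000 00000000 10123        0 45679 2 0000000000000000 0
"""

if __name__ == "__main__":
    for hit in find_suspect_listeners(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{hit['proto']} {hit['ip']}:{hit['port']} bound by uid {hit['uid']}")
```

On a real device, replace the constructed strings with the output of `adb shell cat /proc/net/tcp` and `adb shell cat /proc/net/udp`, then resolve each reported UID to its package with `adb shell pm list packages -U`. A listener on one of these ports is a signal to investigate, not proof of tracking by itself; the same check also surfaces any other app that has claimed these ports, which is the interception risk the article raises for the unencrypted Yandex channel.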
Bypassing privacy controls
This localhost-based tracking undermines established privacy defenses:
- Clearing cookies or using Incognito Mode does not prevent the linking of web and app identities.
- Android’s permission system is circumvented, as browsers and apps communicate internally without user consent.
- Even without accepting cookie consent banners, many sites initiate these localhost communications by default, exposing users without explicit approval.
Potential for abuse and data leakage
The use of HTTP for localhost communication, particularly by Yandex, introduces additional risks. Malicious third-party apps could listen on the same ports and intercept web browsing history, even in private browsing modes. Proof-of-concept demonstrations confirmed that browsers like Chrome, Firefox, and Edge are vulnerable to this form of data leakage, while Brave and DuckDuckGo have implemented protections against such exploits.
Industry response
Following the disclosure, Meta rapidly removed the code responsible for this tracking from its Pixel script as of June 3, 2025. Browser vendors have also begun to respond:
- Brave blocks localhost requests from web scripts, effectively neutralizing these tracking attempts.
- DuckDuckGo has blacklisted the relevant scripts.
- Chrome and Firefox are developing patches to address the vulnerability, with updates expected soon.
Scope and prevalence
Meta Pixel is embedded on over 5.8 million websites, while Yandex Metrica appears on nearly 3 million. Crawls of the top 100,000 websites revealed that tens of thousands actively attempt localhost communications, often before any user consent is given.
This case highlights a significant gap in mobile and web privacy models: localhost communications remain largely unregulated and invisible to users, allowing persistent cross-platform tracking. While some browsers are moving to block these techniques, comprehensive solutions will require coordinated changes across operating systems, browsers, and app stores to fully protect user privacy.
This research demonstrates the urgent need for stronger privacy protections and transparency around how apps and web scripts interact on users’ devices. As platforms race to patch these vulnerabilities, users are advised to use browsers with robust localhost protections and to remain vigilant about the apps installed on their devices.