Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users.
This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps.
Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.
Researchers have found that tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing users by abusing legitimate Internet protocols, causing Chrome and other browsers to covertly send unique identifiers to native apps installed on the device. Google says it is investigating the misuse, which lets Meta and Yandex turn transient web identifiers into permanent mobile app user identities.
The secret tracking, which is used in the Yandex Metrica and Meta Pixel trackers, enables Yandex and Meta to get around the fundamental security and privacy safeguards offered by the Android operating system and its browsers. For example, Android sandboxing isolates processes to stop them from communicating with the operating system and any other installed apps, thereby denying them access to privileged system resources or sensitive data. Defenses like state partitioning and storage partitioning, which are integrated into all major browsers, make sure that site cookies and other data are off-limits to other sites by storing them in containers specific to each top-level website domain.
A flagrant transgression
Narseo Vallina-Rodriguez, one of the researchers who made the discovery, stated in an interview: “Sandboxing is one of the fundamental security principles that exists in the web, as well as the mobile system. There is no interaction between the various elements operating on it because everything is run in a sandbox. This attack vector enables the sandbox between the web and mobile contexts to be broken. The channel made it possible for the Android system to share information between the identity running in the mobile app and what occurs in the browser.”
The circumvention, which Yandex started in 2017 and Meta started last September, enables the companies to send cookies or other identifiers from browsers based on Chromium and Firefox to native Android apps for Facebook, Instagram, and other Yandex apps. The businesses can then link the user who is logged into the app to that extensive browsing history.
This misuse has only been seen in Android, and there is evidence that the Yandex Metrica and Meta Pixel only target Android users. Because iOS browsers enable developers to programmatically create localhost connections that apps can monitor on local ports, the researchers say that targeting the platform may be technically possible.
However, the researchers noted that Android has more stringent controls in app store vetting procedures to prevent such abuses, while iOS has more controls over localhost communications and background execution of mobile apps. Because of this excessively lenient design, Yandex Metrica and Meta Pixel are able to send web requests carrying web tracking identifiers to particular local ports that are constantly watched by the Yandex, Facebook, and Instagram apps. Even when the user is in private browsing mode, these apps can link pseudonymous web identities with real user identities, thereby de-anonymizing users’ activity on websites that use these trackers.
Yandex Metrica and Meta Pixel are analytics scripts made to help advertisers gauge the success of their advertising campaigns. Meta Pixel and Yandex Metrica are estimated to be installed on 50.8 million and 3 million sites, respectively.
Meta and Yandex get around these restrictions by abusing fundamental features of modern mobile browsers that permit browser-to-native-app communication. These features let browsers send web requests to local Android ports in order to support services such as file sharing, developer debugging, and media connections via the WebRTC protocol.
Despite having different technical foundations, both Meta Pixel and Yandex Metrica use what the researchers call a “weird protocol misuse” to obtain unapproved access to localhost ports on the 127.0.0.1 IP address. Browsers connect to these ports without informing the user. The native Facebook, Instagram, and Yandex apps silently listen on those ports, copy the identifiers in real time, and associate them with the user who is currently logged in.
The actions are against the terms of service for its Play marketplace and the privacy expectations of Android users, according to a Google representative.
Referring to the developers of the Meta Pixel and Yandex Metrica JavaScript, the representative stated: “The developers in this report are using capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles. We have already opened our own investigation, made adjustments to lessen these intrusive tactics, and are in direct communication with the parties.”
In response to inquiries via email for this article, Meta said: “We are currently negotiating with Google to resolve a possible misunderstanding about how their policies are being applied. After learning about the issues, we made the decision to put the feature on hold while we collaborate with Google to fix the problem.”
An email requesting comment was not answered by Yandex representatives.
How Android users are de-anonymized by Yandex and Meta
Since the practice started last September, Meta Pixel developers have exploited a number of protocols to carry out the covert listening. Initially, the script caused browsers to send HTTP requests to port 12387. A month later, Meta Pixel stopped sending this data, although the Facebook and Instagram apps continued to listen on the port.
In November, Meta Pixel changed its approach, switching to WebSocket, a two-way communication protocol, over the same port 12387.
That same month, Meta Pixel introduced a further technique using WebRTC, a real-time peer-to-peer communication protocol frequently used for audio or video calls in the browser. This approach relies on a complex procedure called SDP munging, in which JavaScript code alters Session Description Protocol data before it is transmitted. Meta Pixel’s SDP munging method, which is still in use today, inserts the _fbp cookie content into fields intended for connection data. The browser then sends that data to the Android localhost as part of a STUN request, where the Facebook or Instagram app can read it and link it to the user.
A beta version of Chrome released in May introduced a mitigation that blocked Meta Pixel’s kind of SDP munging. Within days, Meta Pixel added a new technique that switched from STUN to TURN requests, allowing it to get around the mitigation.
The researchers gave a thorough explanation of the _fbp cookie in a post, explaining how it travels from a website to the native app and then to the Meta server.
1. After the user launches the native Facebook or Instagram app, a background service is created that listens for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580–12585). Users need to be signed in to the apps with their login information.
2. The user opens their browser and accesses a website that integrates the Meta Pixel.
3. At this point, some websites do not embed Meta Pixel until they have received user consent. Websites that require consent are a minority, according to our measurements of the top 100,000 homepages (more than 75% of affected sites do not require user consent).
4. The Meta Pixel script loads and sends the _fbp cookie to the native Facebook or Instagram app through WebRTC (STUN) SDP munging.
5. Additionally, the Meta Pixel script sends a request to https://www.facebook.com/tr with the _fbp value, along with further parameters such as the event type (ev; e.g. PageView, AddToCart, Purchase, or Donate), the page URL (dl), and browser and website metadata.
6. The Facebook or Instagram app takes the _fbp cookie received from the browser’s Meta JavaScripts and sends it to the GraphQL endpoint (https://graph[.]facebook[.]com/graphql), along with other persistent user identifiers, linking the user’s Facebook or Instagram account to their _fbp ID (web visit).
Yandex Metrica was first known to link websites visited in Android browsers to app identities in May 2017, when it began sending HTTP requests to local ports 29009 and 30102. In May 2018, Yandex Metrica also started sending the data over HTTPS to ports 29010 and 30103. Both approaches were still in use at the time of publication.
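As an added check for the listening ports described in the Meta Pixel steps and the Yandex Metrica paragraph above (this code is not from the researchers or the article), the following Python parses an `ss -tulpn` style socket listing, as it could be collected from an Android device over `adb shell` where `ss` is available, and flags any listener on the localhost ports the article names: TCP 12387/12388 and UDP 12580–12585 for the Meta apps, TCP 29009/30102 and 29010/30103 for Yandex Metrica. The sample listing and its process names are constructed for the example.

```python
import re

# Localhost ports named in the article, keyed by protocol. The Meta apps use the
# first free UDP port in 12580-12585, so the whole range is listed.
SUSPECT_PORTS = {
    "tcp": {
        12387: "Meta (Facebook/Instagram)", 12388: "Meta (Facebook/Instagram)",
        29009: "Yandex Metrica (HTTP)", 30102: "Yandex Metrica (HTTP)",
        29010: "Yandex Metrica (HTTPS)", 30103: "Yandex Metrica (HTTPS)",
    },
    "udp": {p: "Meta (Facebook/Instagram, STUN/TURN)" for p in range(12580, 12586)},
}

# Addresses on which a local app could receive a browser's loopback request.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "*", "[::]", "::", "[::1]"}

# One `ss -tulpn` row: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<proc>.*))?$"
)

# Constructed sample output; process names are placeholders, not real package names.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      50     127.0.0.1:12387     0.0.0.0:*         users:(("com.example.socialapp",pid=1234,fd=88))
udp   UNCONN 0      0      127.0.0.1:12580     0.0.0.0:*         users:(("com.example.photoapp",pid=2345,fd=91))
tcp   LISTEN 0      128    127.0.0.1:29010     0.0.0.0:*         users:(("com.example.searchapp",pid=3456,fd=40))
tcp   LISTEN 0      128    0.0.0.0:5555        0.0.0.0:*         users:(("adbd",pid=100,fd=7))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhcpcd",pid=200,fd=5))
"""


def find_local_listeners(ss_output: str) -> list:
    """Return one dict per socket that listens on a suspect port on a local address."""
    hits = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or a row in an unexpected format
        proto, addr, port = m.group("proto"), m.group("addr"), int(m.group("port"))
        if addr not in LOCAL_ADDRS:
            continue
        label = SUSPECT_PORTS[proto].get(port)
        if label:
            hits.append({"proto": proto, "port": port, "who": label,
                         "process": (m.group("proc") or "").strip()})
    return hits


if __name__ == "__main__":
    for hit in find_local_listeners(SAMPLE_SS_OUTPUT):
        print(f"{hit['proto']}/{hit['port']} -> {hit['who']}  {hit['process']}")
```

A match only shows that something is listening on a port the article associates with these trackers; confirming which app owns the socket still requires the process column or a per-app network audit.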
Some Android browsers already block the trackers’ abusive JavaScript. DuckDuckGo, for example, was already blocking the IP addresses and domains linked to the trackers, which stopped the browser from providing Meta with any identifiers; it also blocked the majority of the Yandex Metrica-related domains. After the researchers informed DuckDuckGo of the incomplete blocklist, its developers added the missing addresses.
The Brave browser also prevented the sharing of identifiers, thanks to its extensive blocklists and a built-in mitigation that blocks requests to localhost without explicit user consent. Vivaldi, another Chromium-based browser, forwards the identifiers to local Android ports under its default privacy setting, though the researchers said that enabling tracker blocking in its settings appears to prevent the browsing history leak.
There must be a better approach
The different fixes implemented by DuckDuckGo, Brave, Vivaldi, and Chrome are functioning as planned, but the researchers warn that they could stop working at any moment.
Regarding the current mitigations, Vallina-Rodriguez stated: “Any browser doing blocklisting will likely enter into a constant arms race, and it’s just a partial solution. It’s challenging to create effective blocklists, and browser developers will need to keep an eye on how this kind of capability is being used in order to identify other hostnames that might be abusing localhost channels and update their blocklists appropriately.”
He went on:
This solution is effective once you know which hostnames are causing the problem, but it isn’t the best approach to address it because trackers might figure out how to get access to this feature (e.g., via additional transient hostnames). A long-term solution should involve designing and developing privacy and security controls for localhost channels so that users are aware of this kind of communication and can possibly impose some control or restrict this use (e.g., a consent form or other comparable user notifications).
The JavaScript was run as Meta and Yandex intended by Chrome and the majority of other Chromium-based browsers. Firefox did the same, though it was unable to carry out the SDP munging described in later iterations of the code for unclear reasons. The production version of Chrome, which was released two weeks ago, started blocking both the STUN and TURN variants of SDP munging after blocking the STUN variant in the early May beta release. In the upcoming weeks, other browsers that use Chromium are probably going to adopt it as well. An email inquiring about Firefox’s intentions to block the behavior in that browser was not answered.
The current fixes, the researchers caution, are so specific to the code in the Yandex and Meta trackers that a simple update could easily get around them.
Gunes Acar, the researcher responsible for the original discovery, said of the Chrome development team at Google: “They know that if someone else comes in and tries a different port number, they may bypass this protection. However, it appears that they wish to convey that they will not put up with this kind of mistreatment.”
According to fellow researcher Vallina-Rodriguez, Android should change how it manages local port access in order to stop the misuse more thoroughly.
He clarified: “The basic problem is that access to the localhost sockets is totally uncontrolled on Android. Users are unable to stop this type of communication from occurring on their devices. Due to the dynamic nature of JavaScript code and the challenge of maintaining blocklists, this type of access should be restricted at the mobile platform and browser level, with stricter platform policies to limit abuse.”
Obtaining consent?
The following researchers are responsible for this discovery:
Aniketh Girish, PhD candidate at IMDEA Networks
Gunes Acar, assistant professor in the Digital Security Group at Radboud University and iHub
Narseo Vallina-Rodriguez, associate professor at IMDEA Networks
Nipuna Weerasekara, PhD candidate at IMDEA Networks
Tim Vlummens, doctoral student at KU Leuven’s COSIC
Acar said he discovered Meta Pixel’s access to local ports while browsing the website of his own university.
Neither Meta nor Yandex has disclosed the tracking to the websites that host the trackers or to the end users who visit those websites. Developer forums show that many websites using Meta Pixel were taken by surprise when the scripts started connecting to local ports.