1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.
2. User visits website on the phone's browser, say something-embarassing.com, which happens to have a Meta Pixel embedded. From the article, Meta Pixel is embedded on over 5.8 million websites. Even in In-Cognito mode, they will still get tracked.
3. Website might ask for user's consent depending on location. The article doesn't elaborate, presumably this is the cookie banner that many people automatically accept to get on with their browsing?
4. > The Meta Pixel script sends the _fbp cookie (containing browsing info) to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
You won't see this in your browser's dev tools.
5. Through the logged-in app, Meta can now associate the "anonymous" browser activity with the logged-in user. The app relays _fbp info and user id info to Meta's servers.
Also noteworthy:
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
> On or around May 17th, Meta Pixel added a new method to their script that sends the _fbp cookie using WebRTC TURN instead of STUN. The new TURN method avoids SDP Munging, which Chrome developers publicly announced to disable following our disclosure. As of June 2, 2025, we have not observed the Facebook or Instagram applications actively listening on these new ports.
So main application for WebRTC is de-anonymisation of users (for example getting their local IP address). Why it is not hidden behind permission I don't understand.
The main application for WebRTC is peer to peer data transfer.
I think you can make the argument that it should be behind a permission prompt these days but it's difficult. What would the permission prompt actually say, in easy to understand layman's terms? "This web site would like to transfer data from your computer to another computer in a way that could potentially identify you"? How many users are going to be able to make an informed choice after reading that?
The existing killer app for WebRTC is video chat without installing an app, which is huge.
Other P2P uses are very cool and interesting as well - abusing it for fingerprinting is just that, abusing a user-positive feature and twisting it for identification, just like a million other browser features.
Because the decision makers don't care about privacy, they only want you to think that you have privacy, thus enabling even more spying.
One solution is to not use the apps and websites from companies that are known to abuse WebRTC or something else.
This is not unique to WebRTC. The same result could be achieved by sending a http request to localhost. The only difference in this case is that using WebRTC doesn't log a http request
Not totally following but it sounds like you are saying one of the things they have been doing involves abusing mandated GDPR cookie notices to secretly track people?
Yes? The cookie in question is First Party, which means you’ve consented to permitting only that party to track you using it, and not permitting its use for wider behavioral tracking across websites.
However, the locally hosted FB/Yandex listener receives all of these first party cookies, from all parties, and the OPs implication is (I think) that now these non-correlateable-by-consent first party cookies can be or are being used to track you across all sites that use them.
IANAL, but it's not GDPR-conformant consent in any way. Consent needs to be informed, unambiguous, and freely given to be valid and should be easy to reject. The only way for this to be valid would be a consent form with something like:
Allow Meta tracking to connect the Facebook or Instagram app on your device to associate visits to this website with your Meta account. Yes/No (With No selected as a default.)
I am pretty sure that this is a grave violation of the GDPR.
A reminder that it's possible to use tools like XPL-EX to circumvent those attempts. Also ad blocking via adaway would do the trick here I assume, as it should block Meta Pixel tracking. Overall, awful approach.
I wish we could just ban advertising and tracking on the internet. I feel like so much crap these days has come out of it, all so that CEOs can afford an extra yacht
It's already enough to just have plain ads. Like we have them on the streets, at the bus station, newspapers, etc. No tracking needed at all, just give out the message. If you need to target people to it in the context of the place or content you are showing it with. But you don't need to know anything about the user seeing the ad. Targeting by user doesn't work anyway.
Depending on the data you collect, targeting by user - unfortunately - works. If the granularity is not one user, it will be a hundred. If not, a thousand, and so on. I've seen apps run ads targeting a total of 5 cohorts(together holding a hundred million users), and I've seen companies run ads targeting 100s of cohorts with the same number of users. They all work better than no targeting at all.
However what you're saying isn't completely wrong. I've also seen user targeting become a self-fulfilling prophecy. What happens is that it's championed by a high level executive as the panacea for improving revenue, implemented, and seen to not work. Now, as we all now, the C*O is Always Correct, so everything else around it is modified until the user-level targeting A/B test shows positive results. Usually this ends up in the product being tortured into an unusable mess.
I don't think it has to go that far. I think there's a middle ground here that people would accept: show us ads, but make it a one-way firehose, like TV and billboards. If you need to advertise to pay for the site, put up all the banners you want. But don't try to single me out for a specific one.
If it could pay for network TV there's no reason it can't pay for a website.
(You could still do audience-level tracking, e.g. "Facbebook and NCIS are both for old people, so advertise cruises and geriatric health services on those properties")
The problem is their greed is unlimited and their power/influence and purchasing power is relative to all of the other billionaires corrupting government and making every little facet of life of ordinary people more expensive, miserable, transactional, and punitive.
Reddit has fairly extensive device fingerprinting. And they are selling data for training AI models. It's only a matter of time before there is some premium phone app that monetizes data that otherwise isn't available/for sale.
This type of thing is pure greed, completely distinct from a highly aggressive pursuit of far more lucrative opportunities that average businessmen have been able to accomplish in the extreme interest of their shareholders.
Those true leaders are the traditional examples who have shown success over the centuries, without letting any greed whatsoever become a dominant force, recognizing and moving in the opposite direction from those driven by overblown self-interest, who naturally have little else to offer. It can be really disgraceful these days but people don't seem to care any more.
That's one thing that made them average businessmen though.
Now if you're below-average I understand, but most companies' shareholders would be better off with a non-greedy CEO, who outperforms by steering away from underhanded low-class behavior instead.
Now if greed is the only thing on the table, and somebody like a CEO or decision-making executive hammers away using his only little tool with admirable perseverance long enough, it does seem to have a likelihood of bringing in money that would not have otherwise come in.
This can be leveraged too, by sometimes even greedier forces.
All you can do is laugh, those shareholders might be satisfied, but just imagine what an average person could do with that kind of resources. It would put the greedy cretins to shame on their own terms.
And if you could find an honest above-average CEO, woo hoo !
The majority of internet users are either unwilling or unable to pay for content, and so far advertising has been the best business model to allow these users to access content without paying. Do you have a better suggestion?
They are able, because in the end advertising is also paid by customers. The complications are:
- Paying for services is very visible, whereas the payment for advertising is so indirect that you do not feel like you are paying for it.
- The payments for advertising are not uniformly distributed, people with more disposable income most likely pay more of overall advertising. But subscriptions cannot make distinctions between income.
- People with disposable income are typically the most willing to pay for services. However, they are also the most interesting to advertisers. For this reason, payment in place of ads is often not an option at all, because it is not attractive to websites/services.
I think banning advertising would be good. But I think a first step towards that would be completely banning tracking. That would make advertisements less effective (and consequently less valuable) and would pose services to look for other streams of income. Plus it would solve the privacy issue of advertising.
>The majority of internet users are either unwilling or unable to pay for content
Except for Spotify, News subscriptions, videogame subscriptions, video streaming services, duolingo, donations, gofundmes, piracy services!, clothing and food subscriptions! etc etc
People pay $10 for a new fortnite skin. You really pretending they won't pay for content?
People were willing to pay for stuff on the internet even when you could only do so by calling someone up and reading off your credit card number and just trusting a stranger.
Meanwhile, the norm until cable television for "free" things like news was that you either paid, or you went to the library to read it for free.
Sure, this entire business model has been cataclysmic for traditional media organizations and news outlets and peoples trust in institutions has plummeted in correlation, so, let’s just fucking scrap it and go back to payed media.
I think that might be a rhetorical device bequeathed to you by the social media companies.
People of course do pay for things all the time. It’s just the social media folks found a way to make a lot more money than people would otherwise pay, through advertising. And in this situation, through illegal advertising.
The best thing we can all do is refuse to work for Meta. If good engineers did that, there would be no Meta. Problem solved. But it seems many engineers prefer it this way.
By defining the $thing, banning the $thing per definition by law, and then tasking FBI-like organization enforce the law? It won't completely go away but it will subside, like how gambling on Internet is divided binary and confined into lootbox games without cashing features and straight up scam underground casinos.
Personally I think we should start from separating good old ads(that existed before I was 15) and Internet "ads". The old ads were still somewhat heavily targeted, but less than it is now. There probably would be an agreeable line up to which level advertisement efforts can be perverted.
I think the main problem is lots of money are made from it, and money influences politics hugely. The technical difficulties are low on the list of reasons this is not happening.
A lot of things I would have previously said were impossible have happened in the last half year. If only a few of those things were of the impossibly good type.
...and so consumers can use services/products without having to fork over money.
People love the ad-model. Given the option to pay or use the "ad-supported" option, the ad-supported one wins 10 to 1. This means in many cases it doesn't even make sense to have a paid option, because the ad option is just so much more popular.
As bad as crypto is, with all the negative things attached to it, BAT was probably one of the smartest things to be invented. A browser token that automatically dispenses micropayments to websites you visit. Forget all the details to get snagged on, the basic premise is solid: Pay for what you use. You become the customer, not the advertisers.
Also a note about ad-blocking - it only makes the problem worse. It is not a "stick it to the man" protest. You protest things by boycotting them, or paying their competitors, not by using them without compensating them.
There is no such thing as a free lunch. Consumers on average are forking over the money. Otherwise no one would pay for advertising. And they are paying more than they would have otherwise since this dystopian tracking apparatus isn't free either.
Yes, we need ads for a free internet, today. And, as a result, we also have our privacy eroded - eroded in ways we may not care about today, but will probably regret tomorrow.
If we must pay for the internet, give me an option to pay to use it where I see no ads and my privacy is preserved. Let me know what that cost is and I'll decide what I want to do.
Right now, the actual pricing is obscured so we just "accept" that the internet in its current form is how it needs to be.
I really liked the concept of BAT but the reality left me wanting.
Things like "we'll hang on to the tokens of sites that don't use BAT yet for them until they join" gave negative vibes.
It all felt a little underbaked. I swing back to Brave once in a blue moon and then remember I've got at least $20's worth of BAT lost forever somewhere.
The deprecation of third-party cookies, that all browsers were at one point on track to implement, was pretty much the most realistic first step to that. Which is why Google killed it last year by leveraging their control over Chrome.
While not technically a crime, it was a disgusting, unethical market manipulation move that never really got the public outrage it deserved.
Google execs’ initial support for it was also telling: leadership at Google must literally thought they would find another way to stay as profitable as they are without third-party cookies. Put another way: Google leadership didn’t understand cookies as well as someone who’s taken a single undergrad web dev class. (Or they were lying all along, and always planned to “renege” on third-party cookie deprecation.)
I don't think that's quite what happened. Google got in anti-trust trouble because they have an unfair advantage in user-tracking, given logged in Chrome accounts. Removing third-party cookies hurts other privacy-invading companies without substantially affecting Google. It was still somewhat on track to be removed from Chrome until they lost their antitrust battle, and Chrome was required to be spun off. With Chrome's new future, and Google's new legal constraints, there's less incentive to try and make Privacy Sandbox work. At least, that was my understanding; I didn't follow it all that closely.
This is very misleading. Google was prevented from disabling third-party cookies due to intervention by the CMA, who felt it would provide an unfair advantage over other advertisers. Google argued their case for years, proposed competing standards to act as a replacement (see Topics API), and eventually gave up on the endeavour altogether and simply made it a user toggle.
That's a bit ironic, considering how they're using any side channel they could lay their hands on (e.g. Wi-Fi AP names) to track everyone. Basically every large app vendor with multiple apps does something similar to circumvent OS restrictions as well.
The EU should set some record breaking fines for this.
Maybe it's time to invent a tax that starts at 0% and goes up 1-X% every time your hand is cought in the cookie jar. And add a corresponding website where you can clearly see all violations by company.
I agree they should. But I don't think the EU has any real ability to send American tech execs to jail. At most they can stop them doing business in the EU.
I am not sure which Meta apps open ports, but e.g. Samsung phones come with a bunch of Meta apps pre-shipped. IIRC just removing the Facebook app is is not enough, there is another service installed that is not visible as an app (com.facebook.services etc.), which you can only uninstall from the data partition with something like ADB/UAD.
I remember a few years ago analyzing a modern Samsung phone's web traffic. It had by far the most ad-related and monetizing connections out of any other phone I've ever seen. And they were part of "necessary" functions, so you couldn't just block that traffic.
Samsung has great tech, but I avoid because it's so bloated and abusive.
I tend to buy stock Android, e.g. Motorola moto g30, etc. It still has lots of Google stuff, but you can get rid of them, and I have a work profile specifically designed for Google-related stuff, and my personal profile is de-Googled as much as possible.
Samsung devices are loaded with malware and AI slop in general. I'd avoid them if you at all care about privacy. Since Google is still missing end to end encryption for cloud data, iOS seems like the only good choice currently.
> Not only our their websites painful which discourages use, websites are more sandboxed.
This isn't remotely true. It is pretty trivial for a well-resourced engineering organization to generate unique fingerprints of users with common browser features.
Would an individual using this technique to collect information from someone else's computer possibly face prosecution under the Computer Fraud and Abuse act?
People have been prosecuted under that act for clicking "view source" on their web browser. The crime itself is irrelevant. It's more about who you are/what connections you have/who you piss off.
This only works if you control the code on both sides (ie. on the website being visited and an app running on the phone). It's not some sort of magic hack that allows you to exfiltrate arbitrary browser history. Therefore it's unclear how it can be construed as "hacking" in any meaningful way. As bad non-consensual tracking done by google/meta/whatever are, it's not covered under CFAA.
I agree it's not hacking, but the Computer Fraud and Abuse act seems to have a pretty broad definition of computer fraud and abuse. In particular, the technique seems like it might (emphasis mine) "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value …". Would the other person have a reasonable belief that they didn't authorize access to information which their OS attempts to prevent access to?
The yandex one uses client/browser-side code to exfiltrate; it’s within the realm of possibility to abuse this, given a user visits a site under your control.
On the FB side, I can see a malicious user potentially poisoning a target site visitors’s ad profile or even social media algorithm with crafted cookies. Fill their feed with diaper ads or something.
I don't know, you're purposefully abusing oversights to completely bypass the sandbox. It's an exploit for sure in my mind, and it seems very intentionally done. Like, it was done this way specifically because it allows them to circumvent other protections they know existed.
*: Meta Pixel script was last seen sending via HTTP in Oct 2024, but Facebook and Instagram apps still listen on this port today. They also listen on port 12388 for HTTP, but we have not found any script sending to 12388.
**: Meta Pixel script sends to these ports, but Meta apps do not listen on them (yet?). We speculate that this behavior could be due to slow/gradual app rollout.
So, could some other app send data to these ports with a fake message? I'm asking for a friend that likes to do things for science.
Which, per the OP, the site would be doing by merely including the Meta pixel, which practically every e-commerce and news site does to track its campaigns and organic traffic.
The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity in that app for an unknown amount of time. And even with the tracking code deactivated, cookies may still persist on those secondary profiles that still allow for linking future activity.
All apps + the web browser being able to communicate freely over a shared localhost interface is such a glaring security hole that I'm surprised both iOS and Android allow it. What even is a legitimate use case for an app starting a local web server?
Doesn't iOS prompt you to give apps permission to connect to your local network? "App would like to find and connect to devices on your local network" or something along those lines. I always hit the "no thanks" button.
I expose a LAN accessible status board from an app via HTTP. The app runs completely offline, thus I can't rely on something hosted on the public internet.
My last electron app did effectively the same thing. I took the hosted version of my app and bundled in electron for offline usage with the bundled app being just a normal web application started by electron.
A long time ago I used it to work around an iOS limitation that prevented apps from simultaneously streaming audio and caching it. You could give the media player a URL for a remote stream, but you couldn’t read the same stream. The alternative was to get the stream yourself and implement your own media player. I didn’t want to write my own media player, so I requested the stream myself in order to cache it, plus fed it back to the
OS media player via localhost http. Total hack, but it worked great. I wonder if they ever took that code out. It’s got hundreds of millions of installs at this point.
Does the Yandex HTTPS one mean they're shipping the private key for their cert in the app, therefore anything running on localhost (or on a network with poisoned DNS) can spoof the yandexmetrica site?
Yes, but presumably they aren't hosting anything on yandexmetrica.com, so any attackeright as wel register yandexmetrica.net and get an ssl cert for that.
These sites both have the same potential for abuse.
A comment I wrote in another HN thread [0] covering this issue:
Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install, it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.
There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors like shown in the article.
Ebay for example uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].
I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN intruding web requests that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.
That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane webRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.
Yep! Unfortunately its main method (as far as I remember from when I first read the proposal at least, it may do more) is adding preflight requests and headers to opt-in, which works for most cases yet doesn't block behind-the-lines collaborating apps like mentioned in the main article. If there's a listening app (like Meta was caught doing) that's expecting the requests, this doesn't do much to protect you.
EDIT: Looks like it does mention integrating into the permissions system [0], I guess I missed that. Glad they covered that consideration, then!
I agree, yet at least you can kind of see where they're coming from.
I guess a better example would be the automatic hardware detection Lenovo Support offers [0] by pinging a local app (with some clear confirmation dialogs first). Asus seems to do the same thing.
uBlock Origin has a fair few explicit exceptions made [1] for cases like those (and other reasons) in their filter list to avoid breakages (notably Intel domains, the official Judiciary of Germany [2] (???), `figma.com`, `foldingathome.org`, etc).
IMO browsers should not just block the request but block the whole website with one of those scary giant red banners if something like this is attempted. If all websites get for trying to work around privacy protections is that their attempts might not succeed then there is little incentive not to try.
webrtc was supposed to be for real-time comms, not fingerprinting people based on what random apps they have running on localhost. the fact that a browser sandbox still leaks this info is wild. like, you’re telling me port 43800 says more about me than a cookie ever could?
and of course, this all runs under the radar—no prompt, no opt-in, just “oh hey, we’re just scanning your machine real quick.” insane. might as well call it metascan™.
kinda makes me nostalgic for simpler times—when tracking meant throwing 200 trackers into a <script> tag and hoping one stuck. now it’s full-on black ops.
i swear, i’m two updates away from running every browser in a docker container inside a faraday cage.
Well, primarily it's the other apps that are saying a lot about you. I think this story emphasises yet again that websites are better for your privacy than apps. (Especially in a browser that has e.g. uBlock Origin, such as Firefox for Android.)
I built a little lan tool https://router.fyi that tries to get LAN data for a sort of online-nmap.
depending on your browser, it's sometimes capable of finding wifi printers and a couple other smart home devices i've manually added.
Of course the ID was easy to abuse, and I assume Google knew this, and also knew they'd need to have rules against abuse... and that they'd need to back up the rules with penalties, like Play Store permaban, legal action for damages, and maybe even referral for criminal investigation (CFAA violation?).
Unfortunately, even if they did have such rules, in this case, Meta is a too-big-to-deplatform tech company.
(Also, even if it wasn't Meta, sketchy behavior of tech might have the secret endorsement of IC and/or LE. So, making the sketchiness stop could be difficult, and also difficult to talk about.)
Google and Apple are owning their whole operating systems. They can do tracking directly in 50 different ways. Other corporations routinely renegotiate deals on sharing the user surveillance data with them, for big big money. So it all has already been paid for, and authorised. The only problem is that some stupid serfs are still making a fuss over it.
If I recall correctly Figma uses it to connect to the locally installed app, and Discord definitely uses it to check if its desktop app is installed by scanning ports (6463-6472).
I'm aware of two blockers for LAN intrusions from public internet domains, uBlock Origin has a filter list called "Block Outsider Intrusion into LAN" [0] under the "Privacy" filters, and there's a cool Firefox extension called Port Authority [1][2] that does pretty much the same thing yet more specifically targeted and without the exclusions allowed by the uBlock filterlist (stuff like Figma's use is allowed through, as you can see in [0]). I've contributed some to Port Authority, too :)
There are surely other ways to achieve this. If you are logged into an app and the site at tbe same time they can use the server to communicate. Discord doesn't need to know if the app is installed to work. That sounds sketchy.
A commenter mentioned [1] that major Russian apps now all ask for permission to read a unique device ID to deanonymize users. The people that stopped Intel from adding such an ID to their CPUs had perfect foresight [2] (too bad later Intel added it anyway). But then it's not hard to guess that if you include a feature whose purpose is to attack the user, it will be used to attack the user.
Probably hard to do for many but the solution seems be not to have their apps installed. It’s crazy to me that people tolerate FB et al on their devices where you have absolutely no control over what they’re doing.
I agree wrt Facebook, but there’s a long tail of useful apps-that-should-be-websites; 1 click for an app versus 45 seconds searching through tabs and re-logging in (etc) can be meaningful, especially when there are fifty of them.
My healthcare provider recently yanked the mobile version of their portal website, and forces users to download their app. Personally, I see the security angle, but still feel like it’s a punch in the face and so I just went back to paper billing and using a PC for healthcare stuff. More of this is coming, I suspect.
Possible, but potentially not as practical due to the iOS’ restrictive background process model. There, background tasks are generally expected to quickly do whatever it is they need to and exit and generally can’t run indefinitely. Periodic tasks are scheduled by the OS, with scheduling requests from apps being more likely to be honored if their processes are well-behaved (quick, low resource, don’t crash, and don’t run too frequently) with badly-behaved processes getting run less often.
Apps that keep themselves open by reporting that they’re playing audio might be able to work around this, but it’d still be spotty since users frequently play media which would suspended those backgrounded apps and eventually bump them out of memory.
A quite obvious attack mechanism, I'm surprised browsers permitted this in the first place. I can't think of a reason to STUN/TURN to localhost. Aside from localhost, trackers can also use all other IP addresses available to the browser to bind their apps/send traffic to.
Now that the mechanism is known (and widely implemented), one could write an app to notify users about attempted tracking. All you need to do is to open the listed UDP ports and send a notification when UDP traffic comes in.
For shit and giggles I was pondering if it was possible to modify Android to hand out a different, temporary IPv6 address to every app and segment off any other interface that might be exposed just because of shit like this (and use CLAT or some fallback mechanism for IPv4 connectivity). I thought this stuff was just a theoretical problem because it would be silly to be so blatant about tracking, but Facebook proves me wrong once again.
I hope EU regulators take note and start fining the websites that load these trackers without consent, but I suspect they won't have the capacity to do it.
> hand out a different, temporary IPv6 address to every app and segment off any other interface that might be expose
Yes, but (AFAIK) not out of the box (unless one of the security focused ROMs already supports this). The kernel supports network namespaces and there's plenty of documentation available explaining how to make use of those. However I don't know if typical android ROMs ship with the necessary tooling.
Approximately, you'd just need to patch the logic where zygote changes the PID to also configure and switch to a network namespace.
I've looked into network namespaces a bit but from what I can tell you need to do a lot of manual routing and other weird stuff to actually make IPv6 addresses reachable through them.
In theory all you need to do is have zygote constrain the app further with a network namespaces, and run a CLAT daemon for legacy networks, but in practice I'm not sure if that approach works well with 200 apps that each need their IPs rotated regularly.
Plus, you'd need to reconfigure the sandbox when switching between WiFi/5G/ethernet. Not impossible to overcome, but not the weekend project I'd hoped it would be.
"UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed."
I'm surprised they're allowed to listen on UDP ports, IIRC this requires special permissions?
> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.
Borders on criminal behavior.
Apparently this was a European team of researchers, which would mean that Meta very likely breached the GDPR and ePrivacy Directive. Let's hope this gets very expensive for Meta.
As someone who works for a similar large org, it's just as likely that some low level programmer put it in without much thought, and then this got surfaces to higher up people who didn't know about it and told them to remove it immediately.
Hopefully not too late to make it into the lawsuit. Assholes.
I sure hope there's a lawsuit. Over the last ten years, I've gotten over $2,000 in lawsuit settlement checks from Meta, alone.
I have a savings account at one of my banks that I use just for these settlement checks. Sometimes they're just $5. Sometimes they're a lot more. I think the most I ever got was around $500.
It's a little bit here, and a little bit there, but at the rate it's going, in another five years, I'll be able to buy a car with privacy violation money.
> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.
And people on HN dismiss those who choose to browse with Javascript disabled.
There's a reason that the Javascript toggle is listed under the Security tab on Safari.
These companies have demonstrated repeatedly that fines are just the cost of doing business. Doesn't matter if you charge them $1 million or $1 billion. They have still made significantly more than that from the crime.
Yes, preventing the app from running in the background (entirely) would prevent it from listening on a port and collaborating with websites via this exploit.
As for the second part: no, logging out of the apps would not necessarily be enough. The apps can still link all the different web sessions together for surveillance purposes, whether or not they are also linked to an account within the app. Meta famously maintains "shadow profiles" of data not (yet) associated with a user of the service. Plus, the apps can trivially remember who was last logged in.
Unfortunately in modern web uMatrix is just incredibly annoying. Nearly every site breaks for various reasons and often allowing everything in uMatrix still doesn't fix the issue.
Card payments, especially with 3D secure that use iframes, are one of the biggest problems. This often leads to creating new order several times since allowing something + reloading loses the entire flow.
Captchas are also massive pain, probably because they can't fingerprint as well as normally?
Life after having disabled uMatrix completely has been better.
It just wants to make me bin my phone tbh. Thank God for RMS and Linus that at least you can run GNU and Linux on a laptop as there is little left outside the panopticon.
There are over 300M companies in the world. It seems only 2 companies did this. So look at the revenue models of the other 299,999,998 companies. Meta only started this less than a year ago, so look at their revenue model prior to that.
Imagine a website not being a trojan horse, but directly serving non-targeted advertising to users at the same level as their content.
They could target it by tailoring it to content they're serving, just like I'd be ok with seeing an ad for a new car when I'm on a page reading about the properties of a given combustion engine.
Unauthorized access to a computer system. I'm sure if I connected to some port on a computer belonging to Meta without them wanting it, that would be the crime I would be charged with. But somehow if Meta connects to a port on my phone without me agreeing to it, it's not a crime?
And with all that tracking and spying on me, plus a boatload of voluntarily submitted data, and Facebook still can't/won't show me any relevant advertising. I mean, even from the corpo point of view. Whenever I open my feed to read something, I see a boatload of complete garbage ads. Like, they are neither enticing to me nor they are promoting something corpos may want to shove in my fae so I would remember, like some Coca-Cola or whatever product. But no, they have nothing.
I've just opened my feed in FB and let's see what ads will be today:
Group Dull Men's Club - some garbage meme dump, neither interesting nor selling any product or service.
Women emigrant group - I'm a male and in different location.
Rundown - some NN generated slop about NN industry
Car crash meme group from a different location.
Math picture meme group
LOTR meme group
Photo group with a theme I'm not interested
Repeat of the above
Another meme group
Roland-Garros page - I've never watched tennis or wrote about it. My profile has follows of a different sport pages altogether. None of those rise in the ads.
Another fact/meme group
Repeat
Repeat
Another fact/meme group
Expat group from incorrect location
And so on it goes. Like, who pays for all this junk? Who coordinates targeting? Why do they waste both their and mine capacity for something that useless both for me and Facebook? I would understood if FB had ads of products/services, or something that loosely follows by likes. But what they have is a total 100% miss. It's mindboggling.
I guess the meme group ads are to draw you in, once you follow them they get to push you actual ads and it costs them less because Facebook doesn't charge them, thinking you want to see the group's posts. It must work to some extent.
I'm incredibly glad this isn't occurring in the UK + EU, because GDPR and the huge fines levied against Meta in the past have scared them sufficiently into not doing this kind of behaviour.
I wonder if companies like Wetter Online (from whom we know that they're selling the location data to brokers [0]) or ad service providers which offer libraries do the same.
If it were so, Google should be knowingly be allowing this to happen and be a co-conspirator. I mean, they surveil our devices as if it were their home. Impossible that they're not aware.
All Meta software is spyware. Whether it's an app or a website, they are only in existence for you to be pacified to spend as much time on them as possible so they can hoover up your data. If those apps/websites provide you with anything useful, it is just as a ruse to get more data from you.
To me it's weird that they're willing to misuse browser APIs so blatantly for interprocess communication, when, as I understand it, server-side correlation using a combination of IP, battery level and screen dimensions probably already gets them 95% of the surveillance capability.
Ah yes, and every small Android dev is banned from Play and Admob for tiny unknown reasons, with no recourse or way to communicate with Google. But Meta here probably won't get any problems at all. They should be temporarily banned!
Another similar tracking vector that lets any app detect all installed apps by using android.intent.action.MAIN Query: https://news.ycombinator.com/item?id=43518866 , 482 comments)
Zero. People who work on ad-tech build ad-tech all day long, that's the entire job.
Seriously, why do you think all of the unquestionable things humanity has built have been built? It's because it's all just part of the job, for somebody.
People working at ad-tech question the things they're building just like the people at McDonalds flipping a burger are questioning the cholesterol levels of their customers. They're not.
I mean, it is kind of a cool work around. There's a lot of motivation in telling someone they can't do something where "hide and watch" is a pretty typical response. The creative thinking that comes up with ideas like this is not something to discourage. It is a shame that the effort is for such a shit purpose, but these "people" are not stupid, and not many other areas offer these kind of challenges.
In the early days of the information revolution, when computers were new and being nerdy was still seen (almost universally) as a bad thing, a very high proportion of computer enthusiasts were people already on the fringes of society, for one reason or another. For a large number of them, hacking was a way to express their preexisting antiestablishment tendencies. For a lot of them, they were also your basic angsty adolescents and young adults rebelling against The Man as soon as they found any way to do so.
As time went on, computers became more mainstream, and lots more people started using them as part of daily life. This didn't mean that the number of antiestablishment computer users or hackers went down—just that they were no longer nearly so high a percentage of the total number of computer users.
So the answer to "what happened to all the hackers fighting for personal freedom and privacy?" is kinda threefold:
1) They never went away. They're still here, at places like the EFF, fighting for our personal freedom and privacy. They're just much less noticeable in a world where everyone uses computers...and where many more of the prominent institutions actually know how to secure their networks.
2) They grew up. Captain Crunch, the famous phreaker, is 82 this year. Steve Wozniak is 74. And while, sure, some people reach that age and still maintain not merely a philosophy, but a practice, of activism, it's much harder to keep up, and even many of those whose principles do not change will shift to methods that stay more within the system (eg, supporting privacy legislation, or even running for office themselves).
3) They went to jail, were "scared straight", or died. The most prominent example of this group is, of course, Aaron Swartz, but many hacktivists will have had run-ins with the law, and of those many of them will have turned their back on the lifestyle to save themselves (even Captain Crunch was arrested and cooperated with the FBI).
Thanks for your thoughts! How can we create more hackers? I think the fear of punishment has really put a damper on things but not sure how that can be avoided.
Eh. You can have a very comfortable career doing work that still lets you look at yourself in the mirror. You don’t have to choose to burn the world to pay the rent.
Also: Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940 - June 2025 (26 comments)
This is the overall process used by Meta as I understand it, taken from https://localmess.github.io/:
1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.
2. User visits website on the phone's browser, say something-embarassing.com, which happens to have a Meta Pixel embedded. From the article, Meta Pixel is embedded on over 5.8 million websites. Even in In-Cognito mode, they will still get tracked.
3. Website might ask for user's consent depending on location. The article doesn't elaborate, presumably this is the cookie banner that many people automatically accept to get on with their browsing?
4. > The Meta Pixel script sends the _fbp cookie (containing browsing info) to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
You won't see this in your browser's dev tools.
5. Through the logged-in app, Meta can now associate the "anonymous" browser activity with the logged-in user. The app relays _fbp info and user id info to Meta's servers.
Also noteworthy:
> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.
> On or around May 17th, Meta Pixel added a new method to their script that sends the _fbp cookie using WebRTC TURN instead of STUN. The new TURN method avoids SDP Munging, which Chrome developers publicly announced to disable following our disclosure. As of June 2, 2025, we have not observed the Facebook or Instagram applications actively listening on these new ports.
> something-embarassing.com,
Depending on the country that you or your family lives in, this could be far worse than embarrassment.
[flagged]
So main application for WebRTC is de-anonymisation of users (for example getting their local IP address). Why it is not hidden behind permission I don't understand.
The main application for WebRTC is peer to peer data transfer.
I think you can make the argument that it should be behind a permission prompt these days but it's difficult. What would the permission prompt actually say, in easy to understand layman's terms? "This web site would like to transfer data from your computer to another computer in a way that could potentially identify you"? How many users are going to be able to make an informed choice after reading that?
41 replies →
The existing killer app for WebRTC is video chat without installing an app, which is huge.
Other P2P uses are very cool and interesting as well - abusing it for fingerprinting is just that, abusing a user-positive feature and twisting it for identification, just like a million other browser features.
2 replies →
Because the decision makers don't care about privacy, they only want you to think that you have privacy, thus enabling even more spying. One solution is to not use the apps and websites from companies that are known to abuse WebRTC or something else.
This is not unique to WebRTC. The same result could be achieved by sending a http request to localhost. The only difference in this case is that using WebRTC doesn't log a http request
3 replies →
> 1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.
I happened to be immune, I disabled Background App Refresh in iOS settings. All app notifications still work, except WhatsApp :(
https://forums.macrumors.com/threads/any-reason-to-use-backg...
> except whatsapp
> company checks out
> User logged into FB or IG app. The app runs in background
So a takeaway is to avoid having Facebook or Instagram apps on your phone. I'm happy to continue to not have them.
Any others? e.g. WhatsApp. Sadly, I find this one a necessary communication tool for family and business in certain countries.
Not totally following but it sounds like you are saying one of the things they have been doing involves abusing mandated GDPR cookie notices to secretly track people?
Yes? The cookie in question is First Party, which means you’ve consented to permitting only that party to track you using it, and not permitting its use for wider behavioral tracking across websites.
However, the locally hosted FB/Yandex listener receives all of these first party cookies, from all parties, and the OPs implication is (I think) that now these non-correlateable-by-consent first party cookies can be or are being used to track you across all sites that use them.
2 replies →
IANAL, but it's not GDPR-conformant consent in any way. Consent needs to be informed, unambiguous, and freely given to be valid and should be easy to reject. The only way for this to be valid would be a consent form with something like:
Allow Meta tracking to connect the Facebook or Instagram app on your device to associate visits to this website with your Meta account. Yes/No (With No selected as a default.)
I am pretty sure that this is a grave violation of the GDPR.
1 reply →
Which, on the face of it, sounds like a violation of the GDPR...
1 reply →
>abusing mandated GDPR cookie notices to secretly track people?
How does that even work? What can GDPR cookie notices can do that the typical tracker can't do?
1 reply →
A reminder that it's possible to use tools like XPL-EX to circumvent those attempts. Also ad blocking via adaway would do the trick here I assume, as it should block Meta Pixel tracking. Overall, awful approach.
I wish we could just ban advertising and tracking on the internet. I feel like so much crap these days has come out of it, all so that CEOs can afford an extra yacht
It's already enough to just have plain ads. Like we have them on the streets, at the bus station, newspapers, etc. No tracking needed at all, just give out the message. If you need to target people to it in the context of the place or content you are showing it with. But you don't need to know anything about the user seeing the ad. Targeting by user doesn't work anyway.
> Targeting by user doesn't work anyway.
How did you reach this conclusion? The main problem is that it works way better than traditional marketing medium.
It's the reason Google and Facebook are so massive, why would publishers choose to pay them if it doesn't work?
4 replies →
Depending on the data you collect, targeting by user - unfortunately - works. If the granularity is not one user, it will be a hundred. If not, a thousand, and so on. I've seen apps run ads targeting a total of 5 cohorts(together holding a hundred million users), and I've seen companies run ads targeting 100s of cohorts with the same number of users. They all work better than no targeting at all.
However what you're saying isn't completely wrong. I've also seen user targeting become a self-fulfilling prophecy. What happens is that it's championed by a high level executive as the panacea for improving revenue, implemented, and seen to not work. Now, as we all now, the C*O is Always Correct, so everything else around it is modified until the user-level targeting A/B test shows positive results. Usually this ends up in the product being tortured into an unusable mess.
2 replies →
I don't think it has to go that far. I think there's a middle ground here that people would accept: show us ads, but make it a one-way firehose, like TV and billboards. If you need to advertise to pay for the site, put up all the banners you want. But don't try to single me out for a specific one.
If it could pay for network TV there's no reason it can't pay for a website.
(You could still do audience-level tracking, e.g. "Facbebook and NCIS are both for old people, so advertise cruises and geriatric health services on those properties")
The problem is their greed is unlimited and their power/influence and purchasing power is relative to all of the other billionaires corrupting government and making every little facet of life of ordinary people more expensive, miserable, transactional, and punitive.
Reddit has fairly extensive device fingerprinting. And they are selling data for training AI models. It's only a matter of time before there is some premium phone app that monetizes data that otherwise isn't available/for sale.
This type of thing is pure greed, completely distinct from a highly aggressive pursuit of far more lucrative opportunities that average businessmen have been able to accomplish in the extreme interest of their shareholders.
Those true leaders are the traditional examples who have shown success over the centuries, without letting any greed whatsoever become a dominant force, recognizing and moving in the opposite direction from those driven by overblown self-interest, who naturally have little else to offer. It can be really disgraceful these days but people don't seem to care any more.
That's one thing that made them average businessmen though.
Now if you're below-average I understand, but most companies' shareholders would be better off with a non-greedy CEO, who outperforms by steering away from underhanded low-class behavior instead.
Now if greed is the only thing on the table, and somebody like a CEO or decision-making executive hammers away using his only little tool with admirable perseverance long enough, it does seem to have a likelihood of bringing in money that would not have otherwise come in.
This can be leveraged too, by sometimes even greedier forces.
All you can do is laugh, those shareholders might be satisfied, but just imagine what an average person could do with that kind of resources. It would put the greedy cretins to shame on their own terms.
And if you could find an honest above-average CEO, woo hoo !
The majority of internet users are either unwilling or unable to pay for content, and so far advertising has been the best business model to allow these users to access content without paying. Do you have a better suggestion?
They are able, because in the end advertising is also paid by customers. The complications are:
- Paying for services is very visible, whereas the payment for advertising is so indirect that you do not feel like you are paying for it.
- The payments for advertising are not uniformly distributed, people with more disposable income most likely pay more of overall advertising. But subscriptions cannot make distinctions between income.
- People with disposable income are typically the most willing to pay for services. However, they are also the most interesting to advertisers. For this reason, payment in place of ads is often not an option at all, because it is not attractive to websites/services.
I think banning advertising would be good. But I think a first step towards that would be completely banning tracking. That would make advertisements less effective (and consequently less valuable) and would pose services to look for other streams of income. Plus it would solve the privacy issue of advertising.
1 reply →
Internet users pay for their services by everything they buy being more expensive due to the producers having to cover the advertising expenses.
>The majority of internet users are either unwilling or unable to pay for content
Except for Spotify, News subscriptions, videogame subscriptions, video streaming services, duolingo, donations, gofundmes, piracy services!, clothing and food subscriptions! etc etc
People pay $10 for a new fortnite skin. You really pretending they won't pay for content?
People were willing to pay for stuff on the internet even when you could only do so by calling someone up and reading off your credit card number and just trusting a stranger.
Meanwhile, the norm until cable television for "free" things like news was that you either paid, or you went to the library to read it for free.
Maybe people could visit libraries more again.
Sure, this entire business model has been cataclysmic for traditional media organizations and news outlets and peoples trust in institutions has plummeted in correlation, so, let’s just fucking scrap it and go back to payed media.
3 replies →
I think that might be a rhetorical device bequeathed to you by the social media companies.
People of course do pay for things all the time. It’s just the social media folks found a way to make a lot more money than people would otherwise pay, through advertising. And in this situation, through illegal advertising.
The best thing we can all do is refuse to work for Meta. If good engineers did that, there would be no Meta. Problem solved. But it seems many engineers prefer it this way.
I don't pay for network TV but it still gets produced
4 replies →
The question is how do you ban it, and then how do you prove that people are breaking those rules?
By defining the $thing, banning the $thing per definition by law, and then tasking FBI-like organization enforce the law? It won't completely go away but it will subside, like how gambling on Internet is divided binary and confined into lootbox games without cashing features and straight up scam underground casinos.
Personally I think we should start from separating good old ads(that existed before I was 15) and Internet "ads". The old ads were still somewhat heavily targeted, but less than it is now. There probably would be an agreeable line up to which level advertisement efforts can be perverted.
3 replies →
I think the main problem is lots of money are made from it, and money influences politics hugely. The technical difficulties are low on the list of reasons this is not happening.
https://news.ycombinator.com/item?id=43595269
1 reply →
I know. It's wishful thinking that will never become a reality. I pray for a solarpunk future in the same way
It's impossible and we all know it. Instead, donate or help with the huge adblock lists that are being maintained by a lot of people
A lot of things I would have previously said were impossible have happened in the last half year. If only a few of those things were of the impossibly good type.
As said in a reply to a sibling comment, I am very aware. This is wishful thinking
>all so that CEOs can afford an extra yacht
...and so consumers can use services/products without having to fork over money.
People love the ad-model. Given the option to pay or use the "ad-supported" option, the ad-supported one wins 10 to 1. This means in many cases it doesn't even make sense to have a paid option, because the ad option is just so much more popular.
As bad as crypto is, with all the negative things attached to it, BAT was probably one of the smartest things to be invented. A browser token that automatically dispenses micropayments to websites you visit. Forget all the details to get snagged on, the basic premise is solid: Pay for what you use. You become the customer, not the advertisers.
Also a note about ad-blocking - it only makes the problem worse. It is not a "stick it to the man" protest. You protest things by boycotting them, or paying their competitors, not by using them without compensating them.
There is no such thing as a free lunch. Consumers on average are forking over the money. Otherwise no one would pay for advertising. And they are paying more than they would have otherwise since this dystopian tracking apparatus isn't free either.
Yes, we need ads for a free internet, today. And, as a result, we also have our privacy eroded - eroded in ways we may not care about today, but will probably regret tomorrow.
If we must pay for the internet, give me an option to pay to use it where I see no ads and my privacy is preserved. Let me know what that cost is and I'll decide what I want to do.
Right now, the actual pricing is obscured so we just "accept" that the internet in its current form is how it needs to be.
2 replies →
I really liked the concept of BAT but the reality left me wanting.
Things like "we'll hang on to the tokens of sites that don't use BAT yet for them until they join" gave negative vibes.
It all felt a little underbaked. I swing back to Brave once in a blue moon and then remember I've got at least $20's worth of BAT lost forever somewhere.
1 reply →
The deprecation of third-party cookies, that all browsers were at one point on track to implement, was pretty much the most realistic first step to that. Which is why Google killed it last year by leveraging their control over Chrome.
While not technically a crime, it was a disgusting, unethical market manipulation move that never really got the public outrage it deserved.
Google execs’ initial support for it was also telling: leadership at Google must literally thought they would find another way to stay as profitable as they are without third-party cookies. Put another way: Google leadership didn’t understand cookies as well as someone who’s taken a single undergrad web dev class. (Or they were lying all along, and always planned to “renege” on third-party cookie deprecation.)
I don't think that's quite what happened. Google got in anti-trust trouble because they have an unfair advantage in user-tracking, given logged in Chrome accounts. Removing third-party cookies hurts other privacy-invading companies without substantially affecting Google. It was still somewhat on track to be removed from Chrome until they lost their antitrust battle, and Chrome was required to be spun off. With Chrome's new future, and Google's new legal constraints, there's less incentive to try and make Privacy Sandbox work. At least, that was my understanding; I didn't follow it all that closely.
This is very misleading. Google was prevented from disabling third-party cookies due to intervention by the CMA, who felt it would provide an unfair advantage over other advertisers. Google argued their case for years, proposed competing standards to act as a replacement (see Topics API), and eventually gave up on the endeavour altogether and simply made it a user toggle.
4 replies →
Insidiously calling it "Privacy sandbox", and now setting everything opt-in every time I login to Chrome is really not Googly.
Most commenters on Hacker News hated Google’s plan and hoped it would fail. Were they wrong?
It seems like damned-if-you-do, damned-if-you-don’t.
2 replies →
Actual report: https://localmess.github.io/
>Google says it's investigating the abuse
That's a bit ironic, considering how they're using any side channel they could lay their hands on (e.g. Wi-Fi AP names) to track everyone. Basically every large app vendor with multiple apps does something similar to circumvent OS restrictions as well.
if it were a small company, it'd have been dilisted from google's play store in an instant.
The EU should set some record breaking fines for this.
Maybe it's time to invent a tax that starts at 0% and goes up 1-X% every time your hand is cought in the cookie jar. And add a corresponding website where you can clearly see all violations by company.
There should also be fines, but individuals have gone to jail for less.
I agree they should. But I don't think the EU has any real ability to send American tech execs to jail. At most they can stop them doing business in the EU.
1 reply →
Meta makes $70 billion net per year, after fines.
Another reason not to install big tech's apps and only use their websites if you must.
Not only our their websites painful which discourages use, websites are more sandboxed.
I am not sure which Meta apps open ports, but e.g. Samsung phones come with a bunch of Meta apps pre-shipped. IIRC just removing the Facebook app is is not enough, there is another service installed that is not visible as an app (com.facebook.services etc.), which you can only uninstall from the data partition with something like ADB/UAD.
Or buy an iPhone or a Pixel.
I remember a few years ago analyzing a modern Samsung phone's web traffic. It had by far the most ad-related and monetizing connections out of any other phone I've ever seen. And they were part of "necessary" functions, so you couldn't just block that traffic.
Samsung has great tech, but I avoid because it's so bloated and abusive.
3 replies →
The Pixel "Private Space" feature should prevent Meta apps from running in the background. It also prevents you from getting notifications.
1 reply →
I tend to buy stock Android, e.g. Motorola moto g30, etc. It still has lots of Google stuff, but you can get rid of them, and I have a work profile specifically designed for Google-related stuff, and my personal profile is de-Googled as much as possible.
3 replies →
Article did mention Facebook and Instagram at some versions.
Samsung devices are loaded with malware and AI slop in general. I'd avoid them if you at all care about privacy. Since Google is still missing end to end encryption for cloud data, iOS seems like the only good choice currently.
2 replies →
> Not only our their websites painful which discourages use, websites are more sandboxed.
This isn't remotely true. It is pretty trivial for a well-resourced engineering organization to generate unique fingerprints of users with common browser features.
Wouldn't native apps be even worse in that regard, most of the time?
Would an individual using this technique to collect information from someone else's computer possibly face prosecution under the Computer Fraud and Abuse act?
People have been prosecuted under that act for clicking "view source" on their web browser. The crime itself is irrelevant. It's more about who you are/what connections you have/who you piss off.
Has there actually been a conviction purely for "viewing source"?
1 reply →
exactly, the more interesting question: would anyone be willing to prosecute a Meta executive over this? Sadly, I expect no.
This only works if you control the code on both sides (ie. on the website being visited and an app running on the phone). It's not some sort of magic hack that allows you to exfiltrate arbitrary browser history. Therefore it's unclear how it can be construed as "hacking" in any meaningful way. As bad non-consensual tracking done by google/meta/whatever are, it's not covered under CFAA.
I agree it's not hacking, but the Computer Fraud and Abuse act seems to have a pretty broad definition of computer fraud and abuse. In particular, the technique seems like it might (emphasis mine) "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value …". Would the other person have a reasonable belief that they didn't authorize access to information which their OS attempts to prevent access to?
I'm not a lawyer, so my question is genuine.
The yandex one uses client/browser-side code to exfiltrate; it’s within the realm of possibility to abuse this, given a user visits a site under your control.
On the FB side, I can see a malicious user potentially poisoning a target site visitors’s ad profile or even social media algorithm with crafted cookies. Fill their feed with diaper ads or something.
I don't know, you're purposefully abusing oversights to completely bypass the sandbox. It's an exploit for sure in my mind, and it seems very intentionally done. Like, it was done this way specifically because it allows them to circumvent other protections they know existed.
Yes
So, could some other app send data to these ports with a fake message? I'm asking for a friend that likes to do things for science.
Two ways to f#ck with these trackers - either send them nothing back, or flood them with lots of fake data.
Somebody also needs to come up with a way to peer to peer share advertiser tracking cookies.
Can this cross profiles? That would be a big security issue for corps.
Quick test and if I serve on 8080 on the Userland app it can be accessed from both profiles. So probably yes.
This means an infected app on your personal profile could exchange data with a site visited from a second profile.
Only if that site specifically communicates with an (unauthenticated) service bound to a local port though, right?
Which, per the OP, the site would be doing by merely including the Meta pixel, which practically every e-commerce and news site does to track its campaigns and organic traffic.
The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity in that app for an unknown amount of time. And even with the tracking code deactivated, cookies may still persist on those secondary profiles that still allow for linking future activity.
6 replies →
All apps + the web browser being able to communicate freely over a shared localhost interface is such a glaring security hole that I'm surprised both iOS and Android allow it. What even is a legitimate use case for an app starting a local web server?
> What even is a legitimate use case for an app starting a local web server?
There are apps on iOS that act as shared drives that you can attach via WebDAV. This requires listening on a port for inbound WebDAV (HTTP) requests.
They don't need to listen on localhost though.
Which begs the question why is this specific to Android? Why would Meta/Yandex not be doing this on iOS, or why did this study not report on iOS?
Doesn't iOS prompt you to give apps permission to connect to your local network? "App would like to find and connect to devices on your local network" or something along those lines. I always hit the "no thanks" button.
2 replies →
I expose a LAN accessible status board from an app via HTTP. The app runs completely offline, thus I can't rely on something hosted on the public internet.
My last electron app did effectively the same thing. I took the hosted version of my app and bundled in electron for offline usage with the bundled app being just a normal web application started by electron.
A long time ago I used it to work around an iOS limitation that prevented apps from simultaneously streaming audio and caching it. You could give the media player a URL for a remote stream, but you couldn’t read the same stream. The alternative was to get the stream yourself and implement your own media player. I didn’t want to write my own media player, so I requested the stream myself in order to cache it, plus fed it back to the OS media player via localhost http. Total hack, but it worked great. I wonder if they ever took that code out. It’s got hundreds of millions of installs at this point.
Does the Yandex HTTPS one mean they're shipping the private key for their cert in the app, therefore anything running on localhost (or on a network with poisoned DNS) can spoof the yandexmetrica site?
There is a cert for it in the logs: https://crt.sh/?q=yandexmetrica.com
Yup definitely. Edit: the diagram makes it perfectly clear https://yandexmetrica.com:30103/p?...
It even looks like some of the certs were issued by Yandex to Yandex. I guess their cert division will end up writing an incident report for this.
Yes, but presumably they aren't hosting anything on yandexmetrica.com, so any attackeright as wel register yandexmetrica.net and get an ssl cert for that.
These sites both have the same potential for abuse.
A comment I wrote in another HN thread [0] covering this issue:
Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install, it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.
There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors like shown in the article.
Ebay for example uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].
I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN intruding web requests that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.
That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane webRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.
0: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
There is a specification for blocking this:
https://wicg.github.io/private-network-access/
It gained support from WebKit:
https://github.com/WebKit/standards-positions/issues/163
…and Mozilla:
https://github.com/mozilla/standards-positions/issues/143
…and it was trialled in Blink:
https://developer.chrome.com/blog/private-network-access-upd...
Unfortunately, it’s now on hold due to compatibility problems:
https://developer.chrome.com/blog/pna-on-hold
Yep! Unfortunately its main method (as far as I remember from when I first read the proposal at least, it may do more) is adding preflight requests and headers to opt-in, which works for most cases yet doesn't block behind-the-lines collaborating apps like mentioned in the main article. If there's a listening app (like Meta was caught doing) that's expecting the requests, this doesn't do much to protect you.
EDIT: Looks like it does mention integrating into the permissions system [0], I guess I missed that. Glad they covered that consideration, then!
0: https://wicg.github.io/private-network-access/#integration-p...
Both Firefox [0] and Chrome [1] are working on successors which rely on permissions prompts instead of preflight requests.
[0] https://groups.google.com/a/mozilla.org/g/dev-platform/c/B8o...
[1] https://groups.google.com/a/chromium.org/g/blink-dev/c/CDy8L...
1 reply →
> There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472)
I would not consider this a legitimate use. Websites have no business knowing what apps you have installed.
I agree, yet at least you can kind of see where they're coming from.
I guess a better example would be the automatic hardware detection Lenovo Support offers [0] by pinging a local app (with some clear confirmation dialogs first). Asus seems to do the same thing.
uBlock Origin has a fair few explicit exceptions made [1] for cases like those (and other reasons) in their filter list to avoid breakages (notably Intel domains, the official Judiciary of Germany [2] (???), `figma.com`, `foldingathome.org`, etc).
0: https://pcsupport.lenovo.com/
1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...
2: https://github.com/uBlockOrigin/uAssets/issues/23388 and https://www.bundesjustizamt.de/EN/Home/Home_node.html (they're trying to talk to a local identity verification app seems like, yet I find it quite funny)
1 reply →
Zoom got busted for something similar five years ago now: https://www.zdnet.com/article/zoom-defends-use-of-local-web-...
IMO browsers should not just block the request but block the whole website with one of those scary giant red banners if something like this is attempted. If all websites get for trying to work around privacy protections is that their attempts might not succeed then there is little incentive not to try.
Your DNS server not resolving to localhost may also serve as an additional line of defense.
What does this have to do with the issue here? A website can just connect to 127.0.0.1 , no DNS needed.
I think what you are thinking of are dns rebinding attacks.
webrtc was supposed to be for real-time comms, not fingerprinting people based on what random apps they have running on localhost. the fact that a browser sandbox still leaks this info is wild. like, you’re telling me port 43800 says more about me than a cookie ever could? and of course, this all runs under the radar—no prompt, no opt-in, just “oh hey, we’re just scanning your machine real quick.” insane. might as well call it metascan™.
kinda makes me nostalgic for simpler times—when tracking meant throwing 200 trackers into a <script> tag and hoping one stuck. now it’s full-on black ops.
i swear, i’m two updates away from running every browser in a docker container inside a faraday cage.
Well, primarily it's the other apps that are saying a lot about you. I think this story emphasises yet again that websites are better for your privacy than apps. (Especially in a browser that has e.g. uBlock Origin, such as Firefox for Android.)
The person working on Arcan runs the browser on a separate machine via Remote Desktop with it set to wipe and re-image itself between sessions.
crazy
1 reply →
> webrtc was supposed to be for real-time comms, not fingerprinting people based on what random apps they have running on localhost
Native Apps are doing that, not webrtc. Just prove the web is safer and all that BS about native apps being better is, well, BS.
I built a little lan tool https://router.fyi that tries to get LAN data for a sort of online-nmap. depending on your browser, it's sometimes capable of finding wifi printers and a couple other smart home devices i've manually added.
Firefox about:config toggle media.peerconnection.enabled from true to false
Further, Netguard plus Nebulo in non-VPN mode can stop unwanted connections to Meta servers
Does about:config work on Firefox Android?
It works on Fennec from F-Droid.
What are some reasons to use Firefox Android instead of Firefox Nightly. The later is availlable from Aurora Store.
IME, Nightly has better add-on support. For example, uMatrix works.
Of course the ID was easy to abuse, and I assume Google knew this, and also knew they'd need to have rules against abuse... and that they'd need to back up the rules with penalties, like Play Store permaban, legal action for damages, and maybe even referral for criminal investigation (CFAA violation?).
Unfortunately, even if they did have such rules, in this case, Meta is a too-big-to-deplatform tech company.
(Also, even if it wasn't Meta, sketchy behavior of tech might have the secret endorsement of IC and/or LE. So, making the sketchiness stop could be difficult, and also difficult to talk about.)
Google and Apple are owning their whole operating systems. They can do tracking directly in 50 different ways. Other corporations routinely renegotiate deals on sharing the user surveillance data with them, for big big money. So it all has already been paid for, and authorised. The only problem is that some stupid serfs are still making a fuss over it.
Why don't all browsers, desktop and mobile, just block all cross-origin access to localhost?
For one I think it would break all those "update your BIOS via your motherboard website" apps that probably shouldn't exist anyways.
There probably are some legitimate uses, but I'm straining to come up with them.
Maybe just ask for confirmation
There's effort to define standard behavior here. See https://wicg.github.io/private-network-access/ (although I suspect this document may make a significant shift soon)
I thought they did for resources and JS, which is why Meta have to use WebRTC instead?
I think the Yandex one slips through because CORS does a naive check against just what's in the header, not what it resolves to?
I'm surprised browsers don't isolate each of the localhost/localnet/internet networks from each other. Are there any use-cases for allowing this?
If I recall correctly Figma uses it to connect to the locally installed app, and Discord definitely uses it to check if its desktop app is installed by scanning ports (6463-6472).
I'm aware of two blockers for LAN intrusions from public internet domains, uBlock Origin has a filter list called "Block Outsider Intrusion into LAN" [0] under the "Privacy" filters, and there's a cool Firefox extension called Port Authority [1][2] that does pretty much the same thing yet more specifically targeted and without the exclusions allowed by the uBlock filterlist (stuff like Figma's use is allowed through, as you can see in [0]). I've contributed some to Port Authority, too :)
0: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...
1: https://addons.mozilla.org/firefox/addon/port-authority
2: https://github.com/ACK-J/Port_Authority
There are surely other ways to achieve this. If you are logged into an app and the site at tbe same time they can use the server to communicate. Discord doesn't need to know if the app is installed to work. That sounds sketchy.
1 reply →
The native messaging feature is a much better way to talk to native apps, that should be used instead for modern browsers.
I love how the engineers and product managers who implemented this are not held responsible in any meaningful way.
A commenter mentioned [1] that major Russian apps now all ask for permission to read a unique device ID to deanonymize users. The people that stopped Intel from adding such an ID to their CPUs had perfect foresight [2] (too bad later Intel added it anyway). But then it's not hard to guess that if you include a feature whose purpose is to attack the user, it will be used to attack the user.
[1] https://arstechnica.com/security/2025/06/meta-and-yandex-are...
[2] https://en.wikipedia.org/wiki/Pentium_III#Controversy_about_...
>A commenter mentioned [1] that major Russian apps now all ask for permission to read a unique device ID to deanonymize users.
To be fair it's not really limited to Russian apps. Many popular apps on play store have it as well:
https://play.google.com/store/apps/details?id=org.telegram.m...
https://play.google.com/store/apps/details?id=com.microsoft....
https://play.google.com/store/apps/details?id=com.pinterest&...
No doubt, whatever "vulnerability" is found, you have already to agreed to it in some buried TOS.
Not surprising, it's legal, but only if you are a multi-billion dollars company.
Love the url slug: headline-to-come. It now redirects to a more boring one though.
Probably hard to do for many but the solution seems be not to have their apps installed. It’s crazy to me that people tolerate FB et al on their devices where you have absolutely no control over what they’re doing.
I agree wrt Facebook, but there’s a long tail of useful apps-that-should-be-websites; 1 click for an app versus 45 seconds searching through tabs and re-logging in (etc) can be meaningful, especially when there are fifty of them.
My healthcare provider recently yanked the mobile version of their portal website, and forces users to download their app. Personally, I see the security angle, but still feel like it’s a punch in the face and so I just went back to paper billing and using a PC for healthcare stuff. More of this is coming, I suspect.
Yup. When I deleted the FB, X, and Reddit apps both my productivity and my phone's battery life skyrocketed.
I assume that's why those companies try to actively degrade the experience on the website.
Reddit has fairly intense device fingerprinting. And they sell data for AI training.
We changed the URL from https://arstechnica.com/security/2025/06/meta-and-yandex-are... which is a report about this disclosure.
I'm using RethinkDNS as a combined firewall and wireguard VPN. I added these two block rules:
127.0.0.0/8
::1/128
I'll update here with any issues.
If you work for meta, you're on the baddies team.
(Other bad guys are around too)
Is there a similar thing on iOS? I always wonder when a random app asks to “find devices on my network”
Possible, but potentially not as practical due to the iOS’ restrictive background process model. There, background tasks are generally expected to quickly do whatever it is they need to and exit and generally can’t run indefinitely. Periodic tasks are scheduled by the OS, with scheduling requests from apps being more likely to be honored if their processes are well-behaved (quick, low resource, don’t crash, and don’t run too frequently) with badly-behaved processes getting run less often.
Apps that keep themselves open by reporting that they’re playing audio might be able to work around this, but it’d still be spotty since users frequently play media which would suspended those backgrounded apps and eventually bump them out of memory.
This is answered on the page.
It’s probably easier to buy that data directly from Apple.
Google’s core business is built on tracking data, so they would be reluctant to sell, necessitating covert collection.
Can you link the page where you can buy that data?
> That said, similar data sharing between iOS browsers and native apps is technically possible.
Does that work across profiles? I have to use some apps from such spyware oriented companies and usually put them in isolated profile with shelter.
I wonder whether local ports opened in isolated "work" android profile are accessible by main profile.
A quite obvious attack mechanism, I'm surprised browsers permitted this in the first place. I can't think of a reason to STUN/TURN to localhost. Aside from localhost, trackers can also use all other IP addresses available to the browser to bind their apps/send traffic to.
Now that the mechanism is known (and widely implemented), one could write an app to notify users about attempted tracking. All you need to do is to open the listed UDP ports and send a notification when UDP traffic comes in.
For shit and giggles I was pondering if it was possible to modify Android to hand out a different, temporary IPv6 address to every app and segment off any other interface that might be exposed just because of shit like this (and use CLAT or some fallback mechanism for IPv4 connectivity). I thought this stuff was just a theoretical problem because it would be silly to be so blatant about tracking, but Facebook proves me wrong once again.
I hope EU regulators take note and start fining the websites that load these trackers without consent, but I suspect they won't have the capacity to do it.
> modify Android to hand out a different, temporary IPv6 address to every app
AFAIK this is on the Android roadmap and one of the key reasons they don't want to support DHCPv6. They want each app to have their own IP.
> hand out a different, temporary IPv6 address to every app and segment off any other interface that might be expose
Yes, but (AFAIK) not out of the box (unless one of the security focused ROMs already supports this). The kernel supports network namespaces and there's plenty of documentation available explaining how to make use of those. However I don't know if typical android ROMs ship with the necessary tooling.
Approximately, you'd just need to patch the logic where zygote changes the PID to also configure and switch to a network namespace.
I've looked into network namespaces a bit but from what I can tell you need to do a lot of manual routing and other weird stuff to actually make IPv6 addresses reachable through them.
In theory all you need to do is have zygote constrain the app further with a network namespaces, and run a CLAT daemon for legacy networks, but in practice I'm not sure if that approach works well with 200 apps that each need their IPs rotated regularly.
Plus, you'd need to reconfigure the sandbox when switching between WiFi/5G/ethernet. Not impossible to overcome, but not the weekend project I'd hoped it would be.
1 reply →
"UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed."
I'm surprised they're allowed to listen on UDP ports, IIRC this requires special permissions?
> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.
Borders on criminal behavior.
Apparently this was a European team of researchers, which would mean that Meta very likely breached the GDPR and ePrivacy Directive. Let's hope this gets very expensive for Meta.
Nothing quite like an instant panicked coverup to confirm guilt and intent.
Hopefully not too late to make it into the lawsuit. Assholes.
As someone who works for a similar large org, it's just as likely that some low level programmer put it in without much thought, and then this got surfaces to higher up people who didn't know about it and told them to remove it immediately.
4 replies →
Hopefully not too late to make it into the lawsuit. Assholes.
I sure hope there's a lawsuit. Over the last ten years, I've gotten over $2,000 in lawsuit settlement checks from Meta, alone.
I have a savings account at one of my banks that I use just for these settlement checks. Sometimes they're just $5. Sometimes they're a lot more. I think the most I ever got was around $500.
It's a little bit here, and a little bit there, but at the rate it's going, in another five years, I'll be able to buy a car with privacy violation money.
> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.
And people on HN dismiss those who choose to browse with Javascript disabled.
There's a reason that the Javascript toggle is listed under the Security tab on Safari.
Worse, people on HN celebrate when websites add anti-bot protection that prevent you from accessing the website without JS.
These companies have demonstrated repeatedly that fines are just the cost of doing business. Doesn't matter if you charge them $1 million or $1 billion. They have still made significantly more than that from the crime.
The sum absolutely does matter. All you’re saying is the fines are too low
That's.. quite the contradictory sentence.
That's why fines should scale up geometrically with repeat offenses.
Simple question: would disabling apps from running in the background prevent this? Or, more simply, not staying logged into an app on your phone?
Yes, preventing the app from running in the background (entirely) would prevent it from listening on a port and collaborating with websites via this exploit.
As for the second part: no, logging out of the apps would not necessarily be enough. The apps can still link all the different web sessions together for surveillance purposes, whether or not they are also linked to an account within the app. Meta famously maintains "shadow profiles" of data not (yet) associated with a user of the service. Plus, the apps can trivially remember who was last logged in.
This just reinforced the use of uMatrix. Governments should mandate browser vendors to implement any standards gorhill might come up with.
Unfortunately in modern web uMatrix is just incredibly annoying. Nearly every site breaks for various reasons and often allowing everything in uMatrix still doesn't fix the issue.
Card payments, especially with 3D secure that use iframes, are one of the biggest problems. This often leads to creating new order several times since allowing something + reloading loses the entire flow.
Captchas are also massive pain, probably because they can't fingerprint as well as normally?
Life after having disabled uMatrix completely has been better.
If only uMatrix was still developed/supported.
It still works very well. I'm using it on both Linux and Android. The UI is far better than its replacement inside uBO.
2 replies →
Sounds like loading from the domains serving the meta pixel should be blockable in the first place.
Sounds like blocking these tracking scripts using uBlockOrigin probably prevents this. Another reason to use uBlockOrigin.
Crap like this is why I haven't had the Facebook or Instagram apps installed for years. I still have accounts, but I only visit them via the browser.
It just wants to make me bin my phone tbh. Thank God for RMS and Linus that at least you can run GNU and Linux on a laptop as there is little left outside the panopticon.
I am not going to register with FB because they now require a 3D face scan to use it.
[flagged]
There are over 300M companies in the world. It seems only 2 companies did this. So look at the revenue models of the other 299,999,998 companies. Meta only started this less than a year ago, so look at their revenue model prior to that.
2 replies →
That’s their problem, not mine. I don’t need Facebook’s or Yandex’s continued existence to enjoy life.
It’s not our responsibility to do so. A company doesn’t have some inherent right to exist such that we must accept unethical behavior.
If unethical behavior is more lucrative than ethical, it will always be tempting. But that doesn't make it ethical.
I heard they arrested a serial bank-robber and he said this in court when they asked him why he did it.
Imagine a website not being a trojan horse, but directly serving non-targeted advertising to users at the same level as their content.
They could target it by tailoring it to content they're serving, just like I'd be ok with seeing an ad for a new car when I'm on a page reading about the properties of a given combustion engine.
1 reply →
Doing something like this should result in Meta and such being legally annihilated. But nothing will happen, as usual.
What's the crime?
Tracking users without their consent. This is a crime in the EU. It’s a crime that it’s not a crime in the US.
Unauthorized access to a computer system. I'm sure if I connected to some port on a computer belonging to Meta without them wanting it, that would be the crime I would be charged with. But somehow if Meta connects to a port on my phone without me agreeing to it, it's not a crime?
4 replies →
Spying on users, connecting their real life identities to their browsing history without their consent or knowledge?
stalking? Maybe even something in the ECPA
And with all that tracking and spying on me, plus a boatload of voluntarily submitted data, and Facebook still can't/won't show me any relevant advertising. I mean, even from the corpo point of view. Whenever I open my feed to read something, I see a boatload of complete garbage ads. Like, they are neither enticing to me nor they are promoting something corpos may want to shove in my fae so I would remember, like some Coca-Cola or whatever product. But no, they have nothing.
I've just opened my feed in FB and let's see what ads will be today:
Group Dull Men's Club - some garbage meme dump, neither interesting nor selling any product or service.
Women emigrant group - I'm a male and in different location.
Rundown - some NN generated slop about NN industry
Car crash meme group from a different location.
Math picture meme group
LOTR meme group
Photo group with a theme I'm not interested
Repeat of the above
Another meme group
Roland-Garros page - I've never watched tennis or wrote about it. My profile has follows of a different sport pages altogether. None of those rise in the ads.
Another fact/meme group
Repeat
Repeat
Another fact/meme group
Expat group from incorrect location
And so on it goes. Like, who pays for all this junk? Who coordinates targeting? Why do they waste both their and mine capacity for something that useless both for me and Facebook? I would understood if FB had ads of products/services, or something that loosely follows by likes. But what they have is a total 100% miss. It's mindboggling.
I guess the meme group ads are to draw you in, once you follow them they get to push you actual ads and it costs them less because Facebook doesn't charge them, thinking you want to see the group's posts. It must work to some extent.
It actually bothers me it took so long to be discovered.
I'm incredibly glad this isn't occurring in the UK + EU, because GDPR and the huge fines levied against Meta in the past have scared them sufficiently into not doing this kind of behaviour.
I wonder if companies like Wetter Online (from whom we know that they're selling the location data to brokers [0]) or ad service providers which offer libraries do the same.
If it were so, Google should be knowingly be allowing this to happen and be a co-conspirator. I mean, they surveil our devices as if it were their home. Impossible that they're not aware.
[0] https://netzpolitik-org.translate.goog/2025/databroker-files...
If you are even mildly technical you NEED to have a Pihole + Tailscale setup on your home network and all devices. Block all this malware at the root.
Or change your DNS to use nextDns
So Meta apps are spyware. And Zuck agains has got his finger in his mouth and a cat on his lap.
All Meta software is spyware. Whether it's an app or a website, they are only in existence for you to be pacified to spend as much time on them as possible so they can hoover up your data. If those apps/websites provide you with anything useful, it is just as a ruse to get more data from you.
Facebook is stealing people's data? No way.
I hope a judge gives them a warning.
To me it's weird that they're willing to misuse browser APIs so blatantly for interprocess communication, when, as I understand it, server-side correlation using a combination of IP, battery level and screen dimensions probably already gets them 95% of the surveillance capability.
the invisible hand says they have to chase that last 5%, too
Why is this weird to you instead of being "of course they are" to you?
Ah yes, and every small Android dev is banned from Play and Admob for tiny unknown reasons, with no recourse or way to communicate with Google. But Meta here probably won't get any problems at all. They should be temporarily banned!
On many threads here regarding EU fines, I see the sentiment "The EU only fines US tech to make a quick buck!".
It could be an idea to, you know, stop doing these things. Would be great to see another few $billion fine for this one.
The us could fine US tech too.
I bet that most Americans would be ok with that, more privacy, more money for the state and less to the greedy bastards.
EU doesn’t have to be the cop of US technology, in fact it’s a bit pathetic to have another country policy your industry.
(R)ussia only punishes (R)ussian tech when it does not align with the party.
This is yet another reason for installing very few apps
The issue isn't the amount of apps but that they are from big tech store and closed source which for 99% of apps means they will spy for profit.
You can install all of f-droid.org apps and not a single one will do that.
The reason to install very few mobile apps is directly proportional to the effort companies exert to get you to do so.
And they push REALLY hard.
Another similar tracking vector that lets any app detect all installed apps by using android.intent.action.MAIN Query: https://news.ycombinator.com/item?id=43518866 , 482 comments)
Incredible that this was locked.
dang likely got told not to upset the benefactors
1 reply →
Can you imagine the mental hoops you’d need to jump through as a developer to persuade yourself that this is a valid thing to implement?
Zero. People who work on ad-tech build ad-tech all day long, that's the entire job.
Seriously, why do you think all of the unquestionable things humanity has built have been built? It's because it's all just part of the job, for somebody.
People working at ad-tech question the things they're building just like the people at McDonalds flipping a burger are questioning the cholesterol levels of their customers. They're not.
Not many? You've never met a developer with a god complex?
My experience is that most developers just do as they are told.
Another reason why AI is so fascinatingly horrible: it’ll never question the moral impact of what you’re trying to do.
1 reply →
Get paid - it's one hoop.
I mean, it is kind of a cool work around. There's a lot of motivation in telling someone they can't do something where "hide and watch" is a pretty typical response. The creative thinking that comes up with ideas like this is not something to discourage. It is a shame that the effort is for such a shit purpose, but these "people" are not stupid, and not many other areas offer these kind of challenges.
[dead]
> Meta and Yandex are de-anonymizing Android users' web browsing identifiers
Thank god that Microsoft and Google don't do this. Oh, wait... /s
What happened to all the hackers fighting for personal freedom and privacy? Meta paycheck too tasty?
We’re still fighting the fight. Turns out shifty assholes also figured out how to write code and get hired.
Thank you for your service!
In the early days of the information revolution, when computers were new and being nerdy was still seen (almost universally) as a bad thing, a very high proportion of computer enthusiasts were people already on the fringes of society, for one reason or another. For a large number of them, hacking was a way to express their preexisting antiestablishment tendencies. For a lot of them, they were also your basic angsty adolescents and young adults rebelling against The Man as soon as they found any way to do so.
As time went on, computers became more mainstream, and lots more people started using them as part of daily life. This didn't mean that the number of antiestablishment computer users or hackers went down—just that they were no longer nearly so high a percentage of the total number of computer users.
So the answer to "what happened to all the hackers fighting for personal freedom and privacy?" is kinda threefold:
1) They never went away. They're still here, at places like the EFF, fighting for our personal freedom and privacy. They're just much less noticeable in a world where everyone uses computers...and where many more of the prominent institutions actually know how to secure their networks.
2) They grew up. Captain Crunch, the famous phreaker, is 82 this year. Steve Wozniak is 74. And while, sure, some people reach that age and still maintain not merely a philosophy, but a practice, of activism, it's much harder to keep up, and even many of those whose principles do not change will shift to methods that stay more within the system (eg, supporting privacy legislation, or even running for office themselves).
3) They went to jail, were "scared straight", or died. The most prominent example of this group is, of course, Aaron Swartz, but many hacktivists will have had run-ins with the law, and of those many of them will have turned their back on the lifestyle to save themselves (even Captain Crunch was arrested and cooperated with the FBI).
Thanks for your thoughts! How can we create more hackers? I think the fear of punishment has really put a damper on things but not sure how that can be avoided.
2 replies →
Who do you think found the issue?
Touché
[flagged]
Don’t worry Ray, there’s still hope!
at some point yah reach a cross road. either sellout and join big brother or join the wandering homeless hordes on the streets.
Eh. You can have a very comfortable career doing work that still lets you look at yourself in the mirror. You don’t have to choose to burn the world to pay the rent.
3 replies →