
Comment by qwertox

5 days ago

"UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed."

I'm surprised they're allowed to listen on UDP ports, IIRC this requires special permissions?

> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.

Borders on criminal behavior.

Apparently this was a European team of researchers, which would mean that Meta very likely breached the GDPR and ePrivacy Directive. Let's hope this gets very expensive for Meta.

Nothing quite like an instant panicked coverup to confirm guilt and intent.

Hopefully not too late to make it into the lawsuit. Assholes.

  • As someone who works for a similar large org, it's just as likely that some low level programmer put it in without much thought, and then this got surfaced to higher up people who didn't know about it and told them to remove it immediately.

    • It seems incredibly unlikely a low level programmer could come up with this method then get the necessary code into both the tracking pixel served to third party sites and Meta's android apps without some higher ups knowing about it.


    • You claim some low-level programmer created a feature that opens a new network connection between two separate applications?

      Just some guy working at Facebook was able to ship network code in not just one but two code-bases without any senior or higher engineers in the loop?

      That's the claim? If that was true (it's not) it would be even worse than high level executives being involved.

  • > Hopefully not too late to make it into the lawsuit. Assholes.

    I sure hope there's a lawsuit. Over the last ten years, I've gotten over $2,000 in lawsuit settlement checks from Meta, alone.

    I have a savings account at one of my banks that I use just for these settlement checks. Sometimes they're just $5. Sometimes they're a lot more. I think the most I ever got was around $500.

    It's a little bit here, and a little bit there, but at the rate it's going, in another five years, I'll be able to buy a car with privacy violation money.

> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.

And people on HN dismiss those who choose to browse with JavaScript disabled.

There's a reason that the JavaScript toggle is listed under the Security tab on Safari.

  • Worse, people on HN celebrate when websites add anti-bot protection that prevents you from accessing the website without JS.
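The quoted mechanism (WebRTC steering UDP at loopback ports 12580–12585) leaves a trace a browser-side guard can look for: an SDP ICE candidate whose address is loopback and whose port falls in that range. The following is an added example, not code from the thread or from the Pixel script; `installLoopbackGuard` is a hypothetical wrapper that assumes it runs before page scripts, and the sample SDP is constructed.

```javascript
// Added example, not code from the thread: a defender-side check for SDP ICE candidates
// that would carry WebRTC UDP traffic to loopback on the port range the quoted report names.
const LOOPBACK_ADDRESSES = new Set(["127.0.0.1", "::1", "localhost"]);
const WATCHED_PORT_MIN = 12580;
const WATCHED_PORT_MAX = 12585;

// Parse one "a=candidate:" line (RFC 8839 layout: foundation component
// transport priority address port "typ" type ...). Returns null if malformed.
function parseCandidate(line) {
  const body = line.trim().replace(/^a=/, "").replace(/^candidate:/, "");
  const f = body.split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null;
  return { transport: f[2].toUpperCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

// True when the candidate would send UDP to a loopback address on a watched port.
function isLoopbackCandidate(c) {
  return c !== null && c.transport === "UDP" && LOOPBACK_ADDRESSES.has(c.address)
    && c.port >= WATCHED_PORT_MIN && c.port <= WATCHED_PORT_MAX;
}

// Return every offending candidate line found in an SDP blob.
function findLoopbackCandidates(sdp) {
  return sdp.split(/\r?\n/).filter((l) => isLoopbackCandidate(parseCandidate(l)));
}

// Hypothetical browser guard: wrap setRemoteDescription so a remote SDP that
// carries such a candidate is logged and rejected before ICE can use it.
// Assumes it runs before page scripts (e.g. from an extension content script).
function installLoopbackGuard(globalObj = globalThis) {
  const RPC = globalObj.RTCPeerConnection;
  if (!RPC) return false; // nothing to guard outside a browser
  const original = RPC.prototype.setRemoteDescription;
  RPC.prototype.setRemoteDescription = function (desc, ...rest) {
    const hits = desc && desc.sdp ? findLoopbackCandidates(desc.sdp) : [];
    if (hits.length) {
      console.warn("blocked remote SDP with loopback candidates:", hits);
      return Promise.reject(new Error("loopback WebRTC candidate blocked"));
    }
    return original.call(this, desc, ...rest);
  };
  return true;
}

// Constructed sample SDP for a stand-alone run; not a captured session.
const SAMPLE_SDP = [
  "a=candidate:1 1 udp 2122260223 192.168.1.5 51234 typ host",
  "a=candidate:2 1 udp 2122260223 127.0.0.1 12582 typ host",
  "a=candidate:3 1 tcp 1518280447 127.0.0.1 12582 typ host tcptype passive",
].join("\r\n");
```

Only the UDP candidate on a watched port is flagged; the LAN candidate and the TCP candidate on the same port pass through, so ordinary WebRTC calls are not disturbed.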

These companies have demonstrated repeatedly that fines are just the cost of doing business. Doesn't matter if you charge them $1 million or $1 billion. They have still made significantly more than that from the crime.