Security researchers have uncovered a method used by Meta (Facebook, Instagram) and Yandex to secretly track Android users’ browsing activity, even when using Incognito mode or VPNs 🤣
By exploiting a loophole in Android’s localhost communication system, both companies could link browsing behavior to user identities, bypassing cookies, permissions, and even private browsing protections.
This affected all major Android browsers like Chrome, Firefox, and Edge, except for privacy-first browsers like Brave.
How it worked:
– Meta used WebRTC to transmit identity-linked data via open local ports.
– Yandex apps have been using similar methods since 2017.
Meta stopped this practice on June 3, 2025, following the public disclosure.
