this post was submitted on 03 Jun 2025
16 points (100.0% liked)

Technology

4402 readers
216 users here now

Which posts fit here?

Anything that is at least tangentially connected to the technology, social media platforms, informational technologies and tech policy.

Post guidelines

[Opinion] prefixOpinion (op-ed) articles must use [Opinion] prefix before the title.

Rules

1. English onlyTitle and associated content has to be in English.
2. Use original linkPost URL should be the original link to the article (even if paywalled) and archived copies left in the body. It allows avoiding duplicate posts when cross-posting.
3. Respectful communicationAll communication has to be respectful of differing opinions, viewpoints, and experiences.
4. InclusivityEveryone is welcome here regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
5. Ad hominem attacksAny kind of personal attacks are expressly forbidden. If you can't argue your position without attacking a person's character, you already lost the argument.
6. Off-topic tangentsStay on topic. Keep it relevant.
7. Instance rules may applyIf something is not covered by community rules, but are against lemmy.zip instance rules, they will be enforced.

Companion communities

!globalnews@lemmy.zip
!interestingshare@lemmy.zip

Icon attribution | Banner attribution

If someone is interested in moderating this community, message @brikox@lemmy.zip.

founded 2 years ago
MODERATORS
BrikoX@lemmy.zip
16
Meta and Yandex are de-anonymizing Android users’ web browsing identifiers (arstechnica.com)
submitted 4 months ago by BrikoX@lemmy.zip to c/technology@lemmy.zip
3 comments fedilink hide all child comments
 

Abuse allows Meta and Yandex to attach persistent identifiers to detailed browsing histories.

top 3 comments
sorted by: hot top controversial new old
[–] cmnybo@discuss.tchncs.de 5 points 4 months ago (1 children)

It looks like Meta or Yandex apps must be installed for the exploit to work. Luckily I don't have any of those installed on my Android devices.

[–] jet@hackertalks.com 3 points 4 months ago

The point is any app could do this.

[–] jet@hackertalks.com 4 points 4 months ago* (last edited 4 months ago)

I'm glad this is being reported. If the phone has a tattle tale it will be abused

The bypass—which Yandex began in 2017 and Meta started last September—allows the companies to pass cookies or other identifiers from Firefox and Chromium-based browsers to native Android apps for Facebook, Instagram, and various Yandex apps. The companies can then tie that vast browsing history to the account holder logged into the app.

Android imposes fewer controls on local host communications and background executions of mobile apps, the researchers said, while also implementing stricter controls in app store vetting processes to limit such abuses. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ browsing habits on sites containing these trackers.

This is exactly what discord does. If you ever wondered how the f*** a discord link pops open discord without you giving permission, it's this.

The solution is to not allow localhost connections from the web browser, or use a socksv5 proxy