Meta and Yandex quietly fused Android users’ “anonymous” web histories with their logged-in app identities, researchers say—shredding the sandbox walls that are meant to keep mobile apps and browsers in separate lanes.
A joint team from Radboud University, IMDEA Networks, and KU Leuven discovered that the Meta Pixel and Yandex Metrica analytics scripts—embedded in about 5.8 million and 3 million sites, respectively—silently pass cookies from Chrome, Firefox and other Android browsers to Facebook, Instagram and Yandex apps that are listening on hard-coded localhost ports.
Since September 2024 for Meta and as far back as 2017 for Yandex, the trackers have used a rotating toolkit—HTTP requests, WebSockets and a WebRTC trick called SDP munging—to smuggle the cookies to ports on the same device. The native apps immediately pair those web IDs with the user’s persistent account token and relay the match to backend servers, even in Incognito mode or behind a VPN.
With Meta Pixel sitting on roughly one-fifth of the web’s top sites and Android commanding 70% of global handset share, the pool of exposed users runs into the billions. Researchers found the Pixel active on 16,000 EU-based sites alone; Yandex performed similar linking on at least 1,300 properties.
Google called the scheme “a blatant violation of our security and privacy principles” and says Chrome 137 now blocks the specific WebRTC abuse, with broader Android fixes under review.
Meta said it has “paused the feature” pending talks with Google about a “miscommunication” over Play Store policies, while Yandex asserted the data “does not collect any sensitive information” and that it is discontinuing the practice.
This report is wild: Meta and Russian tech co. Yandex have been using the Pixel to associate Android users' web browsing activity with their real identities, even if they use VPNs or private browsing modes.
— Rob Freund (@RobertFreundLaw) June 4, 2025
Meta's response: "A miscommunication regarding [Google's] policies." https://t.co/2dQBtPqvz6
Brave and DuckDuckGo already blacklist the relevant localhost calls; Chrome’s patch blocks the current SDP variant; Firefox is still “actively investigating.”
Information for this briefing was found via Ars Technica and the sources mentioned. The author has no securities or affiliations related to this organization. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.