Researchers have discovered that Meta and Yandex trackers are abusing legitimate internet protocols to deanonymize millions of Android users. They claim that these trackers bypass browser sandboxing, potentially violating Android’s security model and in turn Google’s terms and conditions.
Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.
The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.
The trackers in question are Meta Pixel and Yandex Metrica. Metrica has been bypassing browser sandboxing since 2017, while Pixel began doing so last September.
Meta Pixel and Yandex Metrica are analytics scripts designed to help advertisers measure the effectiveness of their campaigns. Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.
Meta and Yandex achieve the bypass by abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications. The functionality lets browsers send web requests to local Android ports to establish various services, including media connections through the RTC protocol, file sharing, and developer debugging.
While the technical underpinnings differ, both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. Browsers access these ports without user notification. Facebook, Instagram, and Yandex native apps silently listen on those ports, copy identifiers in real time, and link them to the user logged into the app.
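One way to check a site for this behavior is to export a HAR capture from the browser's developer tools and flag every request a public page sends to a loopback address. The sketch below is an added example, not code from the researchers or from either tracker; the sample capture, hosts and ports are constructed, and it assumes each HAR page's `title` holds the page URL, as Chrome DevTools exports do. It only sees HTTP(S) and WebSocket requests recorded in the capture.

```javascript
"use strict";

// Loopback test on a hostname as serialized by the WHATWG URL parser, which
// has already canonicalized forms such as 127.1 or 2130706433 to dotted quad.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "[::1]") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Hostname of a URL string, or "" when the string is not a valid URL.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

// One finding per HAR entry that targets loopback from a non-loopback page.
function findLoopbackRequests(har) {
  // Assumption: page.title holds the page URL, as in Chrome DevTools exports.
  const pages = new Map((har.log.pages || []).map((p) => [p.id, p.title]));
  const findings = [];
  for (const entry of har.log.entries || []) {
    const host = hostOf(entry.request.url);
    if (!host || !isLoopbackHost(host)) continue;
    const page = pages.get(entry.pageref) || "";
    if (isLoopbackHost(hostOf(page))) continue; // local development page
    const u = new URL(entry.request.url);
    findings.push({ page, host, port: u.port, scheme: u.protocol.slice(0, -1) });
  }
  return findings;
}

// Constructed sample capture; hosts, ports and paths are invented.
const SAMPLE_HAR = { log: {
  pages: [
    { id: "p1", title: "https://shop.example/" },
    { id: "p2", title: "http://localhost:3000/" },
  ],
  entries: [
    { pageref: "p1", request: { url: "https://shop.example/app.js" } },
    { pageref: "p1", request: { url: "https://analytics.example/t.js" } },
    { pageref: "p1", request: { url: "http://127.0.0.1:40001/?id=abc" } },
    { pageref: "p1", request: { url: "http://2130706433:40002/ping" } },
    { pageref: "p1", request: { url: "wss://localhost:40003/" } },
    { pageref: "p2", request: { url: "http://localhost:3000/api" } },
  ],
} };

console.log(findLoopbackRequests(SAMPLE_HAR));
```

The decimal host `2130706433` is reported as `127.0.0.1` because the URL parser normalizes it before the check, so a plain string match on "127.0.0.1" in the raw capture would miss it.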
Google has come out to denounce this behavior, claiming that such a bypass violates the Play Store’s terms and conditions. Besides upstreaming fixes to Chrome, it is unclear what future actions the company will take in response to Meta and Yandex’s alleged abuses.
A representative for Google said the behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users.
“The developers in this report are using capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles,” the representative said, referring to the people who write the Meta Pixel and Yandex Metrica JavaScript. “We’ve already implemented changes to mitigate these invasive techniques and have opened our own investigation and are directly in touch with the parties.”
I haven’t discussed the full technical write-up in this post. If you’re interested, I highly recommend giving it a read here. The research team has done an excellent job documenting this issue.