Meta and Yandex Caught Covertly Tracking Android Web Browsing Activity

Researchers have revealed a covert tracking method on Android used by Meta and Yandex to link private web browsing directly to user profiles. The disclosure has prompted a sharp rebuke from Google and a race by browser vendors to patch the major privacy vulnerability.

Meta and Russian tech giant Yandex have been caught using a covert method to track the web browsing of Android users, linking their activity directly to their personal app identities without consent. The technique, uncovered by an international research collaboration, successfully bypassed privacy measures like incognito mode and VPNs. Following inquiries from media outlets, both companies have reportedly ceased the practice.

The revelation drew a sharp rebuke from Google. A spokesperson stated the method allowed developers to use browser functions that “blatantly violate our security and privacy principles,” and confirmed the company was already implementing changes to mitigate the techniques. For users, the finding means that even their most private web browsing on sites featuring the trackers—including sensitive destinations like adult content websites—could have been de-anonymized and connected to their real-world Facebook or Instagram profiles for the purpose of targeted advertising.

The researchers published their findings on a dedicated website before formal peer review, a decision they said was made to ensure timely public disclosure due to the severity of the active abuse. One of the lead researchers, Dr. Gunes Acar, told Sky News it was “very shocking” because the companies are “bridging these two worlds that we think are separate; web browsing and mobile app activities.”

A Covert Bridge Between Web and App

The tracking system exploited a loophole in Android’s security model, allowing scripts on websites to communicate with native apps on the same device through an internal “localhost” connection. This created a bridge linking temporary web cookies to a user’s permanent app identity. According to researcher Narseo Vallina-Rodriguez, the technique is so effective that it “negates every privacy control that you have” in modern browsers and on the Android platform itself.

While Meta began using this technique in September 2024, researchers found Yandex had been employing a similar system since 2017. The Yandex method posed an even greater security risk by potentially exposing a user’s browsing history to other malicious apps. In a statement, Yandex claimed the feature did not collect sensitive information and was solely intended to improve personalization within its own apps.
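The localhost bridge described above can be looked for in a browser network capture. The following is an added example, not code from the researchers or from the article: a Python check that flags requests to loopback addresses made while a non-local page was loaded. It assumes a HAR export in which each page's `title` holds the page URL, and the sample capture, including its hosts and ports, is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def is_loopback(host):
    """True for localhost names and loopback IP literals (127.0.0.0/8, ::1)."""
    if not host:
        return False
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # an ordinary DNS name
    # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) like the IPv4 address it wraps.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback

def find_loopback_requests(har):
    """Return requests to loopback made while a non-loopback page was loaded."""
    pages = {p["id"]: p.get("title", "") for p in har["log"].get("pages", [])}
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        if not is_loopback(parts.hostname):
            continue
        page = pages.get(entry.get("pageref"), "")
        # A page served from loopback itself (local development) is expected
        # to call loopback, so only report pages loaded from elsewhere.
        if is_loopback(urlsplit(page).hostname):
            continue
        findings.append({"page": page, "target": url, "port": parts.port})
    return findings

def _entry(pageref, url):
    return {"pageref": pageref, "request": {"method": "GET", "url": url}}

# Constructed sample capture; hosts, paths and ports are made up.
SAMPLE_HAR = {"log": {
    "pages": [{"id": "p1", "title": "https://shop.example/"},
              {"id": "p2", "title": "http://localhost:3000/"}],
    "entries": [
        _entry("p1", "https://shop.example/app.js"),
        _entry("p1", "https://localhost.example.net/pixel.js"),
        _entry("p1", "http://127.0.0.1:12345/sync?c=abc"),
        _entry("p1", "ws://[::1]:23456/"),
        _entry("p1", "http://localhost:34567/"),
        _entry("p2", "http://localhost:3000/api/items"),
    ]}}
```

A HAR export records HTTP and WebSocket requests only, so an empty result does not rule out other channels to the device.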

An Industry Scrambles to Respond

The disclosure prompted a swift response from browser vendors. In addition to Google patching Chrome, Mozilla confirmed it was developing a fix for Firefox, calling the practice a severe violation of its anti-tracking policies. Other browser makers, including Vivaldi, are also reportedly working on mitigations.

The tracking had not gone entirely unnoticed. Web developers had been complaining in Facebook developer forums about the mysterious connections for months, with one developer writing that their support request “got a generic response and then ignored thereafter.” In a statement, Meta framed the issue as a potential misunderstanding of Google’s policies that it was working to resolve.

Part of a Broader Pattern

This incident is the latest in a series of privacy-related controversies for Meta. The company’s aggressive data collection strategies are central to its ongoing legal battles with European regulators over its “pay or consent” model, which has already drawn the threat of a massive fine. The European Commission has argued that forcing users to either pay a fee or agree to tracking does not constitute freely given consent.

This philosophy of expansive data gathering is also evident in the company’s newer products. Meta’s standalone AI assistant ignited immediate privacy concerns upon its launch for remembering user conversations by default to train its models. These events paint a picture of a company consistently at odds with regulators and privacy advocates, having previously faced formal accusations of illegal tracking in the EU.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
