Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

Matth

I just came across that article. Is GrapheneOS blocking that or would we also be affected by that?

https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/

matchboxbananasynergy

See https://grapheneos.social/@GrapheneOS/114620254209885149

ethereal

matchboxbananasynergy Thanks for bringing some trustworthy info on this type of attacks. ;)

I've a little question though. The settings you mention only apply for WebRTC, don't they? On the Ars Technica article they also refer to a HTTP/HTTPS method used by Yandex. Would Vanadium also prevent attacks using that one?

GrapheneOS

ethereal Chromium shipped a fix for the Yandex issue and we can enable it via Vanadium Config today. We wanted to focus on the part which Chromium hasn't already fixed aside from not enabling the feature flag for 100% of users yet, which we can do now. Chromium 137 only recently came out.

naibed

https://news.ycombinator.com/item?id=44169314

One of the responses:

The takeaway is that for all intents and purposes, anything you did in a private session or secondary profile on an Android device with any Meta app installed, was fully connected to your identity in that app for an unknown amount of time. And even with the tracking code deactivated, cookies may still persist on those secondary profiles that still allow for linking future activity.

Is this correct/true for GrapeheneOS as well?

GrapheneOS

naibed See https://grapheneos.social/@GrapheneOS/114620254209885149 which was linked above. GrapheneOS has protected against this WebRTC privacy issue in Vanadium for years. The other issue abused by Yandex is being dealt with by Chromium upstream and we'll be enabling the protection early.

privacyisahumanright

GrapheneOS That's really great, GrapheneOS for the win!

Does anyone have a clue if Brave browser also does this?

ethereal

GrapheneOS Thanks for your prompt management of this issue.

Keep up the good work!

ignoramous

GrapheneOS GrapheneOS has protected against this WebRTC privacy issue in Vanadium for years

Curious: Would turning ON (on Android 11+) VPN Lockdown mode ("Block connections without VPN") prevent the technique used by Meta (which is prevented if Chrome couldn't bind to all interfaces)?

Does the loopback (127/8) traffic go through the TUN device when VPN is in Lockdown mode?

ryrona Web sites are not supposed to be able to communicate with installed apps on your device in any way at all.

This has never been true (see: deeplinks, as one example)?

ryrona

So, since the loopback interface is shared between all user profiles, I assume this vulnerable is also able to deanonymize you across user profiles. This means we now know of two real cases where the shared loopback interface have been exploited to deanonymize activity across user profiles, rendering the common use case of using separate user profiles for domain isolation useless.

Relevant ticket:
https://github.com/GrapheneOS/os-issue-tracker/issues/4772

GrapheneOS users have been deanonymized by this if either of the following two cases holds:

You have had the Yandex app installed in any user profile at all. In this case your web browsing activity in all user profiles have been tied to your Yandex identity, even if you used Vanadium as your web browser. Only activity from Tor Browser and few other browsers that blocks localhost connections by default will not have been tracked.
You have had the Facebook or Instagram apps installed in any user profile at all, and have had some non-privacy-focused web browser, such as Chrome, installed in any other user profile. In this case your web browsing activity in those non-privacy-focused web browsers will have been tied to your Facebook or Instagram account, even if the web browsing was in another user profile.

Of course, Meta apps installed in separate user profiles can also talk to each other over the loopback interface in just the same way, this time without being hindered by any hardening done in any web browser.

From https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/:

So far, Google has provided no indication that it plans to redesign the way Android handles local port access.

That is unfortunate, since this issue is likely best fixed in AOSP.

argante

ryrona There is a simple solution to all this. If I don't trust an application, I install it in a separate profile and don't allow applications installed there to work in the background. I limit the use of such applications (Google Camera). If someone cares about privacy, then you have to start by not installing applications such as Instagram. The final solution in GOS would be the ability to block localhost connections.

jackFang

ryrona I wrongly assumed that was the default already for loopback. I see network component as being the most critical since that's how data usually comes in and out.

ethereal

ryrona Thanks for your insightful comment!

I guess after this incident, Google will (at last) close this loopback hole, that makes IPC possible even between different user profiles.

This loopback hole is just the tip of the iceberg though. There are many other possible attacks that could de-anonymize a user. For example, let's say you have a main profile on your device, where you usually browse the web, and a secondary profile, where you've installed a problematic app on privacy (i.e., the Yandex or Meta apps aforementioned). If you don't use VPNs, the browser and the app will be sharing the IP address for their Internet connection. This IP could be used exclusively by you, so it would be trivial for an adversary to link your browsing activity with the account that you've set up on the app.

Panda-na

So Vanadium blocks JavaScript JIT by default, but does Vanadium block the JavaScript component of the Meta Pixel in any way? If so, Vanadium users would have been protected for a long time already.

https://localmess.github.io/

" These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets."

ryrona

Panda-na but does Vanadium block the JavaScript component of the Meta Pixel in any way? If so, Vanadium users would have been protected for a long time already.

Yes, Vanadium allegedly do not use local IP addresses for WebRTC, and in the case of Meta, they tried to do this tracking using WebRTC. However, Vanadium has supposedly been vulnerable to the tracking done by Yandex all this time. I guess most GrapheneOS users aren't using the Yandex app though.

ScarletKing07

Panda-na I think easylist which Vanadium uses for adblocking blocks known tracking pixels, don't know if this specific tracker is included in the list or for how long though.

ethereal

privacyisahumanright Brave is not affected by this attack, at least since 2022. That's what the researchers are reporting:
https://localmess.github.io/

jackFang

Glad to say all meta related stuff is blocked on my end but people I know are affected too. It's a shame I can't convince them to leave stuff like instagram/fb/whatsapp

natoal

ethereal

Is that an attack? That's basic tracking

ryrona

ethereal I guess after this incident, Google will (at last) close this loopback hole, that makes IPC possible even between different user profiles.

What we might hope for is that they make each app have their own loopback interface, or that they enforce similar barriers using firewall rules. Android already offers a mean for IPC communication, no one is supposed to use loopback for this.

But I got the feeling they were more favorable to the idea of just forcing Yandex and Meta to stop doing this in their apps, or be banned from Google Play. So we shouldn't hope too much.

ethereal If you don't use VPNs, the browser and the app will be sharing the IP address for their Internet connection. This IP could be used exclusively by you, so it would be trivial for an adversary to link your browsing activity with the account that you've set up on the app.

This is a well-known issue though, with a well-known solution, just use a separate VPN per user profile, that do not share exit IP address.

natoal Is that an attack? That's basic tracking

Web sites are not supposed to be able to communicate with installed apps on your device in any way at all. So it is a vulnerability, it is breaking the expected protections the web browser should offer.

ethereal

natoal For the simple case I put as an example, I guess maybe the more appropriate term could be effectively "tracking". If the method used by the adversary is more complex, then maybe we could refer to it as an "attack" (on privacy).

I just wanted to transmit the idea that although this Meta/Yandex now has been fixed by patching the browsers, one should remain vigilant.