Meta and Yandex abuse protocol functionality to secretly track users — even in private browsing mode
Over the past several years, we’ve heard a lot about sandboxing and tracking protections that major browsers like Chrome have implemented. The promise was simple: once these protections are in place, users wouldn’t need to worry about being spied on by Big Tech, or having their web history tied directly to their identity. Instead, targeted advertising would be powered by anonymized data, which would still be effective enough for advertisers’ needs — at least in theory.
That idea always sounded far-fetched to us. We’ve long argued that de-anonymization of this supposedly “anonymous” data was still very much possible. But what if you didn’t even need to go to such lengths? What if, despite all the in-built protections, platforms could still access unique user identifiers and reliably tie them to the user’s browsing history?
That’s exactly what Meta and Yandex discovered they could do.
According to new research, Meta (via Meta Pixel) and Yandex (via Yandex Metrica) have been exploiting a loophole in the Android OS and mobile browser behavior to de-anonymize users by linking their web browsing data to their real identities within native apps, such as Facebook and Instagram.
How do they bypass tracking protections?
If you want a comprehensive technical breakdown of how exactly this tracking works, we recommend checking the original research. But in short, Meta and Yandex have found an unorthodox way to pass tracking data from your mobile browser directly into their native apps. The bypass, used by Yandex since 2017 and adopted by Meta in a slightly different form in late 2024, takes advantage of how Android allows apps to open communication channels with themselves.
Here’s how it works: when a user installs and runs one of these apps, even in the background, the app opens a private communication channel on the device, known as a localhost or loopback port. When used according to its intended purpose, this port allows developers to preview and test their applications locally before deploying them to a live server.
However, Meta and Yandex abused this functionality to pass tracking data, like web cookies or other unique identifiers, from mobile web browsers (such as Firefox and Chromium-based ones) to their Android apps like Facebook, Instagram, and various Yandex services.
When a user visits a website that has embedded Meta Pixel or Yandex Metrica scripts (trackers that can be found on millions of websites), those scripts use standard browser features like HTTP requests, WebSockets, or WebRTC to send data, including tracking cookies, directly to those open local ports. The installed app on the device then receives this information and can link it to the logged-in user account within the app. Once that connection is made, the apps send this combined data (browser behavior + user identity) back to Meta or Yandex servers.
As a result, Meta and Yandex manage to bypass browser sandboxing, Incognito mode, and Android’s permission controls. This gives them a sneaky way to de-anonymize users and monitor what you’re doing online, even when you believe you’re protected by ‘Incognito mode.’
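The traffic pattern described above can be looked for in a log of browser requests. The following is an added example, not code from the original research or from AdGuard: it flags HTTP(S) and WebSocket requests that a non-local page sends to a loopback address and does not cover WebRTC. The log format, hostnames and port numbers are constructed assumptions.

```javascript
// Added example: flag page-initiated requests that target the device's own
// loopback interface. All URLs and port numbers are constructed for illustration.

// True when the hostname refers to the local device rather than a remote server.
function isLoopbackHost(hostname) {
  // URL.hostname keeps brackets around IPv6 literals and any trailing dot.
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '::1' || h === '0.0.0.0') return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return m !== null && Number(m[1]) === 127; // all of 127.0.0.0/8 is loopback
}

// Returns the requests that a public web page sent to a local port.
function findLoopbackRequests(requests) {
  const schemes = new Set(['http:', 'https:', 'ws:', 'wss:']);
  const findings = [];
  for (const { pageUrl, requestUrl } of requests) {
    let page, target;
    try {
      page = new URL(pageUrl);
      target = new URL(requestUrl);
    } catch {
      continue; // skip malformed log entries
    }
    if (!schemes.has(target.protocol)) continue;
    // A page served from localhost talking to localhost is ordinary development.
    if (isLoopbackHost(page.hostname)) continue;
    if (isLoopbackHost(target.hostname)) {
      findings.push({ page: page.origin, target: target.host, scheme: target.protocol });
    }
  }
  return findings;
}

// Constructed sample log: one normal request, two loopback requests, one dev page.
const sampleLog = [
  { pageUrl: 'https://shop.example/cart', requestUrl: 'https://cdn.example/lib.js' },
  { pageUrl: 'https://shop.example/cart', requestUrl: 'http://127.0.0.1:12345/t?c=abc' },
  { pageUrl: 'https://news.example/', requestUrl: 'wss://localhost:23456/' },
  { pageUrl: 'http://localhost:3000/', requestUrl: 'http://localhost:3000/api' },
];

console.log(findLoopbackRequests(sampleLog));
```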
Are they still doing it?
According to the researchers, Meta has stopped the practice. As of June 3, 2025, its Meta Pixel (formerly Facebook Pixel) tracking script was no longer sending any packets or requests to localhost. In a statement to Ars Technica, Meta said, “Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue.”
Yandex, for its part, also said it was discontinuing the practice, while adding that the feature in question wasn’t intended to collect any sensitive information and was “solely intended to improve personalization within our apps.”
Google responded by saying the practices “blatantly” violated its security and privacy principles, and were not in line with its terms of service. The company also said it was launching an investigation into the reported misuse of browser capabilities.
How to protect yourself from this?
It’s clear that in-built Android protections and those baked into major browsers like Chrome and Firefox have failed their users this time. However, users of less popular, more security- and privacy-oriented niche browsers such as DuckDuckGo and Brave had much better luck. This is because these browsers come with in-built tracking protections that block tracking requests from the get-go or prevent sharing of identifiers.
AdGuard works according to the same principle: if you have the Tracking Protection filter enabled, we block Meta Pixel, Yandex Metrica, and other tracking scripts right at the source — including the ones trying to exploit this localhost trick. So in this particular case, if you have this filter enabled, you have nothing to worry about.
That said, this method shows just how far companies are willing to go to bypass browser and OS-level protections — and that’s the real problem. If this kind of technique becomes more widespread, it could turn into a serious threat to user privacy across the board. So while you’re safe for now, we’re already thinking about a more general, long-term solution to shut this class of abuse down entirely.