tomhow · 8 months ago
Also: Meta pauses mobile port tracking tech on Android after researchers cry foul - https://news.ycombinator.com/item?id=44175940 - June 2025 (26 comments)
merek · 8 months ago
This is the overall process used by Meta as I understand it, taken from https://localmess.github.io/:

1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.

2. User visits website on the phone's browser, say something-embarrassing.com, which happens to have a Meta Pixel embedded. From the article, Meta Pixel is embedded on over 5.8 million websites. Even in Incognito mode, they will still get tracked.

3. Website might ask for user's consent depending on location. The article doesn't elaborate, presumably this is the cookie banner that many people automatically accept to get on with their browsing?

4. > The Meta Pixel script sends the _fbp cookie (containing browsing info) to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.

You won't see this in your browser's dev tools.

5. Through the logged-in app, Meta can now associate the "anonymous" browser activity with the logged-in user. The app relays _fbp info and user id info to Meta's servers.

Also noteworthy:

> This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity.

> On or around May 17th, Meta Pixel added a new method to their script that sends the _fbp cookie using WebRTC TURN instead of STUN. The new TURN method avoids SDP Munging, which Chrome developers publicly announced to disable following our disclosure. As of June 2, 2025, we have not observed the Facebook or Instagram applications actively listening on these new ports.
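The five steps above, as a runnable simulation added here (this is not Meta's code and not from the report). A background "app" process listens on the loopback interface, a stand-in for the Pixel script POSTs the browser's _fbp cookie to it over plain HTTP, and the app, which knows which account is logged in, records the link. HTTP on 127.0.0.1 is used in place of the WebRTC/STUN channel because the effect is the same and it runs anywhere; port 12388 is the HTTP port the report mentions, while the account id and the _fbp values are made up. Clearing cookies or opening Incognito only changes the _fbp value, and the listener ties the new value to the same account anyway.

```python
"""Simulation of the web-to-app ID bridge described above (constructed example)."""
import http.client
import http.server
import socket
import threading
import urllib.parse

LOOPBACK = "127.0.0.1"
REPORTED_HTTP_PORT = 12388  # HTTP port the report says the apps listen on


class _LinkHandler(http.server.BaseHTTPRequestHandler):
    """Handles one POST from the page script: reads _fbp, ties it to the app's user."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode("utf-8"))
        fbp = form.get("_fbp", [""])[0]
        if fbp:
            # The browser treats this id as anonymous; the app knows the account.
            self.server.linked[fbp] = self.server.user_id
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class AppListener(http.server.ThreadingHTTPServer):
    """Stand-in for the logged-in native app listening on localhost."""

    def __init__(self, user_id, port=REPORTED_HTTP_PORT):
        super().__init__((LOOPBACK, port), _LinkHandler)
        self.user_id = user_id
        self.linked = {}  # _fbp value -> account id
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self.server_address[1]  # actual bound port (useful when port=0)

    def stop(self):
        self.shutdown()
        self.server_close()


def pixel_send(port, fbp, timeout=2.0):
    """What the page script does: one plain HTTP POST to 127.0.0.1:<port>.

    Nothing here depends on browser storage or on a cookie being sent, so
    Incognito mode and cookie clearing do not interrupt the channel.
    """
    conn = http.client.HTTPConnection(LOOPBACK, port, timeout=timeout)
    try:
        body = urllib.parse.urlencode({"_fbp": fbp})
        conn.request("POST", "/", body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        return conn.getresponse().status
    finally:
        conn.close()


def loopback_port_open(port, timeout=0.5):
    """Practitioner check: is anything on this device accepting connections here?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((LOOPBACK, port)) == 0


def simulate(user_id="acct-1234", port=0):
    """Run the whole flow and return the app's linkage table.

    port=0 lets the OS pick a free port so the demo never collides with a real
    listener; pass REPORTED_HTTP_PORT to bind where the report says the apps do.
    """
    app = AppListener(user_id, port)
    bound = app.start()
    try:
        # Visit 1: normal window, first-party _fbp set by the Pixel script (made-up value).
        pixel_send(bound, "fb.1.1700000000000.111111")
        # Visit 2: cookies cleared (or Incognito), so a fresh _fbp; same account anyway.
        pixel_send(bound, "fb.1.1700000500000.222222")
    finally:
        app.stop()
    return app.linked


if __name__ == "__main__":
    for fbp, acct in simulate().items():
        print(f"{fbp} -> {acct}")
    print("something listening on", REPORTED_HTTP_PORT, ":",
          loopback_port_open(REPORTED_HTTP_PORT))
```

Running the script on a phone is not needed to see the point: `loopback_port_open(12388)` from any process on the device answers whether something is currently accepting connections on the reported HTTP port, which is the check a practitioner would run before assuming the channel is closed.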

consumer451 · 8 months ago
> something-embarrassing.com,

Depending on the country that you or your family lives in, this could be far worse than embarrassment.


codedokode · 8 months ago
So the main application for WebRTC is de-anonymisation of users (for example getting their local IP address). Why it is not hidden behind a permission, I don't understand.
afavour · 8 months ago
The main application for WebRTC is peer to peer data transfer.

I think you can make the argument that it should be behind a permission prompt these days but it's difficult. What would the permission prompt actually say, in easy to understand layman's terms? "This web site would like to transfer data from your computer to another computer in a way that could potentially identify you"? How many users are going to be able to make an informed choice after reading that?

miloignis · 8 months ago
The existing killer app for WebRTC is video chat without installing an app, which is huge.

Other P2P uses are very cool and interesting as well - abusing it for fingerprinting is just that, abusing a user-positive feature and twisting it for identification, just like a million other browser features.

dominicrose · 8 months ago
Because the decision makers don't care about privacy, they only want you to think that you have privacy, thus enabling even more spying. One solution is to not use the apps and websites from companies that are known to abuse WebRTC or something else.
NoahZuniga · 8 months ago
This is not unique to WebRTC. The same result could be achieved by sending an HTTP request to localhost. The only difference in this case is that using WebRTC doesn't log an HTTP request.
nuker · 8 months ago
> 1. User logged into FB or IG app. The app runs in background, and listens for incoming traffic on specific ports.

I happened to be immune, I disabled Background App Refresh in iOS settings. All app notifications still work, except WhatsApp :(

https://forums.macrumors.com/threads/any-reason-to-use-backg...

tonyhart7 · 8 months ago
> except whatsapp

> company checks out

SideburnsOfDoom · 8 months ago
> User logged into FB or IG app. The app runs in background

So a takeaway is to avoid having Facebook or Instagram apps on your phone. I'm happy to continue to not have them.

Any others? e.g. WhatsApp. Sadly, I find this one a necessary communication tool for family and business in certain countries.

fluidcruft · 8 months ago
Not totally following but it sounds like you are saying one of the things they have been doing involves abusing mandated GDPR cookie notices to secretly track people?
threecheese · 8 months ago
Yes? The cookie in question is First Party, which means you’ve consented to permitting only that party to track you using it, and not permitting its use for wider behavioral tracking across websites.

However, the locally hosted FB/Yandex listener receives all of these first-party cookies, from all parties, and the OP's implication is (I think) that now these non-correlatable-by-consent first-party cookies can be or are being used to track you across all sites that use them.

microtonal · 8 months ago
IANAL, but it's not GDPR-conformant consent in any way. Consent needs to be informed, unambiguous, and freely given to be valid and should be easy to reject. The only way for this to be valid would be a consent form with something like:

Allow Meta tracking to connect the Facebook or Instagram app on your device to associate visits to this website with your Meta account. Yes/No (With No selected as a default.)

I am pretty sure that this is a grave violation of the GDPR.

scott_w · 8 months ago
Which, on the face of it, sounds like a violation of the GDPR...
gruez · 8 months ago
>abusing mandated GDPR cookie notices to secretly track people?

How does that even work? What can GDPR cookie notices do that the typical tracker can't do?

3abiton · 8 months ago
A reminder that it's possible to use tools like XPL-EX to circumvent those attempts. Also ad blocking via adaway would do the trick here I assume, as it should block Meta Pixel tracking. Overall, awful approach.
voidUpdate · 8 months ago
I wish we could just ban advertising and tracking on the internet. I feel like so much crap these days has come out of it, all so that CEOs can afford an extra yacht
nedt · 8 months ago
It's already enough to just have plain ads. Like we have them on the streets, at the bus station, in newspapers, etc. No tracking needed at all, just give out the message. If you need to target people, do it in the context of the place or content you are showing it with. But you don't need to know anything about the user seeing the ad. Targeting by user doesn't work anyway.
gbalduzzi · 8 months ago
> Targeting by user doesn't work anyway.

How did you reach this conclusion? The main problem is that it works way better than traditional marketing medium.

It's the reason Google and Facebook are so massive, why would publishers choose to pay them if it doesn't work?

porridgeraisin · 8 months ago
Depending on the data you collect, targeting by user - unfortunately - works. If the granularity is not one user, it will be a hundred. If not, a thousand, and so on. I've seen apps run ads targeting a total of 5 cohorts(together holding a hundred million users), and I've seen companies run ads targeting 100s of cohorts with the same number of users. They all work better than no targeting at all.

However, what you're saying isn't completely wrong. I've also seen user targeting become a self-fulfilling prophecy. What happens is that it's championed by a high-level executive as the panacea for improving revenue, implemented, and seen to not work. Now, as we all know, the C*O is Always Correct, so everything else around it is modified until the user-level targeting A/B test shows positive results. Usually this ends up in the product being tortured into an unusable mess.

bandrami · 8 months ago
I don't think it has to go that far. I think there's a middle ground here that people would accept: show us ads, but make it a one-way firehose, like TV and billboards. If you need to advertise to pay for the site, put up all the banners you want. But don't try to single me out for a specific one.

If it could pay for network TV there's no reason it can't pay for a website.

(You could still do audience-level tracking, e.g. "Facebook and NCIS are both for old people, so advertise cruises and geriatric health services on those properties")

kgwxd · 8 months ago
We have those one-way firehose online too. They're not mutually exclusive methods. Nothing short of legislation will stop the current norms.
Hilift · 8 months ago
Reddit has fairly extensive device fingerprinting. And they are selling data for training AI models. It's only a matter of time before there is some premium phone app that monetizes data that otherwise isn't available/for sale.
dan15 · 8 months ago
The majority of internet users are either unwilling or unable to pay for content, and so far advertising has been the best business model to allow these users to access content without paying. Do you have a better suggestion?
microtonal · 8 months ago
They are able, because in the end advertising is also paid by customers. The complications are:

- Paying for services is very visible, whereas the payment for advertising is so indirect that you do not feel like you are paying for it.

- The payments for advertising are not uniformly distributed, people with more disposable income most likely pay more of overall advertising. But subscriptions cannot make distinctions between income.

- People with disposable income are typically the most willing to pay for services. However, they are also the most interesting to advertisers. For this reason, payment in place of ads is often not an option at all, because it is not attractive to websites/services.

I think banning advertising would be good. But I think a first step towards that would be completely banning tracking. That would make advertisements less effective (and consequently less valuable) and would pose services to look for other streams of income. Plus it would solve the privacy issue of advertising.

_Algernon_ · 8 months ago
Internet users pay for their services by everything they buy being more expensive due to the producers having to cover the advertising expenses.
mrguyorama · 8 months ago
>The majority of internet users are either unwilling or unable to pay for content

Except for Spotify, News subscriptions, videogame subscriptions, video streaming services, duolingo, donations, gofundmes, piracy services!, clothing and food subscriptions! etc etc

People pay $10 for a new fortnite skin. You really pretending they won't pay for content?

People were willing to pay for stuff on the internet even when you could only do so by calling someone up and reading off your credit card number and just trusting a stranger.

Meanwhile, the norm until cable television for "free" things like news was that you either paid, or you went to the library to read it for free.

Maybe people could visit libraries more again.

FuckButtons · 8 months ago
Sure, this entire business model has been cataclysmic for traditional media organizations and news outlets and people's trust in institutions has plummeted in correlation, so, let's just fucking scrap it and go back to paid media.
rhubarbtree · 8 months ago
I think that might be a rhetorical device bequeathed to you by the social media companies.

People of course do pay for things all the time. It’s just the social media folks found a way to make a lot more money than people would otherwise pay, through advertising. And in this situation, through illegal advertising.

The best thing we can all do is refuse to work for Meta. If good engineers did that, there would be no Meta. Problem solved. But it seems many engineers prefer it this way.

bandrami · 8 months ago
I don't pay for network TV but it still gets produced
fuzzfactor · 8 months ago
This type of thing is pure greed, completely distinct from a highly aggressive pursuit of far more lucrative opportunities that average businessmen have been able to accomplish in the extreme interest of their shareholders.

Those true leaders are the traditional examples who have shown success over the centuries, without letting any greed whatsoever become a dominant force, recognizing and moving in the opposite direction from those driven by overblown self-interest, who naturally have little else to offer. It can be really disgraceful these days but people don't seem to care any more.

That's one thing that made them average businessmen though.

Now if you're below-average I understand, but most companies' shareholders would be better off with a non-greedy CEO, who outperforms by steering away from underhanded low-class behavior instead.

Now if greed is the only thing on the table, and somebody like a CEO or decision-making executive hammers away using his only little tool with admirable perseverance long enough, it does seem to have a likelihood of bringing in money that would not have otherwise come in.

This can be leveraged too, by sometimes even greedier forces.

All you can do is laugh, those shareholders might be satisfied, but just imagine what an average person could do with that kind of resources. It would put the greedy cretins to shame on their own terms.

And if you could find an honest above-average CEO, woo hoo !

crowcroft · 8 months ago
The question is how do you ban it, and then how do you prove that people are breaking those rules?
numpad0 · 8 months ago
By defining the $thing, banning the $thing per definition by law, and then tasking an FBI-like organization to enforce the law? It won't completely go away but it will subside, like how gambling on the Internet is divided binary and confined into lootbox games without cashing features and straight-up scam underground casinos.

Personally I think we should start from separating good old ads(that existed before I was 15) and Internet "ads". The old ads were still somewhat heavily targeted, but less than it is now. There probably would be an agreeable line up to which level advertisement efforts can be perverted.

lucianbr · 8 months ago
I think the main problem is that lots of money is made from it, and money influences politics hugely. The technical difficulties are low on the list of reasons this is not happening.
voidUpdate · 8 months ago
I know. It's wishful thinking that will never become a reality. I pray for a solarpunk future in the same way
udev4096 · 8 months ago
It's impossible and we all know it. Instead, donate or help with the huge adblock lists that are being maintained by a lot of people
kbenson · 8 months ago
A lot of things I would have previously said were impossible have happened in the last half year. If only a few of those things were of the impossibly good type.
voidUpdate · 8 months ago
As said in a reply to a sibling comment, I am very aware. This is wishful thinking
Workaccount2 · 8 months ago
>all so that CEOs can afford an extra yacht

...and so consumers can use services/products without having to fork over money.

People love the ad-model. Given the option to pay or use the "ad-supported" option, the ad-supported one wins 10 to 1. This means in many cases it doesn't even make sense to have a paid option, because the ad option is just so much more popular.

As bad as crypto is, with all the negative things attached to it, BAT was probably one of the smartest things to be invented. A browser token that automatically dispenses micropayments to websites you visit. Forget all the details to get snagged on, the basic premise is solid: Pay for what you use. You become the customer, not the advertisers.

Also a note about ad-blocking - it only makes the problem worse. It is not a "stick it to the man" protest. You protest things by boycotting them, or paying their competitors, not by using them without compensating them.

account42 · 8 months ago
There is no such thing as a free lunch. Consumers on average are forking over the money. Otherwise no one would pay for advertising. And they are paying more than they would have otherwise since this dystopian tracking apparatus isn't free either.
SecretDreams · 8 months ago
Yes, we need ads for a free internet, today. And, as a result, we also have our privacy eroded - eroded in ways we may not care about today, but will probably regret tomorrow.

If we must pay for the internet, give me an option to pay to use it where I see no ads and my privacy is preserved. Let me know what that cost is and I'll decide what I want to do.

Right now, the actual pricing is obscured so we just "accept" that the internet in its current form is how it needs to be.

rkomorn · 8 months ago
I really liked the concept of BAT but the reality left me wanting.

Things like "we'll hang on to the tokens of sites that don't use BAT yet for them until they join" gave negative vibes.

It all felt a little underbaked. I swing back to Brave once in a blue moon and then remember I've got at least $20's worth of BAT lost forever somewhere.

pseudocomposer · 8 months ago
The deprecation of third-party cookies, that all browsers were at one point on track to implement, was pretty much the most realistic first step to that. Which is why Google killed it last year by leveraging their control over Chrome.

While not technically a crime, it was a disgusting, unethical market manipulation move that never really got the public outrage it deserved.

Google execs' initial support for it was also telling: leadership at Google must literally have thought they would find another way to stay as profitable as they are without third-party cookies. Put another way: Google leadership didn't understand cookies as well as someone who's taken a single undergrad web dev class. (Or they were lying all along, and always planned to "renege" on third-party cookie deprecation.)

IggleSniggle · 8 months ago
I don't think that's quite what happened. Google got in anti-trust trouble because they have an unfair advantage in user-tracking, given logged in Chrome accounts. Removing third-party cookies hurts other privacy-invading companies without substantially affecting Google. It was still somewhat on track to be removed from Chrome until they lost their antitrust battle, and Chrome was required to be spun off. With Chrome's new future, and Google's new legal constraints, there's less incentive to try and make Privacy Sandbox work. At least, that was my understanding; I didn't follow it all that closely.
SquareWheel · 8 months ago
This is very misleading. Google was prevented from disabling third-party cookies due to intervention by the CMA, who felt it would provide an unfair advantage over other advertisers. Google argued their case for years, proposed competing standards to act as a replacement (see Topics API), and eventually gave up on the endeavour altogether and simply made it a user toggle.
footlose_3815 · 8 months ago
Insidiously calling it "Privacy sandbox", and now setting everything opt-in every time I login to Chrome is really not Googly.
skybrian · 8 months ago
Most commenters on Hacker News hated Google’s plan and hoped it would fail. Were they wrong?

It seems like damned-if-you-do, damned-if-you-don’t.

burnt-resistor · 8 months ago
The problem is their greed is unlimited and their power/influence and purchasing power is relative to all of the other billionaires corrupting government and making every little facet of life of ordinary people more expensive, miserable, transactional, and punitive.
orbital-decay · 8 months ago
Actual report: https://localmess.github.io/

>Google says it's investigating the abuse

That's a bit ironic, considering how they're using any side channel they could lay their hands on (e.g. Wi-Fi AP names) to track everyone. Basically every large app vendor with multiple apps does something similar to circumvent OS restrictions as well.

n2h4 · 8 months ago
If it were a small company, it'd have been delisted from Google's Play Store in an instant.
kriro · 8 months ago
The EU should set some record breaking fines for this.

Maybe it's time to invent a tax that starts at 0% and goes up 1-X% every time your hand is caught in the cookie jar. And add a corresponding website where you can clearly see all violations by company.

like_any_other · 8 months ago
There should also be fines, but individuals have gone to jail for less.
SchemaLoad · 8 months ago
I agree they should. But I don't think the EU has any real ability to send American tech execs to jail. At most they can stop them doing business in the EU.
Hilift · 8 months ago
Meta makes $70 billion net per year, after fines.
bnpxft · 8 months ago
Another reason not to install big tech's apps and only use their websites if you must.

Not only are their websites painful, which discourages use, websites are more sandboxed.

microtonal · 8 months ago
I am not sure which Meta apps open ports, but e.g. Samsung phones come with a bunch of Meta apps pre-shipped. IIRC just removing the Facebook app is not enough, there is another service installed that is not visible as an app (com.facebook.services etc.), which you can only uninstall from the data partition with something like ADB/UAD.

Or buy an iPhone or a Pixel.

hereme888 · 8 months ago
I remember a few years ago analyzing a modern Samsung phone's web traffic. It had by far the most ad-related and monetizing connections out of any other phone I've ever seen. And they were part of "necessary" functions, so you couldn't just block that traffic.

Samsung has great tech, but I avoid because it's so bloated and abusive.

jmm5 · 8 months ago
The Pixel "Private Space" feature should prevent Meta apps from running in the background. It also prevents you from getting notifications.
johnisgood · 8 months ago
I tend to buy stock Android, e.g. Motorola moto g30, etc. It still has lots of Google stuff, but you can get rid of them, and I have a work profile specifically designed for Google-related stuff, and my personal profile is de-Googled as much as possible.
pests · 8 months ago
Article did mention Facebook and Instagram at some versions.
SchemaLoad · 8 months ago
Samsung devices are loaded with malware and AI slop in general. I'd avoid them if you at all care about privacy. Since Google is still missing end to end encryption for cloud data, iOS seems like the only good choice currently.
shuckles · 8 months ago
> Not only are their websites painful, which discourages use, websites are more sandboxed.

This isn't remotely true. It is pretty trivial for a well-resourced engineering organization to generate unique fingerprints of users with common browser features.

rbits · 8 months ago
Wouldn't native apps be even worse in that regard, most of the time?
dylan604 · 8 months ago

    *: Meta Pixel script was last seen sending via HTTP in Oct 2024, but Facebook and Instagram apps still listen on this port today. They also listen on port 12388 for HTTP, but we have not found any script sending to 12388.
    **: Meta Pixel script sends to these ports, but Meta apps do not listen on them (yet?). We speculate that this behavior could be due to slow/gradual app rollout.
So, could some other app send data to these ports with a fake message? I'm asking for a friend that likes to do things for science.
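The quoted note says the apps still listen on port 12388 for HTTP. A check a practitioner would want, added here as an example (not code from the report), is to list loopback listeners on the device and attribute them to packages. The function below parses `ss -ltnp`-style output, the format produced by iproute2's `ss` on Linux (on a phone it would typically be run via `adb shell`; whether the device ships `ss` and shows process names for other uids without root is device-specific and is an assumption here). The sample lines are constructed to look like that output and are not a real capture; the package names in them are made up.

```python
"""Flag non-system packages listening on the loopback interface (constructed example)."""
import re

# Constructed sample shaped like `ss -ltnp` output. Not a real capture;
# package names are made up. Port 12388 is the HTTP port cited in the report.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port       Peer Address:Port Process
LISTEN 0      50     127.0.0.1:12388          0.0.0.0:*         users:(("com.example.social",pid=4321,fd=77))
LISTEN 0      128    127.0.0.1:5037           0.0.0.0:*         users:(("adbd",pid=812,fd=9))
LISTEN 0      10     0.0.0.0:8080             0.0.0.0:*         users:(("com.example.devserver",pid=5555,fd=12))
LISTEN 0      50     [::ffff:127.0.0.1]:12388 [::]:*            users:(("com.example.social",pid=4321,fd=78))
"""

LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<proc>.*)$")
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Processes one expects to own loopback sockets on a device (assumption; extend per device).
KNOWN_SYSTEM = {"adbd"}


def is_loopback(addr):
    """True for IPv4 127/8, IPv6 ::1 and the v4-mapped form, with or without brackets."""
    addr = addr.strip("[]")
    return addr in ("::1", "::ffff:127.0.0.1") or addr.startswith("127.")


def parse_listeners(text):
    """Return (process, pid, address, port) for every LISTEN line in ss output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or a socket not in LISTEN state
        p = PROC_RE.search(m.group("proc"))
        name, pid = (p.group("name"), int(p.group("pid"))) if p else ("?", -1)
        out.append((name, pid, m.group("addr"), int(m.group("port"))))
    return out


def suspicious_loopback_listeners(text, watch_ports=frozenset({12388})):
    """Loopback listeners from non-system processes, keyed by (process, port).

    The value explains why the entry was flagged; a port from watch_ports
    (default: the HTTP port cited in the report) outranks the generic reason.
    The v4 and v4-mapped-v6 sockets of one process collapse to one finding.
    """
    findings = {}
    for name, pid, addr, port in parse_listeners(text):
        if not is_loopback(addr) or name in KNOWN_SYSTEM:
            continue
        reason = "reported port" if port in watch_ports else "app listening on loopback"
        key = (name, port)
        if key not in findings or reason == "reported port":
            findings[key] = reason
    return findings


if __name__ == "__main__":
    for (proc, port), why in suspicious_loopback_listeners(SAMPLE_SS_OUTPUT).items():
        print(f"{proc} on 127.0.0.1:{port}: {why}")
```

Feed it real output with `suspicious_loopback_listeners(open("ss.txt").read())` after saving `adb shell ss -ltnp` to a file. A hit on the watched port answers the question above from the defender's side (something is there to receive traffic); it says nothing about what the listener accepts, so any "science" beyond that is a separate exercise.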

fshafique · 8 months ago
Two ways to f#ck with these trackers - either send them nothing back, or flood them with lots of fake data.

Somebody also needs to come up with a way to peer to peer share advertiser tracking cookies.

GrantMoyer · 8 months ago
Would an individual using this technique to collect information from someone else's computer possibly face prosecution under the Computer Fraud and Abuse act?
paxys · 8 months ago
People have been prosecuted under that act for clicking "view source" on their web browser. The crime itself is irrelevant. It's more about who you are/what connections you have/who you piss off.
evilos · 8 months ago
Has there actually been a conviction purely for "viewing source"?
etherealG · 8 months ago
exactly, the more interesting question: would anyone be willing to prosecute a Meta executive over this? Sadly, I expect no.
gruez · 8 months ago
This only works if you control the code on both sides (ie. on the website being visited and an app running on the phone). It's not some sort of magic hack that allows you to exfiltrate arbitrary browser history. Therefore it's unclear how it can be construed as "hacking" in any meaningful way. As bad non-consensual tracking done by google/meta/whatever are, it's not covered under CFAA.
GrantMoyer · 8 months ago
I agree it's not hacking, but the Computer Fraud and Abuse act seems to have a pretty broad definition of computer fraud and abuse. In particular, the technique seems like it might (emphasis mine) "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value …". Would the other person have a reasonable belief that they didn't authorize access to information which their OS attempts to prevent access to?

I'm not a lawyer, so my question is genuine.

threecheese · 8 months ago
The yandex one uses client/browser-side code to exfiltrate; it’s within the realm of possibility to abuse this, given a user visits a site under your control.

On the FB side, I can see a malicious user potentially poisoning a target site visitor's ad profile or even social media algorithm with crafted cookies. Fill their feed with diaper ads or something.

const_cast · 8 months ago
I don't know, you're purposefully abusing oversights to completely bypass the sandbox. It's an exploit for sure in my mind, and it seems very intentionally done. Like, it was done this way specifically because it allows them to circumvent other protections they know existed.
croes · 8 months ago
Yes