• Covert web-to-app tracking via localhost on Android

    From LWN.net@1337:1/100 to All on Wednesday, June 11, 2025 14:30:08
    Covert web-to-app tracking via localhost on Android

    Date:
    Wed, 11 Jun 2025 13:16:43 +0000

    Description:
    The "Local Mess" GitHub repository is dedicated to the disclosure of an
    Android tracking exploit used by (at least) Meta and Yandex. While there
    are subtle differences in the way Meta and Yandex bridge web and mobile
    contexts and identifiers, both of them essentially misuse the unvetted
    access to localhost sockets. The Android OS allows any installed app with
    the INTERNET permission to open a listening socket on the loopback
    interface (127.0.0.1). Browsers running on the same device also access
    this interface without user consent or platform mediation. This allows
    JavaScript embedded on web pages to communicate with native Android apps
    and share identifiers and browsing habits, bridging ephemeral web
    identifiers to long-lived mobile app IDs using standard Web APIs. This
    backdoor, the use of which has evidently stopped since its disclosure,
    allows tracking of users across sites regardless of cookie policies or
    use of incognito browser modes.

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1024844/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)
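
An added example, not part of the original post or of the Local Mess repository: a defender-side check that reads a dump in the Linux `/proc/net/tcp` format and reports app-owned sockets accepting connections on loopback, plus any other app UID connected to them. It assumes an IPv4 table from a little-endian test device the analyst can read; the sample rows are constructed and every function name is hypothetical.

```python
import socket
import struct

LISTEN, ESTABLISHED = "0A", "01"   # TCP state codes used in /proc/net/tcp
APP_UID_MIN = 10000                # first UID Android assigns to installed apps

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10111        0 51240
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40001
   3: 0100007F:C001 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10150        0 51300
"""

def decode_addr(field):
    """'0100007F:3039' -> ('127.0.0.1', 12345); IPv4 is hex in little-endian order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse(text):
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 8:                         # f[7] is the owning UID
            rows.append((decode_addr(f[1]), decode_addr(f[2]), f[3], int(f[7])))
    return rows

def app_listeners(rows):
    """Map port -> UID for app-owned sockets that accept connections on loopback."""
    found = {}
    for (ip, port), _remote, state, uid in rows:
        # A wildcard (0.0.0.0) bind is also reachable through 127.0.0.1.
        if state == LISTEN and uid >= APP_UID_MIN and (ip.startswith("127.") or ip == "0.0.0.0"):
            found[port] = uid
    return found

def cross_app_clients(rows, listeners):
    """Established loopback connections where one app UID talks to another's listener."""
    hits = []
    for _local, (rip, rport), state, uid in rows:
        owner = listeners.get(rport)
        if state == ESTABLISHED and rip.startswith("127.") and owner not in (None, uid):
            hits.append((uid, rport, owner))
    return hits

if __name__ == "__main__":
    listeners = app_listeners(parse(SAMPLE))
    print(listeners, cross_app_clients(parse(SAMPLE), listeners))
```

`/proc/net/tcp6` uses the same row layout with 32-hex-digit addresses and is not handled here.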