Overview
- Meta and Yandex exploited fixed localhost ports in Android apps to link mobile web browsing data with user identities without consent.
- An international team from IMDEA Networks, Radboud University and KU Leuven publicly exposed the practice on June 3, 2025.
- Meta Pixel and Yandex Metrica, embedded on an estimated 5.8 million and 3 million sites respectively, bypassed Incognito Mode and VPN protections.
- Meta paused its Android localhost bridging system after media scrutiny, while Chrome 137 shipped countermeasures on May 26 and Firefox is preparing its own patch.
- The technique sidestepped cookie clearing and Android permission controls, prompting calls for stricter platform restrictions on local port access.