NEWS Meta Quietly Listened to Your Browser — Even in Incognito Mode

ExcalibuR


While you were scrolling your feed, your phone became part of an invisible surveillance network tracking millions.


A group of researchers has uncovered an unusual tracking scheme that allowed anonymous web activity to be linked to specific users of mobile apps. The study revealed that Meta used its Android applications to collect data on user actions in web browsers — bypassing typical privacy safeguards.


The technique relied on the device's internal network interface, known as localhost or the loopback address, which lets a device send network requests to itself. Normally used for testing local servers, it was in this case repurposed as a surveillance channel.


The Facebook and Instagram* mobile apps opened specific TCP and UDP ports on the device — namely TCP ports 12387 or 12388, and one of the free ports in the UDP range 12580–12585. Even when the app was running in the background, it continued listening for traffic, waiting for a browser connection. When the user visited a website containing the Meta Pixel — a script used for analytics and tracking — it would execute in the browser and establish a connection to the app via WebRTC, using a modified SDP (Session Description Protocol).


Through this connection, the script transmitted the _fbp cookie to the app, along with additional data such as the page URL, browser metadata, and the type of event (e.g., page view, purchase click, or donation). Simultaneously, the script sent the same data to https://www.facebook.com/tr. Upon receiving the _fbp identifier, the mobile app forwarded it to the GraphQL server at https://graph.facebook.com/graphql, adding other persistent user identifiers stored within the app. This created a direct link between web activity and the user’s Facebook or Instagram account.
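As an added, defender-side example that is not part of the article or of the researchers' tooling, the Python below checks for the two observable traces of the mechanism described above: an app listening on loopback on the TCP and UDP ports the text names (parsed from netstat-style output such as `adb shell netstat -tulnp` produces), and ICE candidates in a WebRTC SDP offer that point the browser at loopback. The port numbers come from the article; the netstat sample, the package name `com.example.socialapp` and the SDP lines are constructed.

```python
"""Added audit helpers (not from the article): flag loopback listeners on the ports the
research names, and flag WebRTC SDP candidates that point a browser at loopback."""
import re
from dataclasses import dataclass

# Port numbers as given in the article; app name and sample data below are constructed.
SUSPECT_TCP_PORTS = {12387, 12388}
SUSPECT_UDP_PORTS = set(range(12580, 12586))   # 12580-12585 inclusive
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
ALL_INTERFACES = {"0.0.0.0", "::"}              # wildcard binds also answer on loopback


@dataclass(frozen=True)
class Listener:
    proto: str    # "tcp" or "udp"
    host: str
    port: int
    process: str  # "PID/name" column, or "-" when not visible


def parse_netstat(text: str) -> list[Listener]:
    """Parse `netstat -tulnp`-style output into Listener records.
    TCP rows are kept only in LISTEN state; UDP rows carry no state column."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = parts[0].rstrip("6")
        host, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        if proto == "tcp" and "LISTEN" not in parts:
            continue
        listeners.append(Listener(proto, host, int(port), parts[-1]))
    return listeners


def find_suspect_listeners(listeners: list[Listener]) -> list[Listener]:
    """Return listeners reachable from loopback on the TCP/UDP ports named in the research."""
    hits = []
    for l in listeners:
        reachable_locally = l.host in LOOPBACK_HOSTS or l.host in ALL_INTERFACES
        on_named_port = (
            (l.proto == "tcp" and l.port in SUSPECT_TCP_PORTS)
            or (l.proto == "udp" and l.port in SUSPECT_UDP_PORTS)
        )
        if reachable_locally and on_named_port:
            hits.append(l)
    return hits


# ICE candidate line: a=candidate:<foundation> <component> <transport> <priority> <addr> <port> typ ...
CANDIDATE_RE = re.compile(
    r"^a=candidate:\S+ \d+ (udp|tcp) \d+ (\S+) (\d+) typ", re.IGNORECASE | re.MULTILINE
)


def loopback_candidates(sdp: str) -> list[tuple[str, str, int]]:
    """Return (transport, address, port) for every ICE candidate that targets loopback.
    A page's WebRTC session with a remote peer has no need for such a candidate, so one
    appearing in an offer is worth logging (for example from a browser extension or proxy)."""
    found = []
    for m in CANDIDATE_RE.finditer(sdp):
        transport, addr, port = m.group(1).lower(), m.group(2), int(m.group(3))
        if addr in LOOPBACK_HOSTS or addr.startswith("127."):
            found.append((transport, addr, port))
    return found


# Constructed sample inputs (not real captures); the app name is a placeholder.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:12387         0.0.0.0:*               LISTEN      4242/com.example.socialapp
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      311/adbd
udp        0      0 127.0.0.1:12580         0.0.0.0:*                           4242/com.example.socialapp
udp        0      0 0.0.0.0:68              0.0.0.0:*                           902/dhcpclient
"""

SAMPLE_SDP = (
    "v=0\r\n"
    "a=candidate:1 1 UDP 2130706431 192.168.1.20 50000 typ host\r\n"
    "a=candidate:2 1 UDP 2130706175 127.0.0.1 12580 typ host\r\n"
)

if __name__ == "__main__":
    for l in find_suspect_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"loopback listener: {l.proto} {l.host}:{l.port} ({l.process})")
    for transport, addr, port in loopback_candidates(SAMPLE_SDP):
        print(f"loopback ICE candidate: {transport} {addr}:{port}")
```

Wildcard binds (`0.0.0.0`, `::`) are treated as reachable from loopback because they are; a port check alone would miss them. On the browser side, a loopback ICE candidate in an offer is the signal the Brave consent prompt and the Chrome 137 SDP protection mentioned later act on, so the same check can feed an extension or proxy log.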


This mechanism bypassed standard privacy measures such as cookie clearing, incognito mode, and Android's permission system. All of it happened without user knowledge or additional consent, despite the presence of formal consent banners on websites. More critically, it undermined the fundamental assumption of cookie sandboxing — the idea that third-party scripts can’t track the same user across multiple websites if cookies are cleared. Here, the tracking link became possible regardless.


According to the researchers, data transmission via HTTP began in September 2024, sparking discussions among third-party developers using Meta’s APIs. By October, HTTP was replaced with more advanced protocols like WebSocket, WebRTC STUN with custom SDP, and WebRTC TURN. However, careful observation of the scripts allowed researchers to confirm that on June 3, 2025, at 7:45 AM CET, Meta Pixel completely stopped sending data to localhost. The code responsible for _fbp transmission was effectively removed.


Meta stated that the feature was temporarily disabled after receiving reports of a potential violation of Google Play policies, which prohibit covert data collection. Company representatives confirmed that they are in talks with Google over a “misunderstanding” of policy application but declined to provide specifics.


The researchers also proposed several technical countermeasures to prevent similar attacks in the future. For example, Google is considering a dedicated permission for local network access, which would block attempts to listen to localhost traffic that bypass Android’s existing permission system. Previous efforts to implement such policies faced technical challenges.


Some browsers have already taken action. Chrome 137, released on May 26, 2025, includes experimental protection against SDP modification, although it's currently only available to a limited group of test users. Firefox is working on a similar feature. The Brave browser is immune to this type of attack by default, as it requires explicit consent for localhost use. DuckDuckGo has blacklisted the offending scripts.


The research team emphasized that the discovered technique opens up new pathways for violating user privacy by circumventing traditional safeguards, and called for stricter controls at both the OS and browser levels.