A sophisticated tracking method used by Meta (Facebook) and Yandex has potentially affected billions of Android users by passing data from web pages to native applications over local sockets.
The technique enabled native Android applications, including Facebook and Instagram, to silently receive browser metadata, cookies and commands from the Meta Pixel script embedded on thousands of websites, effectively linking mobile browsing sessions to user identities and bypassing standard privacy protections.
Implementation via WebRTC and port manipulation
The report, published on GitHub, states that the tracking mechanism exploited Android's unrestricted, permission-free access to local sockets, with Meta's approach evolving through several technical iterations.
Meta's system initially used HTTP requests in September 2024, then moved to WebSocket communications before settling on WebRTC STUN with SDP munging by November 2024.
The Meta Pixel JavaScript transmitted the _fbp first-party cookie over WebRTC to UDP ports 12580-12585, where the Facebook and Instagram applications maintained persistent listeners.
The technical implementation relied on SDP munging: Meta inserted the contents of the _fbp cookie into the ice-ufrag field, so that the resulting STUN Binding Request messages sent to the loopback address 127.0.0.1 carried the cookie value.
This data flow remained invisible to standard browser debugging tools such as Chrome DevTools, making it hard for security and privacy researchers to detect.
In May 2025, Meta switched to WebRTC TURN communications on ports 12586-12591, avoiding SDP munging after Chrome developers announced their intention to disable the technique.
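The two variants described above share a detectable shape in the SDP offer: an ice-ufrag value that looks like a cookie rather than a short random fragment, and ICE candidates or media connection addresses that point at the loopback interface on the port ranges named in the article. The following detector is an added example written for this page, not code from the article, from the researchers or from any browser vendor. It assumes the port ranges quoted above, assumes that an _fbp value has the form fb.<version>.<timestamp>.<random id>, and runs over two constructed SDP offers (one mimicking the munged offer, one benign) embedded inline. A browser extension, a WebRTC-aware proxy or a privacy audit harness could apply the same checks to offers observed from page scripts.

```python
"""Flag SDP offers that smuggle cookie data through ICE fields to loopback listeners."""
import re
from dataclasses import dataclass

# Port ranges named in the article, used here as the watched ranges (assumption: nothing
# else legitimately listens there on a typical device).
STUN_PORTS = range(12580, 12586)   # 12580-12585, SDP-munging variant
TURN_PORTS = range(12586, 12592)   # 12586-12591, TURN variant
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Assumed shape of an _fbp cookie value: fb.<version>.<creation time in ms>.<random id>
FBP_RE = re.compile(r"\bfb\.\d+\.\d{10,13}\.\d{6,}\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    line: str


def _suspicious_endpoint(ip: str, port: str) -> bool:
    """True when the endpoint is loopback on one of the watched port ranges."""
    if ip not in LOOPBACK or not port.isdigit():
        return False
    p = int(port)
    return p in STUN_PORTS or p in TURN_PORTS


def inspect_sdp(sdp: str) -> list[Finding]:
    """Scan an SDP offer line by line and return every suspicious line with a reason."""
    findings: list[Finding] = []
    media_port = None  # port from the most recent m= line, paired with the next c= line
    for n, raw in enumerate(sdp.splitlines(), 1):
        line = raw.strip()
        if line.startswith("m="):
            # m=<media> <port> <proto> ...
            parts = line[2:].split()
            media_port = parts[1] if len(parts) >= 2 else None
        elif line.startswith("c=") and media_port is not None:
            # c=IN IP4 <address>
            parts = line[2:].split()
            if len(parts) == 3 and _suspicious_endpoint(parts[2], media_port):
                findings.append(Finding(n, "media connection address is loopback on a watched port", line))
        elif line.startswith("a=ice-ufrag:"):
            value = line.split(":", 1)[1]
            if FBP_RE.search(value):
                findings.append(Finding(n, "ice-ufrag carries an _fbp-shaped cookie value", line))
            elif len(value) > 256:
                findings.append(Finding(n, "ice-ufrag longer than ICE permits (256 chars)", line))
        elif line.startswith("a=candidate:"):
            # a=candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> ...
            parts = line[len("a=candidate:"):].split()
            if len(parts) >= 6 and _suspicious_endpoint(parts[4], parts[5]):
                findings.append(Finding(n, "ICE candidate points at loopback on a watched port", line))
    return findings


# Constructed sample mimicking the shape described in the article: cookie in ice-ufrag,
# loopback target on a watched port. The cookie value and session id are made up.
SUSPICIOUS_SDP = """\
v=0
o=- 4611731 2 IN IP4 127.0.0.1
s=-
t=0 0
m=application 12580 UDP/DTLS/SCTP webrtc-datachannel
c=IN IP4 127.0.0.1
a=ice-ufrag:fb.1.1700000000000.1234567890
a=ice-pwd:ab12cd34ef56gh78ij90kl12mn34
a=candidate:1 1 udp 2130706431 127.0.0.1 12580 typ host
"""

# Constructed benign offer: short random ufrag, ordinary host candidate on a high port.
BENIGN_SDP = """\
v=0
o=- 4611731 2 IN IP4 192.0.2.10
s=-
t=0 0
m=application 9 UDP/DTLS/SCTP webrtc-datachannel
c=IN IP4 0.0.0.0
a=ice-ufrag:kq7F
a=ice-pwd:ab12cd34ef56gh78ij90kl12mn34
a=candidate:1 1 udp 2130706431 192.0.2.10 51234 typ host
"""

if __name__ == "__main__":
    for f in inspect_sdp(SUSPICIOUS_SDP):
        print(f"line {f.line_no}: {f.reason}: {f.line}")
    print("benign findings:", inspect_sdp(BENIGN_SDP))
```

The ufrag length check is a second, weaker signal: a legitimate ICE fragment is a few random characters, so a long or structured value is worth flagging even when it does not match the assumed cookie pattern. Pairing the m= port with the following c= address catches offers that avoid advertising an explicit loopback candidate.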
The tracking method has demonstrated an unprecedented reach: Meta Pixel is embedded on more than 5.8 million websites according to BuiltWith, making _fbp the third most common first-party cookie on the web.
A research crawl of the top 100,000 websites revealed that Meta Pixel attempted localhost communications on 17,223 sites in the United States and 15,677 EU sites, with around 75 to 78% of these sites triggering it without explicit user consent.
The system effectively bypassed established privacy protections, including cookie clearing, incognito mode and Android permission checks.
Even users not logged in to Facebook or Instagram in their mobile browsers remained exposed to tracking via the Android Advertising ID (AAID) bridging mechanism.
The method worked by connecting ephemeral web identifiers to persistent mobile application IDs, allowing Meta to associate distinct _fbp cookies set on different websites with the same user account.
Mitigation
Following responsible disclosure to the major browser vendors, several countermeasures entered development and deployment.
Chrome version 137, released on May 26, 2025, implemented protections blocking the abused ports and disabling the specific SDP munging techniques used by Meta Pixel.
Firefox version 139 incorporated similar port blocks, while the DuckDuckGo and Brave browsers already maintained blocklist-based protections against local communications.
Significantly, Meta stopped the practice around June 3, 2025: the Facebook Pixel script no longer sends localhost packets, and the responsible code has been almost completely removed. Yandex has also ceased its localhost-based tracking operations after disclosure.
The revelation has prompted broader discussion of the limitations of platform sandboxes and the need for improved Android inter-process communication security, in particular regarding local connections that allow cross-context data sharing without user awareness or consent.