Meta & Yandex Busted Secretly Spying on Your Web History?!

Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica

Meta and Yandex Under Scrutiny for De-Anonymizing Android Users’ Browsing Data

The digital privacy landscape is once again under intense scrutiny as researchers uncover a concerning practice employed by tech giants Meta and Russia-based Yandex. It appears that tracking code embedded within millions of websites by these companies has been exploiting legitimate Internet protocols to de-anonymize website visitors. This covert tracking allows them to convert temporary web identifiers into persistent mobile app user identities.

At the heart of the issue is the abuse of how Chrome and other browsers interact with native apps installed on Android devices. Google has confirmed it is actively investigating this breach, which raises serious questions about user privacy and data security.

The method employed, found within the widely used Meta Pixel and Yandex Metrica trackers, essentially circumvents the fundamental security and privacy mechanisms built into both the Android operating system and popular web browsers.

Let's break down why this is so concerning:

  • Android Sandboxing Bypassed: Android utilizes sandboxing to isolate app processes, preventing them from interacting with the operating system or other installed apps. This abuse breaks that isolation.
  • Browser Partitioning Defeated: Browsers implement state partitioning and storage partitioning, which store website cookies and data in separate containers for each domain. Meta and Yandex are finding ways around this, too.

Narseo Vallina-Rodriguez, one of the researchers who brought this to light, succinctly summarized the issue: “One of the fundamental security principles that exists in the web, as well as the mobile system, is called sandboxing... What this attack vector allows is to break the sandbox that exists between the mobile context and the web context.”

How does this work?

  • Yandex reportedly began implementing this technique in 2017.
  • Meta followed suit starting in September of last year.
  • The bypass allows them to pass cookies or other identifiers from browsers like Firefox and Chromium to native Android apps like Facebook, Instagram, and various Yandex apps.
  • This links your browsing history to your account within these apps.

The implications are far-reaching. Imagine your every click, search, and online purchase being quietly tied to your social media profiles or other app accounts, creating a comprehensive and potentially exploitable profile of your online activity.

This discovery serves as a crucial reminder of the ongoing battle to protect user privacy in an increasingly data-driven world. The investigation by Google and any subsequent actions taken by regulatory bodies will be vital in ensuring that user data is handled responsibly and ethically. The onus is on these tech giants to prioritize user privacy and rebuild trust by rectifying these practices and preventing future breaches. This incident underlines the critical need for continuous vigilance and innovation in the realm of data security to safeguard individual privacy in the digital age.

Tags: Meta Pixel, Yandex Metrica, Data tracking, Privacy breach, Android security, Browser security, User identity, Web identifiers, Google investigation, Covert tracking

Source: https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
