Yesterday I shared a report about Meta and Yandex tracking Android users through localhost. And today, boom — news dropped that Meta stopped doing it. Glad there are folks out there who spend their time digging into this stuff.
[...]
Presently, however, Meta's use of these techniques appears to have halted. According to the researchers, "As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed."
28 sats \ 1 reply \ @ek 4 Jun
The researchers describe Meta's approach thus:
  1. The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged-in with their credentials on the apps.
  2. The user opens their browser and visits a website integrating the Meta Pixel. At this stage, websites may ask for consent depending on the website's and visitor's locations.
  3. The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
  4. The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
  5. The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running on the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph.facebook.com/graphql) along with other persistent user identifiers, linking users' fbp ID (web visit) with their Facebook or Instagram account.
Oof, but interesting
reply
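A defensive check for the listeners described in step 1, as an added example that is not part of the original comment or the researchers' work: it scans socket tables for anything waiting on TCP 12387/12388 or UDP 12580-12585. It assumes the input is text in the Linux `/proc/net/tcp` and `/proc/net/udp` format; the function names and sample rows are constructed for illustration.

```python
# Ports taken from the researchers' description quoted above.
TCP_PORTS = {12387, 12388}
UDP_PORTS = set(range(12580, 12586))  # 12580-12585 inclusive
TCP_LISTEN = "0A"  # "st" column value for a listening TCP socket
UDP_BOUND = "07"   # "st" column value for a bound, unconnected UDP socket

# Constructed sample rows (not captured from a real device).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41001
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10111        0 41002
   2: 0F02000A:3064 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10150        0 41003
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 42001
   1: 00000000:312A 00000000:0000 07 00000000:00000000 00:00000000 00000000 10300        0 42002
"""

def parse_proc_net(text):
    """Yield (local_port, state, uid) for each socket row; skip headers and junk."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].rstrip(":").isdigit():
            continue
        try:
            # rpartition handles both IPv4 and IPv6 (tcp6/udp6) address widths.
            port = int(fields[1].rpartition(":")[2], 16)
            uid = int(fields[7])
        except ValueError:
            continue
        yield port, fields[3].upper(), uid

def find_listeners(tcp_text, udp_text):
    """Return sorted (proto, port, uid) for sockets waiting on the reported ports."""
    hits = []
    for proto, text, ports, state in (("tcp", tcp_text, TCP_PORTS, TCP_LISTEN),
                                      ("udp", udp_text, UDP_PORTS, UDP_BOUND)):
        for port, st, uid in parse_proc_net(text):
            if port in ports and st == state:
                hits.append((proto, port, uid))
    return sorted(hits)

if __name__ == "__main__":
    for proto, port, uid in find_listeners(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{proto}/{port} is open for incoming traffic, owned by uid {uid}")
```

In the sample, the established connection from local port 12388 and the UDP socket on 12586 are deliberately not reported: only sockets waiting for incoming traffic on the listed ports count.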
Yeah, good thing I'm free from that crap... not that it stops them from tracking me online some other way! These guys wanna know everything... fuckers!
reply