
33 sats \ 1 reply \ @rblb 12h
That's spyware... I am a bit surprised Android doesn't freeze sockets of background apps.
Actually, doesn’t it? Wasn’t the whole notification trick to keep the app alive necessary to prevent Android from killing sockets?
reply
0 sats \ 0 replies \ @k00b OP 4h
Android is pretty liberal with backgrounding relative to iOS. It's iOS that needs notifications to do anything meaningful in the background.
I suspect Android lets these sockets stay open as long as they're for something specific - in this case it looks like WebRTC might be allowed so they "munge" the cookie in:
The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
reply
33 sats \ 2 replies \ @xz 20h
If not installing the Meta apps, it is the same if you log in through a mobile browser, it tracks your browsing, right? So, either way, they track your browsing history.
Is the only way to sandbox these mobile platforms to never log in?
reply
0 sats \ 1 reply \ @k00b OP 20h
yes
reply
0 sats \ 0 replies \ @xz 20h
Thanks. Just wanted to be sure of that.
I don't know what good a ten percent fine will do every user, but I guess at least it'll force Meta to re-engineer their surveillance stack.
reply
I couldn't really understand how it works, but I did understand that Meta is full of assholes
reply
10 sats \ 0 replies \ @teemupleb 9h
Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.
iPhone users marked safe from Meta’s attack.
reply
It's pretty interesting how this works
reply
Yep, so clever that it's simple.
reply
138 sats \ 1 reply \ @kepford 16 Jun
Brave browser does prevent this by default, at least this is my understanding. It does seem like a good browser security default would be to block remote sites from calling localhost. I am sure there are sites this would break but it could warn you that a site attempted this and allow you to allow it.
reply
I was gearing up to test this when I made an addressing error. Turns out it even blocks "cross-site" from http://127.0.0.1 to http://localhost from the same TCP port.
reply
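The default kepford describes, and the 127.0.0.1 versus localhost behaviour in the reply above, sketched as an added example (not part of the thread and not Brave's code; the function names, the allow-list and the sample URLs are assumptions):

```javascript
// Added example: a "no cross-origin calls into loopback" policy check.
// Hypothetical helper names; sample URLs and ports are constructed.

// True if the host is a loopback destination: localhost names, 127.0.0.0/8, ::1.
// Input is URL.hostname, which the WHATWG parser has already canonicalised
// (e.g. "127.1" and "2130706433" both become "127.0.0.1", IPv6 keeps brackets).
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // tolerate "localhost."
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && Number(m[1]) === 127;
}

// Log of blocked attempts, so a UI could warn the user and offer "allow".
const blockedAttempts = [];

// Decide whether a page may issue a request (fetch, XHR, WebSocket) to targetUrl.
// allowedOrigins: page origins the user has explicitly allowed to reach loopback.
function checkRequest(pageUrl, targetUrl, allowedOrigins = new Set()) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Same origin means same scheme, host AND port: 127.0.0.1 and localhost
  // are different hosts, so they are different origins even on one port.
  if (page.origin === target.origin) return "allow";
  if (!isLoopbackHost(target.hostname)) return "allow";
  if (allowedOrigins.has(page.origin)) return "allow";
  blockedAttempts.push({ from: page.origin, to: target.origin });
  return "block";
}

// Constructed sample requests.
const samples = [
  ["https://shop.example/cart", "http://127.0.0.1:12345/id"],
  ["https://shop.example/cart", "ws://localhost:12345/"],
  ["http://127.0.0.1:8080/", "http://localhost:8080/api"],
  ["http://localhost:8080/", "http://localhost:8080/api"],
  ["https://shop.example/cart", "https://cdn.example/lib.js"],
];
for (const [page, target] of samples) {
  console.log(checkRequest(page, target), page, "->", target);
}
```

This only covers URL-addressed requests; the WebRTC channel quoted earlier in the thread is not URL-addressed, so a check like this would not see it.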
Ugh they're just the worst
reply
105 sats \ 6 replies \ @398ja 16 Jun
Is WhatsApp safe?
Asking for a friend...
reply
147 sats \ 0 replies \ @k00b OP 20h
Use Signal?
reply
100 sats \ 4 replies \ @optimism 15h
In general? No. Listen to @k00b and switch to Signal.
Regarding this particular issue, I tried WhatsApp on an avm the day the method was exposed but didn't find it to have these listening ports. However, they removed the feature within 24h after exposure so I may have been too late.
reply
200 sats \ 1 reply \ @398ja 4h
🤔
reply
75 sats \ 0 replies \ @optimism 4h
Correct. This has been known for years. Here's a Reddit post from 5 years ago.
Image:
reply
100 sats \ 0 replies \ @kepford 9h
It's interesting that I've been hearing radio commercials for WhatsApp lately. Anyone that trusts Meta is a fool. I'm not saying anyone that uses anything they own is a fool but you better know what you are dealing with.
reply
100 sats \ 0 replies \ @398ja 15h
I'm so happy I've been off these platforms for almost a decade, though I still much depend on WhatsApp... Signal is definitely the way.
Thank you!
reply