What Happened
The Localmess research team began investigating localhost-based tracking after observing unusual network behavior in Android applications. Their analysis, conducted over several months, identified that Meta's Facebook and Instagram apps register local network listeners during installation.
When a user visits a website containing the Meta Pixel, the tracking code attempts to establish a connection to localhost ports. If successful, the code transmits the _fbp cookie, which contains a unique identifier tied to the user's browser. The Meta apps receive this data and can correlate it with the user's Facebook or Instagram account, even if the user has not logged into those services in their browser.
The researchers documented the technical mechanism in detail. The Meta Pixel uses WebRTC STUN requests, which are normally part of peer-to-peer connection establishment, to probe localhost addresses. By manipulating (munging) the SDP data that drives these requests, the tracking code encodes the _fbp cookie value into them. The local app listener decodes this information and associates it with the device.
Meta acknowledged the research on June 3, 2025, at 7:45 CEST, according to The Register. A Meta spokesperson stated that the company had paused the feature while conducting an internal review. The spokesperson did not provide a timeline for when or whether the feature would be reactivated.
Yandex, which the researchers identified as using a similar technique, had not issued a public statement at the time of reporting.
Key Claims and Evidence
The research team made several technical claims supported by their analysis:
The localhost listening behavior is present in Meta's Facebook and Instagram apps across multiple Android versions. The researchers verified this by examining network traffic and app behavior on devices running Android 11 through Android 14.
The tracking technique bypasses browser privacy protections by operating outside the browser's control. Incognito Mode prevents websites from accessing stored cookies, but it does not prevent WebRTC connections to localhost. Cookie clearing removes browser-stored identifiers but does not affect the _fbp value transmitted through the localhost channel.
The mechanism does not require any Android permissions beyond network access, which is granted by default to most applications. Users receive no notification or prompt when the tracking occurs.
The researchers tested the technique across Chrome, Firefox, Samsung Internet, and Brave browsers on Android. All browsers permitted the localhost connections at the time of testing.
The _fbp cookie transmitted through this channel contains a timestamp and a random identifier. When correlated with Meta's server-side data, this identifier can link browsing activity to a specific user account.
Pros and Opportunities
The disclosure provides browser vendors with specific technical details needed to implement mitigations. Google's Chrome 137 field trial and Mozilla's planned Firefox 139 changes represent direct responses to the research.
Security researchers and privacy advocates gain a documented example of localhost-based tracking, which may inform future investigations into similar techniques. The research methodology, including the use of network traffic analysis and app reverse engineering, provides a template for examining other applications.
Users who were previously unaware of this tracking vector can now make informed decisions about which applications to install on their devices. Removing Meta apps from Android devices eliminates this specific tracking pathway.
The research contributes to the broader understanding of how mobile applications can interact with web browsing in ways that undermine user expectations of privacy.
Cons, Risks, and Limitations
The tracking technique operated for an undetermined period before disclosure. Users who had Meta apps installed during this time may have been tracked without their knowledge or consent.
Browser mitigations are not yet widely deployed. Chrome 137 was in field trial status at the time of reporting, meaning the protection was not enabled for all users. Firefox 139 had not yet been released.
The research focused on Meta and Yandex, but the underlying technique could be used by any application that registers localhost listeners. Other apps may employ similar methods that have not yet been identified.
Removing Meta apps eliminates this tracking vector but may not be practical for users who rely on these applications for communication or business purposes.
The localhost listening behavior may serve legitimate purposes in some contexts, such as enabling communication between a company's web properties and mobile apps. Distinguishing between legitimate and privacy-invasive uses requires case-by-case analysis.
How the Technology Works
The tracking mechanism exploits the localhost (loopback) network interface, which allows processes on the same device to communicate with each other. When a user installs the Facebook or Instagram app on Android, the app registers listeners on specific TCP and UDP ports bound to the loopback address (127.0.0.1).
Websites embedding the Meta Pixel include JavaScript code that attempts to establish WebRTC connections. WebRTC, the Web Real-Time Communication standard, is designed for peer-to-peer audio, video, and data transmission. Part of the WebRTC connection process involves STUN (Session Traversal Utilities for NAT) requests, which help peers discover their network addresses.
The Meta Pixel manipulates the SDP (Session Description Protocol) data that governs these STUN requests so that the _fbp cookie value is encoded into them. SDP is a text-based format that describes multimedia sessions. By inserting the cookie value into specific SDP fields, the tracking code can transmit data through a channel that browsers do not typically monitor or restrict.
When the STUN request reaches the localhost listener, the Meta app extracts the encoded cookie value. The app can then transmit this data to Meta's servers, where it is correlated with the user's account information.
Technical context for expert readers: The technique relies on browsers permitting WebRTC connections to localhost addresses. While browsers restrict many types of localhost access for security reasons, WebRTC STUN requests have historically been allowed because they are considered part of legitimate peer-to-peer connection establishment. The SDP munging technique exploits the flexibility of the SDP format, which allows arbitrary attribute fields that parsers typically ignore if they do not recognize them.
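A defender-side check for the listening behavior described above, added here as an example and not part of the Localmess report or Meta's code: it parses socket listings in the format of Linux `ss -lntu` (for example captured via `adb shell ss -lntu`) and flags loopback or wildcard binds on the TCP and UDP ports the disclosure attributes to the Meta apps. The sample output is constructed, and the `ss` column layout is an assumption about the device's toolbox.

```python
"""Flag loopback listeners on the ports named in the Localmess disclosure.
Added example: input is assumed to be `ss -lntu` output (Linux layout)."""
import re

# Ports from the disclosure: TCP 12387/12388, UDP 12580 through 12591.
WATCHED = {
    "tcp": {12387, 12388},
    "udp": set(range(12580, 12592)),
}

# Constructed sample of `ss -lntu` output; not captured from a real device.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp    UNCONN  0      0      127.0.0.1:12580     0.0.0.0:*
udp    UNCONN  0      0      127.0.0.1:12591     0.0.0.0:*
udp    UNCONN  0      0      0.0.0.0:68          0.0.0.0:*
tcp    LISTEN  0      50     127.0.0.1:12387     0.0.0.0:*
tcp    LISTEN  0      128    [::1]:12388         [::]:*
tcp    LISTEN  0      128    0.0.0.0:5555        0.0.0.0:*
"""

# Netid, State, Recv-Q, Send-Q, then Local Address:Port (IPv6 is bracketed).
_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")

# Binds that a browser connecting to 127.0.0.1 / ::1 can reach.
_WILDCARDS = ("0.0.0.0", "[::]", "*")


def parse_ss(text):
    """Yield (proto, local_addr, port) for each socket line in ss output."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def is_loopback(addr):
    return addr == "[::1]" or addr.startswith("127.")


def flag_listeners(text):
    """Return sorted (proto, port) pairs reachable on loopback for a watched port."""
    hits = set()
    for proto, addr, port in parse_ss(text):
        if port in WATCHED[proto] and (is_loopback(addr) or addr in _WILDCARDS):
            hits.add((proto, port))
    return sorted(hits)


if __name__ == "__main__":
    for proto, port in flag_listeners(SAMPLE_SS_OUTPUT):
        print(f"watched {proto} port {port} is reachable on loopback")
```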
Industry Implications
The disclosure raises questions about the boundaries between mobile applications and web browsing. Users may reasonably expect that their browser activity remains separate from their installed apps, particularly when using privacy features like Incognito Mode.
The technique represents an escalation in the ongoing tension between advertising technology and privacy protections. As browsers have implemented stricter cookie policies and tracking prevention, some companies have developed alternative methods to maintain cross-site tracking capabilities.
Browser vendors face pressure to address localhost-based tracking without breaking legitimate use cases. Some web applications rely on localhost communication for features like local development servers, hardware device integration, and inter-process communication.
The research may prompt regulatory scrutiny in jurisdictions with strong data protection laws. The European Union's General Data Protection Regulation (GDPR) requires explicit consent for tracking, and the technique's ability to bypass user-visible privacy controls could raise compliance questions.
Mobile platform operators, including Google for Android, may face questions about whether app store policies should address localhost listening behavior. At the time of reporting, no specific policy prohibited the technique.
Confirmed Facts vs. Open Questions
Confirmed:
- Meta's Facebook and Instagram apps for Android listen on TCP ports 12387 and 12388, and UDP ports 12580 through 12591
- The Meta Pixel can transmit the _fbp cookie to these ports using WebRTC STUN with SDP munging
- The technique bypasses Incognito Mode, cookie clearing, and Android permission prompts
- Meta paused the feature on June 3, 2025, at 7:45 CEST
- Google initiated a Chrome 137 field trial to block localhost connections from web content
- Mozilla plans to address the issue in Firefox 139
- Yandex apps use a similar technique
Open Questions:
- How long has Meta used this tracking technique?
- How many users were affected?
- What data was collected and how was it used?
- Will Meta reactivate the feature after review?
- Are other major applications using similar techniques?
- When will browser mitigations reach all users?
- What is Yandex's response to the disclosure?
What to Watch Next
Browser release schedules will indicate when mitigations become widely available. Chrome 137's progression from field trial to stable release and Firefox 139's release date are key milestones.
Meta's public statements regarding the internal review will clarify whether the company considers the technique compliant with its privacy policies and applicable regulations.
Regulatory responses, particularly from European data protection authorities, may signal whether the technique raises legal concerns under GDPR or other privacy frameworks.
Security researchers may publish follow-up analyses examining other applications for similar localhost listening behavior.
Android platform updates could introduce system-level restrictions on localhost listening by third-party applications, though such changes would require careful consideration of legitimate use cases.
The Localmess research team indicated plans to present their findings at an academic venue, which would provide additional technical details and peer review of their methodology.
Sources
- The Register - "Meta pauses localhost tracking after researcher disclosure" (June 3, 2025) - https://www.theregister.com/2025/06/03/meta_tracking_localhost/
- Localmess Research Project - Technical Report - https://localmess.github.io/
- Meta for Developers - Meta Pixel Documentation - https://developers.facebook.com/docs/meta-pixel/