Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
Summary
Researchers have found that Facebook owner Meta and Russian search engine Yandex are exploiting web protocols to de-anonymise users.
Meta and Yandex embed trackers in millions of websites which covertly send unique identifiers to corresponding mobile apps, allowing the companies to tie user browsing history to their app activity.
This lets them bypass protections built into the Android operating system and the browsers that run on it, such as Android sandboxing, partitioning and storage partitioning.
Google is investigating the practice, which has been dubbed a “fundamental security violation”. Yandex began its exploitation in 2017 and Meta started in September 2021.
The companies can pass identifiers between browsers and Android apps for Facebook, Instagram and various Yandex apps, tying a user's vast browsing history to the account holder.