HAPPENING!!!!
>We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.
https://localmess.github.io/
i wanna say this is old news by now. gwarser made rules to defeat this activity, there's port authority for firefox, chrome implemented block insecure private networks, etc. it is funny that facebook and yandex were still getting away with it i guess.
>>105566037 (OP) Do people still use facebook?
>>105566037 (OP) im too stoopid to understand what this means
Oh no, yandex-image-search-enjoyers bros...
I posted about this weeks ago and my thread was invaded by facebook shill bots trying to falseflag as anti-brave tinkertroons
Do people seriously run native apps?
The browser is right there.
>>105570907 They make websites intentionally work like shit on mobile browsers and then perma spam you with banners PLS USE OUR APP SAAR
Do people under 60 still use facebook?
>>105571229 reddit is the worst for this
>>105566037 (OP) what are they listening TO? Or do they just harvest everything?
This is not good. We need to make offtopic threads to slide this post into the archives.
>Using HTTP requests for web-to-native ID sharing (i.e. not WebRTC STUN or TURN) may expose users browsing history to third-parties. A malicious third-party Android application that also listens on the aforementioned ports can intercept the HTTP requests sent by the Yandex Metrica script and the first, now-unused, implementation of Meta’s communication channel by monitoring the Origin HTTP header.
>We developed a proof-of-concept app to demonstrate the feasibility of this browsing history harvesting by a malicious third-party app. We found that browsers such as Chrome, Firefox and Edge are susceptible to this form of browsing history leakage in both default and private browsing modes. Brave browser was unaffected by this issue due to their blocklist and the blocking of requests to the localhost; and DuckDuckGo was only minimally affected due to missing domains in their blocklist.
Bravejeet W
Does uBlock's Block Outsider Intruder into LAN prevent this?
>the Yandex Metrica script transmits data via HTTPS to local ports 29010 and 30103
how can it do HTTPS? to make a request, the browser must deem the certificate valid
do browsers just skip certificate verification for localhost?
>or the yandexmetrica[.]com domain, which resolves to 127.0.0.1.
I can't see this working over HTTPS though, unless they bundle the private keys for a real cert with their apps
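Added example, not part of the thread or of the linked disclosure: a sketch of the kind of check the quoted text credits to Brave (blocking page requests to localhost), extended to hostnames that resolve to loopback like the yandexmetrica[.]com case. The function names and the DNS table are constructed assumptions, not any browser's or extension's real code.

```javascript
// Added example: flag web-page requests aimed at the device's own loopback
// interface, the channel described in the thread (ports 29010 / 30103).

// Constructed DNS answers standing in for a real resolver (assumption).
const SAMPLE_DNS = {
  "yandexmetrica.com": ["127.0.0.1"], // per the thread: resolves to loopback
  "example.org": ["93.184.216.34"],   // constructed public address
};

// True for localhost names, 127.0.0.0/8, ::1 and IPv4-mapped loopback.
function isLoopbackHost(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // URL keeps [] on IPv6
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(h)) return true;
  if (h === "::1") return true;
  return /^::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}$/.test(h); // ::ffff:127.x.y.z
}

// Decide whether a request made by a page should be blocked.
// pageOrigin and requestUrl are absolute URLs; dns maps hostname -> addresses.
function classifyRequest(pageOrigin, requestUrl, dns = SAMPLE_DNS) {
  const page = new URL(pageOrigin);
  const req = new URL(requestUrl);
  const verdict = { blocked: false, reason: null, port: req.port };
  // A page served from loopback (local dev server) may talk to loopback.
  if (isLoopbackHost(page.hostname)) return verdict;
  if (isLoopbackHost(req.hostname)) {
    return { ...verdict, blocked: true, reason: "literal-loopback" };
  }
  // A public-looking name can still point at 127.0.0.1, so check answers too.
  const answers = dns[req.hostname] || [];
  if (answers.some(isLoopbackHost)) {
    return { ...verdict, blocked: true, reason: "resolves-to-loopback" };
  }
  return verdict;
}
```

A hostname-only blocklist misses the second case, which is why the check looks at resolved addresses as well as the literal host.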