- cross-posted to:
- privacy@lemmy.ml
cross-posted from: https://piefed.social/post/897462
“Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.”
I’m so glad I’ve never installed any of meta’s apps and never used any of their services and never will.
I bet they’re doing this with WhatsApp too. The “privacy” focussed messenger service. I just wish there was a way to get everyone I know to stop living in it like a fish in water.
You won't like the rest I have to tell you. The problem isn't WhatsApp. It's the system. It needs to go.
It's an exploit in Android, yes. But it's Meta who found it and instead of responsibly reporting it they took advantage. A parasitic move from a company that shouldn't exist.
No, sorry. Not the operating system. At least not that of the phone. The other system.
Really curious how Android sandboxing was so easily defeated. Were those ports left open for extensions or something? I need to read up on this exploit. It’s so brazen, but also shouldn’t be possible. 8 years of stolen data. Wild.
Update: apparently it’s worse than I expected.
Access to localhost is simply not restricted by the OS at all. Inter-app communication via localhost is unregulated, even within a browser runtime “sandbox” (not a true sandbox apparently).
The only reason Brave wasn’t affected is that it required additional user permission for localhost access, so the tracking script halts in that browser to avoid detection.
The reason this is worse is that it means not only can a browser tab “talk” to local apps through specific ports, it can use any port, can talk to other browser tabs, and apps can share data with each other without restriction. If I’m understanding the scope of this loophole, it’s a glaring vulnerability that’s been there from the beginning, and it’s unlikely Meta is the only company to exploit it.
ETA: this is what I gathered from reading the paper. I still need to do my own testing to confirm. In the meantime if anyone knows more feel free to correct any of the above.
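One check a defender can run against the loophole described in the comment above, as an added example that is not code from the post or from the paper it discusses: parse `/proc/net/tcp` and `/proc/net/tcp6` from an Android device (e.g. `adb shell cat /proc/net/tcp`) and list sockets in LISTEN state bound to loopback or to all interfaces, flagging those owned by installed apps. The sample `/proc` lines are constructed, and the rule that app UIDs start at 10000 is the Android convention assumed here.

```python
"""Audit loopback (localhost) TCP listeners from /proc/net/tcp{,6} text."""
import socket
import struct

LISTEN = "0A"                   # kernel's hex code for the TCP LISTEN state
ANDROID_APP_UID_START = 10000   # assumed: first UID handed to installed apps
LOCAL_REACHABLE = ("127.0.0.1", "::1", "0.0.0.0", "::")  # localhost can connect

# Constructed sample lines in /proc/net/tcp format (not real device output).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 40001 1 0 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0 100 0 0 10 0
   2: 0100007F:3039 0100007F:C350 01 00000000:00000000 00:00000000 00000000 10234        0 40003 1 0 100 0 0 10 0
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:303A 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10456        0 40004 1 0 100 0 0 10 0
"""

def decode_addr(hex_addr):
    """Turn the kernel's hex 'ADDR:PORT' field into (ip_string, port)."""
    addr_hex, port_hex = hex_addr.split(":")
    raw = bytes.fromhex(addr_hex)
    if len(raw) == 4:
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])  # one little-endian word
    else:
        words = struct.unpack("<4I", raw)                # four little-endian words
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))
    return ip, int(port_hex, 16)

def loopback_listeners(proc_text):
    """Return (ip, port, uid) for LISTEN sockets reachable from localhost."""
    found = []
    for line in proc_text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        if ip in LOCAL_REACHABLE:
            found.append((ip, port, int(fields[7])))   # column 7 is the owning UID
    return found

def app_listeners(proc_texts):
    """Keep only listeners owned by installed apps, sorted by port."""
    hits = [h for t in proc_texts for h in loopback_listeners(t)
            if h[2] >= ANDROID_APP_UID_START]
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    for ip, port, uid in app_listeners([SAMPLE_TCP, SAMPLE_TCP6]):
        print(f"app uid {uid} is listening on {ip}:{port}")
```

Any app-owned entry is a port that a page's script could reach with a plain request to localhost, so each one deserves an explanation from the app that owns it.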
Isn’t that their revenue for a quarter? If so this is nothing…
Cost of doing business
Exactly. It’s good news though and the explanation some people might wanna hear. :)