cross-posted from: https://piefed.social/post/897462

“Meta devised an ingenious system (“localhost tracking”) that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session.”

  • Septimaeus@infosec.pub · 12 upvotes · 2 days ago

    Really curious how Android sandboxing was so easily defeated. Were those ports left open for extensions or something? I need to read up on this exploit. It’s so brazen, but also shouldn’t be possible. 8 years of stolen data. Wild.

    • Septimaeus@infosec.pub · 7 upvotes · edited · 2 days ago

      Update: apparently it’s worse than I expected.

      Access to localhost is simply not restricted by the OS at all. Inter-app communication via localhost is unregulated, even within a browser runtime “sandbox” (not a true sandbox apparently).

      The only reason Brave wasn’t affected is that it required additional user permission for localhost access, so the tracking script halts in that browser to avoid detection.

      The reason this is worse is that it means not only can a browser tab “talk” to local apps through specific ports, it can use any port, can talk to other browser tabs, and apps can share data with each other without restriction. If I’m understanding the scope of this loophole, it’s a glaring vulnerability that’s been there from the beginning, and it’s unlikely Meta is the only company to exploit it.

      ETA: this is what I gathered from reading the paper. I still need to do my own testing to confirm. In the meantime if anyone knows more feel free to correct any of the above.
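The localhost channel the comments above describe, as an added example that is not part of the thread and not code from Meta or from the paper being discussed. Everything in it is constructed: a Python thread with a hypothetical `NativeApp` class stands in for an installed app that already knows the logged-in account, a plain HTTP client (`page_script_send`) stands in for script running in a browser tab, `port_is_open` is the kind of probe a script would use to find the listener, and the identifier and account values are made-up strings. What it shows is the property the second comment is pointing at: a listener bound to the loopback interface learns nothing about the caller except a loopback address and an ephemeral port, so any local process, a browser tab included, can hand it a web-side identifier that the app then joins to its own account state. A VPN, incognito mode or cleared cookies do not touch this path because the traffic never leaves the device.

```python
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen


class NativeApp:
    """Constructed stand-in for an installed app that already knows who is
    logged in (account_id) and listens on loopback for identifiers posted by
    web content. Hypothetical; not any real app's code."""

    def __init__(self, account_id):
        self.account_id = account_id
        self.linked = []          # records of (web identifier -> account) joins
        self._server = None

    def start(self):
        app = self

        class Handler(BaseHTTPRequestHandler):
            def do_POST(self):
                length = int(self.headers.get("Content-Length", "0"))
                body = json.loads(self.rfile.read(length) or b"{}")
                # All the listener can observe about the caller is its peer
                # address: loopback plus an ephemeral port. No process, app or
                # browser identity arrives with the connection, so the app
                # simply joins the posted identifier to its own account state.
                app.linked.append({
                    "web_id": body.get("web_id"),
                    "account": app.account_id,
                    "peer_host": self.client_address[0],
                })
                self.send_response(204)
                self.end_headers()

            def log_message(self, *args):      # keep the demo quiet
                pass

        # Port 0 lets the OS pick a free port; a real app would use fixed ones.
        self._server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
        threading.Thread(target=self._server.serve_forever, daemon=True).start()
        return self._server.server_address[1]

    def stop(self):
        self._server.shutdown()
        self._server.server_close()


def port_is_open(port, host="127.0.0.1", timeout=0.2):
    """Constructed stand-in for a page probing whether a local listener exists:
    an ordinary TCP connect attempt, the same check a script would run before
    deciding which port to post to."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def page_script_send(port, web_id):
    """Constructed stand-in for script in a browser tab posting the first-party
    identifier it holds to a loopback port. The identifier is made up."""
    req = Request(
        f"http://127.0.0.1:{port}/",
        data=json.dumps({"web_id": web_id}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urlopen(req, timeout=5) as resp:
        return resp.status


def demo():
    """Run the whole exchange locally and return what the 'app' recorded."""
    app = NativeApp("account-42")        # constructed account identity
    port = app.start()
    try:
        assert port_is_open(port)        # the tab can find the listener
        status = page_script_send(port, "web-id-constructed-1234")
        assert status == 204
    finally:
        app.stop()
    return app.linked


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Nothing in the listener can distinguish a browser tab from any other local process; the only gate that stopped this in Brave, per the comment above, was a browser-side permission prompt before script may connect to localhost at all, which is a check on the client side rather than anything the listener or the OS enforces.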