Daring Fireball By John Gruber

Meta and Yandex’s ‘Local Mess’ Exploit Seemingly Only Works on Android

Researchers have discovered a privacy exploit, dubbed "Local Mess," that allows Meta Pixel and Yandex Metrica to track Android users' web browsing habits, even in private browsing modes. The exploit takes advantage of the platform's permissive design, which allows apps to listen on local ports and link pseudonymous web identities with actual user identities. The researchers believe it may be technically feasible to target iOS users as well, but so far the abuse has only been observed on Android. Android's lack of controls on localhost communication and on background execution of mobile apps makes it vulnerable to such abuses. In contrast, iOS has stricter app store vetting and imposes more controls on localhost communication.

Meta Pixel and Yandex Metrica are analytics scripts designed to help advertisers measure the effectiveness of their campaigns, and they are estimated to be installed on 5.8 million and 3 million sites, respectively. Every site that includes these tracking scripts is complicit in the theft of hundreds of millions of Android users' web browsing privacy.

The European Commission has demanded that iOS allow third-party apps to run unfettered in the background, which could potentially open up iOS to similar privacy exploits. Apple has expressed concerns that Meta's requests for interoperability could compromise user privacy and security.
arstechnica.com