How Facebook (Meta) Secretly Tracked You, Even in Private Mode
They used a localhost networking trick to bypass your browser's privacy settings and track what you were doing online. The moment researchers published their findings, Meta pulled the plug.
You know how companies say they care about your privacy? Well, that flew out the window when researchers uncovered a hidden tracking method used by Facebook (Meta) and Russia’s Yandex. They weren’t just using cookies or tracking pixels.
They were doing something a lot sneakier.
Steve Gibson of Gibson Research Corporation (GRC.com) did a deep dive into the researchers' report on a recent episode of the Security Now podcast.
The report, titled "Local Mess", was compiled by a research team from IMDEA Networks, Radboud University, and KU Leuven. Their investigation explains how the Facebook, Instagram, and Yandex apps secretly open listening ports on your device and use ordinary web technologies to pull tracking data, such as cookies, out of your browser without your knowledge.
You can jump to the deep dive in the episode here. But be warned: they get fairly technical.
Here’s What They Did
Apps like Facebook, Instagram, and Yandex Maps were quietly waiting in the background on your phone, listening on a network port bound to localhost (127.0.0.1), ready to receive messages. When you visit a website that uses their tracking code, like a Facebook ad or Like button, the JavaScript on that site sends the site's tracking cookie straight to the app on your phone over that local port. The request never leaves the device, so nothing on the network can see it.
This lets the app link your web activity to your Facebook account, even if you thought you were browsing privately.
That allowed them to bypass all the normal privacy protections: Incognito mode, clearing cookies, and even the tracking prevention built into your browser. Those protections govern what the browser stores and which third-party servers it talks to; none of them were designed to stop a page from talking to another app on your own phone.
They could link what you were doing in your browser to your identity in the app, even across different websites. This isn’t theoretical. It was silently working on millions of Android devices and potentially across other platforms.
According to Steve, “this method effectively allows these organizations to link mobile browsing sessions and web cookies to real-world user identities. This web-to-app ID sharing method bypasses all typical privacy protections such as clearing cookies, Incognito mode, and all of Android's permission controls.”
Why This Is So Dangerous
It’s not just Meta and Yandex who could use this trick. Once an app starts listening on a localhost port, any other app on your device with network access can bind to the same ports (for instance, when the original app isn't running) and receive the identifiers and page visits that the tracking scripts send.
Not only were you being tracked by design, but the whole setup also made it easier for malicious apps to piggyback on that channel and harvest your browsing history as well.
Even Private Browsing Wasn’t Safe
Researchers confirmed this worked in both regular and private/incognito modes in Chrome, Firefox, and Edge on Android. The only browsers that offered any protection were Brave, which does not let page scripts reach localhost without the user's consent and blocks the tracking scripts outright, and, to a lesser degree, DuckDuckGo.
This means you could clear cookies, use a VPN, go incognito, and still be tracked because of how these apps secretly talk to your browser through your own device.
Meta and Yandex Shut It Down, But Only After Getting Caught
The moment researchers published their findings, Meta pulled the plug on the JavaScript used for this tracking. That alone tells you they knew what they were doing was wrong.
“They got caught bypassing all user choice and anti-tracking browser enforcement and immediately turned [this hack] off,” said Steve.
But here's the thing: the apps (Facebook and Instagram) are still set up to listen for these connections. That part didn’t change.
So, while the tracking code isn’t active now, the infrastructure is still in place and could be reactivated or reused in a different way down the road.
Steve was also quick to point out that “Meta and Yandex are both abusing this deliberate and formally supported ability of web browsers, and there’s no obvious way any user can know this is going on, let alone prevent it.”
What Can You Do About It?
The only real fix right now is to uninstall these apps from your phone, or at least keep them off the device you browse with. That’s the only way to stop them from opening those local listening ports in the first place.
Browser vendors are starting to restrict what web pages can send to localhost, but that work is slow and complicated. And even if Meta and Yandex say they’ve stopped, it’s worth asking: if they did it once without telling us, why wouldn’t they do it again?
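Uninstalling is the blunt answer, but a practitioner's first question is "which apps on this phone are listening on localhost at all?" The script below is an added example written for this post; it is not code from the article, the Local Mess report, or the Security Now episode. It parses the kernel socket tables (`/proc/net/tcp`, `tcp6`, `udp`, `udp6`) and the `pm list packages -U` uid-to-package map, both of which `adb shell` can pull from a device (this assumes the device lets adb read `/proc/net`; newer Android releases restrict it, and you may need a rooted or debuggable build), and lists every TCP listener or bound UDP socket on a loopback or wildcard address together with the package that owns it. The socket rows, ports, uids and `com.example.*` package names in the sample data are constructed for the demo, not taken from the report.

```python
"""List the apps on an Android device that are listening on localhost.

Added example (not from the article, the Local Mess report or Security Now).
Input is the text adb can pull from a device:
    adb shell cat /proc/net/tcp /proc/net/tcp6 /proc/net/udp /proc/net/udp6
    adb shell pm list packages -U
Sample data at the bottom is constructed; ports, uids and packages are made up.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

TCP_LISTEN = "0A"      # 'st' column of a TCP socket in LISTEN
UDP_BOUND = "07"       # 'st' column of an unconnected (bound) UDP socket
FIRST_APP_UID = 10000  # Android gives installed apps uids >= 10000

_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{24})?:[0-9A-Fa-f]{4}$")
_PKG_RE = re.compile(r"^package:(\S+)\s+uid:(\d+)")


@dataclass(frozen=True)
class LocalListener:
    proto: str
    address: str
    port: int
    uid: int
    package: str

    @property
    def is_app(self) -> bool:
        return self.uid >= FIRST_APP_UID


def decode_proc_addr(field: str):
    """'0100007F:2710' -> (IPv4Address('127.0.0.1'), 10000).

    The kernel prints each 32-bit word of the address in host byte order
    (little-endian on Android devices), so every 4-byte word is reversed.
    """
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    ip = ipaddress.ip_address(b"".join(words))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip, int(port_hex, 16)


def parse_packages(pm_output: str) -> dict[int, str]:
    """uid -> package name, from `pm list packages -U`."""
    uids: dict[int, str] = {}
    for line in pm_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            uids[int(m.group(2))] = m.group(1)
    return uids


def local_listeners(proc_text: str, proto: str, uid_to_pkg: dict[int, str]) -> list[LocalListener]:
    """Sockets in one /proc/net table that a browser on the same device can reach.

    Header lines are skipped by shape (column 1 is not hex:hex), so several
    tables of the same protocol may be cat'ed together and passed as one text.
    """
    wanted_state = TCP_LISTEN if proto.startswith("tcp") else UDP_BOUND
    found: list[LocalListener] = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not _ADDR_RE.match(fields[1]):
            continue
        ip, port = decode_proc_addr(fields[1])
        state, uid = fields[3], int(fields[7])
        if state != wanted_state:
            continue
        # 0.0.0.0 and :: also answer on loopback, so a wildcard bind counts too
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        found.append(LocalListener(proto, str(ip), port, uid, uid_to_pkg.get(uid, f"uid:{uid}")))
    return sorted(found, key=lambda l: (l.proto, l.port))


def scan(tables: dict[str, str], pm_output: str) -> list[LocalListener]:
    """Run the check over several tables keyed 'tcp', 'tcp6', 'udp', 'udp6'."""
    uids = parse_packages(pm_output)
    result: list[LocalListener] = []
    for proto, text in tables.items():
        result.extend(local_listeners(text, proto, uids))
    return result


def app_listeners(tables: dict[str, str], pm_output: str) -> list[LocalListener]:
    """Only the listeners owned by installed apps (uid >= 10000)."""
    return [l for l in scan(tables, pm_output) if l.is_app]


# Constructed sample output. Row 2 in SAMPLE_TCP is an established connection
# and row 3 is a LAN-only listener (192.168.1.1:22); both must be ignored.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:01BB 01 00000000:00000000 00:00000000 00000000 10234        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0101A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:2712 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10235        0 12349 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 0100007F:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 12350 2 0000000000000000 0
  43: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1014        0 12351 2 0000000000000000 0
"""
SAMPLE_PM = """\
package:com.example.social uid:10234
package:com.example.maps uid:10235
package:com.example.keyboard uid:10236
"""

if __name__ == "__main__":
    for l in scan({"tcp": SAMPLE_TCP, "tcp6": SAMPLE_TCP6, "udp": SAMPLE_UDP}, SAMPLE_PM):
        print(f"{'APP   ' if l.is_app else 'system'} {l.proto:<4} {l.address}:{l.port:<5} uid={l.uid} {l.package}")
```

Against a real device, save each `adb shell cat` table to its own file and pass the texts to `scan` under the matching key (TCP and UDP tables cannot be merged, because their `st` codes differ). Any loopback or wildcard listener owned by a uid of 10000 or above belongs to an installed app, and that port is reachable by every page script in every browser on the phone that allows localhost requests, as well as by every other app. The question to ask of each entry is whether that app has any legitimate reason to run a local server. The same parser works on a desktop Linux host if you map uids through `/etc/passwd` instead of `pm`.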
Final Thoughts
This wasn’t a bug. It was deliberate and designed to get around your choices and your browser’s protections.
“This entire surreptitious surveillance system was specifically designed to explicitly and deliberately bypass not only all user expressible anti-tracking wishes, but also to circumvent all of the work the browser vendors have invested in,” said Steve.
Meta and Yandex wanted to link your anonymous browsing to your real identity, and they figured out a clever way to do it without your consent.
Now that it’s been exposed, it’s up to us to hold them accountable and rethink what apps we trust on our devices.