Meta and Yandex break security to save their business model

Big Tech abuses localhost to spy on users. This brazen innovation is sadly consistent behaviour.

Key findings
  • Meta and Yandex deployed abusive techniques breaking security principles to track users outside of their apps without users' consent and knowledge
  • This attack is the latest innovation in the surveillance advertising market; it follows a long history of abuses by the industry driving online advertising
  • Surveillance advertising continues to incentivise invasive data collection at the expense of people's privacy. 
Long Read

In June 2025, a team of researchers exposed how Meta and Yandex abused Android and browser-specific tools to track users outside of their application and collect associated data. The technique used to achieve this was truly innovative, and akin to malware behaviour. It exploited protocols to break the isolation between apps and browser, a fundamental security concept meant to protect users. This allowed these companies to tie the browsing history of individuals with their accounts on the company’s services, as long as their apps were running in the background.

While it’s astounding that Yandex, the big Russian Tech company that is often referred to as “Russia’s Google”, and Meta would resort to such tactics to track users, this discovery indicates that industry prioritises exploitation over protection. Our take is that it illustrates two truths about online advertising that should act as a wake up call for policy-makers, regulators and users:

  1. Major tech companies are so unconcerned about users’ privacy, and the risk of regulation, that they dare to implement malicious techniques to further extend their collection of users’ personal data
  2. The surveillance advertising paradigm is inherently incompatible with privacy and incentivises abusive practices.

Let’s dive into how this attack worked and these two truths.

The Localhost attack: exploiting security for profit

The so-called “localhost” attack relied on a chain of techniques that eventually enabled both companies to do something they were not supposed to be able to do: each company could share data collected by its tracking pixel on websites, visited through a browser, with its own apps installed on the same device. This technique, which Yandex has used since 2017 and Meta since September 2024, deliberately bypassed sandboxing, a security measure that prevents web browsers from exchanging information with apps locally installed on a user’s device. This was likely in breach of Google's Play Store policy on app behaviour.

Put simply, when a user visits a company's website that embeds a tracking pixel, some data is shared with the company including through a unique identifier. This pixel can be used to track the user across other websites. For instance, the researchers noted that over 5.8 million websites use the Facebook pixel. Normally, sandboxing limits how much the company can extrapolate from this data, and prevents it from linking website visits with other activities on the device, e.g. activities on an app. So the desired (and expected) behaviour is that data about browser activities on the company's website and, importantly, other websites where the company can track activities, is separated from the company's app connection, and all other such connections on the device.

The localhost technique allowed Meta and Yandex to share users’ browsing history with their apps. This effectively allowed Meta to link this data to users’ Facebook or Instagram accounts, and Yandex to link it to users of its Search, Maps and Yandex Go (taxi and food delivery) apps, enabling re-identification and breaking the pseudo-anonymisation of the data. In the case of Meta, while the sharing seemed to only happen with these two apps, nothing prevented the company from also sharing it with WhatsApp, a concerning thought given that it recently announced the arrival of ads on the messaging platform.

It’s worth noting that Meta offers some settings in its Privacy Center about off-Meta activity. Depending on those settings and your browser third-party cookies settings, if you’re logged into a Meta service in the browser while visiting other sites, more data might be shared with Meta allowing the company to link your profile to this activity. This could happen on a smartphone or computer. The issue in the case of the “localhost” attack is that users likely do not expect the things they do in one app (the browser) to be communicated with another (Facebook or Instagram).

This attack brings up two interesting points. First, it can be considered an attack because it maliciously and intentionally breaks security principles that seek to prevent one app from accessing data from another app. It is effectively a means to leak data by exploiting tools not meant for data sharing. Second, because of the nature of the attack, the data could have been intercepted and collected by any other app on the device. The research demonstrates this for Yandex, through a specially developed app that exploits the attack to capture data from the browser when visiting sites that embed Yandex Metrica, the company’s tracking pixel.
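The technique described above depends on one observable artefact: an app on the device keeping a socket open on the loopback interface so that scripts running in the browser can reach it. The following is an added example, not the researchers' tooling nor code from Meta or Yandex, of the kind of check a device owner or administrator can run to spot that artefact. It parses the listening-socket layout printed by `ss -ltnp` on Linux (the sample output, process names, ports and allowlist are constructed for illustration) and reports any loopback listener that is not owned by an expected process.

```python
"""Flag processes listening on the loopback interface (127.0.0.1 / ::1).

Added example for illustration only.  The parser is modelled on the
column layout of `ss -ltnp` on Linux; the sample output, the process
names, the ports and the allowlist below are all constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ltnp` output.  The two
# "com.example.*" entries stand in for third-party apps that opened a
# loopback port; they are invented names, not real packages.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=412,fd=7))
LISTEN 0      50     127.0.0.1:12580     0.0.0.0:*         users:(("com.example.socialapp",pid=9031,fd=22))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=701,fd=3))
LISTEN 0      10     [::1]:5353          [::]:*            users:(("com.example.mapsapp",pid=9077,fd=15))
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: int


# One LISTEN row: state, queues, local addr:port, peer addr:port, process.
_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]", "::1", "localhost"}

# Processes the device owner expects on loopback (assumption for the example).
DEFAULT_ALLOWLIST = frozenset({"cupsd", "sshd"})


def parse_listeners(text: str) -> list[Listener]:
    """Parse `ss -ltnp` style output into Listener records; skips headers."""
    listeners = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            listeners.append(
                Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"]))
            )
    return listeners


def loopback_listeners(listeners, allowlist=DEFAULT_ALLOWLIST) -> list[Listener]:
    """Return listeners bound to loopback whose process is not allowlisted."""
    return [
        l for l in listeners
        if l.address in LOOPBACK_ADDRESSES and l.process not in allowlist
    ]


if __name__ == "__main__":
    for l in loopback_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"loopback listener: {l.process} (pid {l.pid}) on {l.address}:{l.port}")
```

On a real host the output of `ss -ltnp` (run with enough privilege to see process names) would replace the constructed sample; the allowlist then needs to reflect what that device legitimately runs on loopback, and the `0.0.0.0` / `[::]` wildcard binds are deliberately left out because they are a different, broader exposure.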

Not sorry for tracking by design

With regard to the Localhost attack, Meta removed the code enabling it on the day the research was released, without offering an explanation or apology. They only engaged in discussion with Google (as this exploit was likely in breach of the Play Store terms of service) “to address a potential miscommunication regarding the application of their policies”, leaving the two biggest advertising companies to deal with the issue behind closed doors.

In the case of Meta, the sixth most valuable company in the world and one of the largest advertising companies, this attack is the latest in a long history of privacy violations. Back in 2018, we exposed how the company was leaking data from apps as soon as they were opened, prior to any consent, and in some cases including very sensitive information. The company has also been fined multiple times by regulators.

For Yandex, a 2023 leak of the company’s codebase revealed how intrusive its analytics and tracking products were, pulling together data from different services to create household profiles and predict users’ interests (a practice unfortunately too common among AdTech companies). The data collected went beyond what users would reasonably expect, including collection of nearby Wi-Fi access points, precise location and speed of travel, and the code showed attempts to consolidate this data under unique profiles associated with user accounts.

The larger (industry) picture

If anything, this new attack hints at how far tech companies are willing to go to track users: breaking security principles and innovating to do so. Yet this attitude also reflects a broader issue with how the online advertising ecosystem functions.

A 2024 staff report by the US Federal Trade Commission of social media services described how the industry is “at the forefront of building the infrastructure for mass commercial surveillance”, with some firms having “unique access to information about our likes and dislikes, our relationships, our religious faiths, our medical conditions, and every other facet of our behavior, at all times and across multiple devices”, and “they did so in ways consumers might not expect.”

And there’s a wide variety of exploitative tactics the industry can avail itself of when it comes to consent, including: dark patterns (notably in consent banners), domain cloaking (circumventing the blocking of third-party cookies), privacy-invasive defaults, and much more.

In our own research we found similar behaviours: in 2019 we looked at online tracking of users visiting 139 top mental health websites and found that over 75% of those websites contained third-party tracking for marketing purposes, many of which used Facebook’s (and Google's) tracking services.

With this picture in mind, it’s easy to see how Meta’s and Yandex’s behaviours are a reflection of the broader surveillance advertising ecosystem at large. In our experience, it betrays an attitude that drives them to always seek more data, no matter the cost or ethics.

But the internet doesn’t have to be this way. Advertising doesn’t have to be invasive to function. It is technically possible to run online advertising without an immense surveillance industry to feed it, for example with contextual advertising, where only contextual data is used to display ads, as opposed to monitoring your browsing history.

How to prevent racing to the bottom

If there is one thing this story should teach us, it is that the industry will try to get away with bad behaviours even when they compromise fundamental privacy and security safeguards. Companies will forever be tempted to outcompete each other by generating more data on us all. We believe that the only way to stop this madness is to ban surveillance advertising.

Clearly, fundamental technical safeguards are essential, as good practice alone is not enough. Safeguards like Apple’s Anti-Tracking Protection on its operating systems are a helpful and important step, though a similar safeguard is missing on Google’s Android. Meanwhile, Google recently killed its Privacy Sandbox initiative.

This is why it’s essential that strong legal protections exist too. We can’t wait for industry to take action that meaningfully hinders their money making machine. Stronger regulatory action against surveillance advertising is needed. 

Finally, this attack is also a stark reminder that Big Tech companies do not deserve our trust. At a time when these corporations are building and imposing AI tools that capture more personal data than ever, the willingness of Meta and Yandex to break security principles for the purpose of user tracking is a sign that privacy and security will always come second to profit. This should be a wake-up call for policy-makers and users. We encourage you to check our guides on the steps you can take to protect yourself from online tracking. We suggest we all continue moving away from these firms altogether and join the fediverse. After all, we deserve better than this continuous stream of transgressions.