"UPDATE: As of June 3rd 7:45 CEST, Meta/Facebook Pixel script is no longer sending any packets or requests to localhost. The code responsible for sending the _fbp cookie has been almost completely removed."
I'm surprised they're allowed to listen on UDP ports, IIRC this requires special permissions?
> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.
Borders on criminal behavior.
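A defender-side check for the behaviour quoted above (an added example, not code from the thread or from the researchers who reported it): it parses a `/proc/net/udp` table, which on a connected Android device can be read with `adb shell cat /proc/net/udp` (assumed readable by the shell user on your build), and flags any socket bound in the quoted 12580–12585 range so its inode can be traced back to the listening app. The table in the block is a constructed sample standing in for live output.

```python
"""Find local UDP sockets bound to the 12580-12585 range the quoted Pixel
finding names. Added example; the sample table below is constructed."""
import subprocess

PORT_RANGE = range(12580, 12586)   # 12580..12585 = 0x3124..0x3129, from the quoted finding

# Constructed /proc/net/udp sample: one unrelated mDNS socket (port 5353 = 0x14E9)
# and one socket bound to 0.0.0.0:12582 (0x3126) owned by app uid 10234, inode 98765.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 12345 2 0000000000000000 0
   1: 00000000:3126 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 98765 2 0000000000000000 0
"""

def parse_proc_net_udp(text):
    """Return (local_ip, local_port, uid, inode) for each row of a /proc/net/udp table."""
    rows = []
    for line in text.splitlines()[1:]:           # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip_hex, port_hex = f[1].split(":")
        # IPv4 address is little-endian hex in /proc/net/udp; the port is big-endian hex
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return rows

def find_pixel_channel_listeners(text, ports=PORT_RANGE):
    """Rows whose local port falls in the watched range (any bind address counts,
    since 0.0.0.0 also accepts localhost traffic)."""
    return [r for r in parse_proc_net_udp(text) if r[1] in ports]

def scan_device():
    """Read the live table over adb (assumed installed and authorised) and report hits.
    Map a hit's inode to a process with: adb shell ls -l /proc/*/fd | grep socket:[<inode>]"""
    out = subprocess.run(["adb", "shell", "cat", "/proc/net/udp"],
                         capture_output=True, text=True, check=True).stdout
    return find_pixel_channel_listeners(out)

if __name__ == "__main__":
    for ip, port, uid, inode in find_pixel_channel_listeners(SAMPLE_TABLE):
        print(f"UDP listener on {ip}:{port} (uid {uid}, socket inode {inode})")
```

Replace `SAMPLE_TABLE` with `scan_device()` to run against a real device; an app uid of 10000 or above identifies a third-party app rather than a system service.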
Apparently this was a European team of researchers, which would mean that Meta very likely breached the GDPR and ePrivacy Directive. Let's hope this gets very expensive for Meta.
Hopefully not too late to make it into the lawsuit. Assholes.
I sure hope there's a lawsuit. Over the last ten years, I've gotten over $2,000 in lawsuit settlement checks from Meta, alone.
I have a savings account at one of my banks that I use just for these settlement checks. Sometimes they're just $5. Sometimes they're a lot more. I think the most I ever got was around $500.
It's a little bit here, and a little bit there, but at the rate it's going, in another five years, I'll be able to buy a car with privacy violation money.
As someone who works for a similar large org, it's just as likely that some low level programmer put it in without much thought, and then this got surfaced to higher up people who didn't know about it and told them to remove it immediately.
It seems incredibly unlikely a low level programmer could come up with this method then get the necessary code into both the tracking pixel served to third party sites and Meta's android apps without some higher ups knowing about it.
Zuckerberg personally signed off on torrenting books for Llama. It would be a particularly dim group of “low level” programmers who did this without trying to first secure some upper level approvals to share the blame once caught.
> The Meta (Facebook) Pixel JavaScript, when loaded in an Android mobile web browser, transmits the first-party _fbp cookie using WebRTC to UDP ports 12580–12585 to any app on the device that is listening on those ports.
And people on HN dismiss those who choose to browse with Javascript disabled.
There's a reason that the Javascript toggle is listed under the Security tab on Safari.
These companies have demonstrated repeatedly that fines are just the cost of doing business. Doesn't matter if you charge them $1 million or $1 billion. They have still made significantly more than that from the crime.