Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

“Localhost tracking” explained. It could cost Meta 32 billion. - 1677

Zero Party Data - Posted 8 Months Ago
  • Meta is known for not taking the privacy of people seriously. It wants to track people and sell the data at all costs. This post is about a mechanism for tracking on Android that bypassed the sandbox restrictions to link what you do in the browser with your real identity even if you never logged into your account.
  • The Meta Pixel is a piece of code to measure the effectiveness of advertising. It is on many, many websites and helps track individual users. The Facebook app runs in the background once opened on Android. It opens a listener on a TCP or UDP port on the device. This is not that abnormal for an app to do.
  • The combination of the two above is what causes the issue. When you visit a website that has the Facebook pixel on Android, the pixel will attempt to connect to this port. In particular, it will send the _fbp cookie, which is limited to a particular session. Based upon this cookie, Facebook knows what website this was linked to. Once the cookie is sent to the user's app, Facebook now knows who was visiting the site!
  • What's crazy about this is that you could be on a VPN or in incognito mode and it can still track you. This has been coined localhost tracking. The captured data includes browsing history, products, registrations on websites and more. The author estimates that fines will be around 164 billion, which is an insane amount.
  • The localhost tracking is an interesting technique! It's sad that this was found in the wild though.
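
A defender can look for this pattern in captured browser traffic. The sketch below is an added example, not code from the original article or from Meta: it scans simplified HAR-like records for requests from a public page to a loopback address and reports which page cookies appear in them. The record shape, hostnames, ports and cookie value are constructed for illustration.

```javascript
// Added example: flag requests from a public web page to a loopback listener.
// Record shape is a simplified HAR-like object (assumption):
//   { page, url, body, cookies }  where cookies maps name -> value.

function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "[::1]") return true;
  // All of 127.0.0.0/8 is loopback, not only 127.0.0.1.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

function findLocalhostLeaks(records) {
  const findings = [];
  for (const rec of records) {
    let page, dest;
    try {
      page = new URL(rec.page);
      dest = new URL(rec.url);
    } catch {
      continue; // skip malformed entries instead of aborting the scan
    }
    // A page served from loopback talking to loopback is local development.
    if (isLoopbackHost(page.hostname) || !isLoopbackHost(dest.hostname)) continue;
    // Search decoded query values and the body for any page cookie value.
    const haystack = [...dest.searchParams.values(), rec.body || ""].join("\n");
    const leakedCookies = Object.entries(rec.cookies || {})
      .filter(([, value]) => value.length >= 8 && haystack.includes(value))
      .map(([name]) => name);
    findings.push({ page: page.origin, dest: dest.host, leakedCookies });
  }
  return findings;
}

// Constructed sample traffic; hosts, ports and the cookie value are made up.
const FBP = "fb.1.1700000000000.1234567890";
const SAMPLE_RECORDS = [
  { page: "https://shop.example/cart", url: `http://127.0.0.1:12345/c?id=${FBP}`,
    cookies: { _fbp: FBP, lang: "en" } },
  { page: "https://shop.example/cart", url: "https://cdn.example/app.js",
    cookies: { _fbp: FBP } },
  { page: "http://localhost:3000/", url: "http://localhost:3000/api", cookies: {} },
  { page: "https://news.example/", url: "ws://[::1]:23456/", body: "ping" },
  { page: "https://news.example/", url: "not a url" },
];

for (const f of findLocalhostLeaks(SAMPLE_RECORDS)) {
  console.log(`${f.page} -> ${f.dest} cookies in request: ${f.leakedCookies.join(",") || "none"}`);
}
```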