Meta is under fire once again following a major privacy breach involving its Facebook and Instagram apps on Android devices. Researchers have uncovered that the company was able to track users’ web browsing history even when they used VPNs or incognito mode, sparking outrage and renewed concerns over digital surveillance.
Exploiting Local Ports to Bypass Privacy Protections
The alarming discovery was made by privacy expert Günes Acar from Radboud University during a lecture on web tracking. Acar noticed unexpected local port activity, which led to the revelation that Facebook and Instagram apps were silently listening to users’ local ports and gathering data from their web activity. Collaborating with Narseo Vallina-Rodríguez from IMDEA Networks, Acar confirmed that Meta was circumventing Android’s privacy protections by linking web sessions with identity cookies.
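The kind of local port activity described above can be checked for in a browser's exported network log. The following is an added example, not code from the researchers or from Meta: it scans a HAR export for requests that a public web page sent to a loopback address, assuming the activity is visible as page-initiated requests. The function names, sample hosts and ports are constructed for illustration.

```javascript
// Added example: flag requests from public pages to loopback hosts in a HAR export.
// Field names (log.entries, request.url, request.headers) follow the HAR 1.2 format.

function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "[::1]") return true;
  // The whole 127.0.0.0/8 block is loopback, not only 127.0.0.1.
  return /^127(\.\d{1,3}){3}$/.test(h);
}

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Returns one finding per request that a non-loopback page sent to a loopback host.
function findLoopbackRequests(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const target = parseUrl(entry.request.url);
    if (!target || !isLoopbackHost(target.hostname)) continue;
    // Referer or Origin tells us which page issued the request.
    const source = (entry.request.headers || [])
      .find((hd) => ["referer", "origin"].includes(hd.name.toLowerCase()));
    const page = source ? parseUrl(source.value) : null;
    // A local development page talking to its own loopback server is expected.
    if (page && isLoopbackHost(page.hostname)) continue;
    findings.push({
      page: page ? page.origin : "(unknown)",
      target: `${target.protocol}//${target.host}`,
      port: target.port || "(default)",
    });
  }
  return findings;
}

// Constructed sample HAR (not captured traffic); hosts and ports are made up.
const sampleHar = { log: { entries: [
  { request: { url: "https://cdn.example.com/app.js",
      headers: [{ name: "Referer", value: "https://shop.example.com/" }] } },
  { request: { url: "http://127.0.0.1:12345/collect?id=abc",
      headers: [{ name: "Referer", value: "https://shop.example.com/cart" }] } },
  { request: { url: "ws://localhost:23456/",
      headers: [{ name: "Origin", value: "https://news.example.org" }] } },
  { request: { url: "http://localhost:3000/api",
      headers: [{ name: "Referer", value: "http://localhost:3000/" }] } },
] } };

console.log(findLoopbackRequests(sampleHar));
```

Traffic that never passes through the browser's HTTP stack will not appear in a HAR export, so an empty result does not rule out other local channels.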
Meta Pixel and Identity Cookies Reveal Real User Activity
The core of the tracking system involved Meta Pixel, a small piece of code embedded in websites. When users were logged into Facebook or Instagram, Meta Pixel allowed the company to associate browsing data—such as visited pages, search queries, and even online purchases—with a real user profile. This meant that Meta could track detailed user activity, sending all the data directly to its servers.
Meta Disables Tracking Feature Amid Backlash
After the findings were made public, Meta responded by disabling the tracking feature, which had been active since September 2024. The breach affected major Android browsers such as Chrome, Firefox, DuckDuckGo, and Edge. In response, browser developers, including Google and Mozilla, have begun preparing security patches. Meta is also in talks with Google to address the enforcement of its app policies and ensure future compliance with privacy standards.
Ongoing Concerns Over Digital Privacy
The incident has reignited concerns over digital privacy and the growing issue of unchecked surveillance. Despite Meta’s attempt to disable the feature, the breach raises significant questions about the company’s data collection practices and the extent of its tracking capabilities.