Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it’s investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.

      • Lv_InSaNe_vL@lemmy.world · 2 upvotes · 5 months ago

        Yeah it makes me laugh when people talk about “don’t use cookies” or “block ads” like companies didn’t switch to more advanced techniques (like hell, I saw a paper where they could fingerprint you just simply by how you interact with the webpage) 15 years ago.

        There is no way to use the modern web without getting fingerprinted.

        • ayyy@sh.itjust.works · 4 upvotes, 1 downvote · 5 months ago

          Well “block ads” is also shorthand for “block as many 3rd-party requests as possible while maintaining the desired content” which absolutely improves your privacy and prevents a lot of fingerprinting scripts from ever loading.

          • Lv_InSaNe_vL@lemmy.world · 3 upvotes · 5 months ago

            That’s the thing though, websites have gone away from “fingerprinting scripts” and have started fingerprinting you by what you serve, how and when you access it, and other things that they can all collect purely on the server side. The rest is just for advertising and data collection for improvements.

            • LainTrain@lemmy.dbzer0.com · 2 upvotes · 5 months ago

              All of this is far easier to subvert than tracking scripts (and cookies and port scans) which literally as evidenced by the article in the OP are not techniques that companies have “gone away” from at all, at least not by entirely replacing them.