Meta was secretly tracking browsing history even with VPN use: What’s going on?

Meta is once again under scrutiny after researchers uncovered a serious privacy breach involving Facebook and Instagram apps on Android devices. Even when users employed VPNs or incognito mode, the company was still able to track their web browsing history without consent, prompting outrage and renewed concerns about digital surveillance.

Apps exploited local ports to bypass Android privacy protections

The discovery was made by Günes Acar, a privacy expert at Radboud University, during a lecture on web tracking. Unexpected local port activity led to the revelation that Facebook and Instagram apps were silently listening on users’ local ports, collecting data from their web activity. When cross-checked with Narseo Vallina-Rodríguez from Imdea Networks, the findings confirmed that Meta was linking web sessions with identity cookies, effectively bypassing Android’s privacy safeguards.

Meta Pixel and identity cookies exposed users’ real activity

At the heart of this tracking system was Meta Pixel—a small piece of code embedded in websites that, when combined with an active Facebook or Instagram session, could tie anonymous browsing data to a real user profile. This allowed Meta to collect detailed logs including visited pages, search actions, and even online purchases, all routed directly to its servers.

Meta disables the feature after backlash

After the findings were made public, Meta confirmed that it disabled the tracking mechanism, which had been in place since September 2024. The vulnerability affected major Android browsers like Chrome, Firefox, DuckDuckGo, and Edge, pushing browser developers like Google and Mozilla to prepare security patches. Meta is reportedly in discussions with Google to clarify the enforcement of its app policies.