Covert Web-to-App Tracking via Localhost on Android

https://localmess.github.io/

261•todsacerdoti•8mo ago

Comments

fsflover•8mo ago

metadat•8mo ago

Thanks! Macro-expanded:

Meta and Yandex are de-anonymizing Android users' web browsing identifiers - https://news.ycombinator.com/item?id=44169115 (4 hours ago, 126 comments)

tomhow•8mo ago

Comments moved thither. Thanks!

matthberg•8mo ago

A comment I wrote in another HN thread [0] (though this one was the original):

Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install, it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.

There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors like shown in the article.

Ebay for example uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].

I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN intruding web requests that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.

That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane webRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.

0: https://news.ycombinator.com/item?id=44170126

1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...

2: https://nullsweep.com/why-is-this-website-port-scanning-me/

3: https://addons.mozilla.org/firefox/addon/port-authority

4: https://github.com/ACK-J/Port_Authority

5: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

JimDabell•8mo ago

(Also posted this in the other thread: https://news.ycombinator.com/item?id=44170351)

There is a specification for blocking this:

https://wicg.github.io/private-network-access/

It gained support from WebKit:

https://github.com/WebKit/standards-positions/issues/163

…and Mozilla:

https://github.com/mozilla/standards-positions/issues/143

…and it was trialled in Blink:

https://developer.chrome.com/blog/private-network-access-upd...

Unfortunately, it’s now on hold due to compatibility problems:

https://developer.chrome.com/blog/pna-on-hold

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

NASA now allowing astronauts to bring their smartphones on space missions

Claude Code Is the Inflection Point

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

AI Agent Automates Google Stock Analysis from Financial Reports

Voxtral Realtime 4B Pure C Implementation

I Was Trapped in Chinese Mafia Crypto Slavery [video]

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

Show HN: I built a free UCP checker – see if AI agents can find your store

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

Study of 150 developers shows AI generated code no harder to maintain long term

Spotify now requires premium accounts for developer mode API access

When Albert Einstein Moved to Princeton

Agents.md as a Dark Signal

System time, clocks, and their syncing in macOS

McCLIM and 7GUIs – Part 1: The Counter

So whats the next word, then? Almost-no-math intro to transformer models