
Covert Web-to-App Tracking via Localhost on Android

https://localmess.github.io/
261•todsacerdoti•6mo ago

Comments

fsflover•6mo ago
Related: https://news.ycombinator.com/item?id=44169115
metadat•6mo ago
Thanks! Macro-expanded:

Meta and Yandex are de-anonymizing Android users' web browsing identifiers - https://news.ycombinator.com/item?id=44169115 (4 hours ago, 126 comments)

tomhow•6mo ago
Comments moved thither. Thanks!
matthberg•6mo ago
A comment I wrote in another HN thread [0] (though this one was the original):

Web apps talking to LAN resources is an attack vector which is surprisingly still left wide open by browsers these days. uBlock Origin has a filter list that prevents this called "Block Outsider Intrusion into LAN" under the "Privacy" filters [1], but it isn't enabled on a fresh install; it has to be opted into explicitly. It also has some built-in exemptions (visible in [1]) for domains like `figma.com` or `pcsupport.lenovo.com`.

There are some semi-legitimate uses, like Discord using it to check if the app is installed by scanning some high-number ports (6463-6472), but mainly it's used for fingerprinting by malicious actors, as shown in the article.

eBay, for example, uses port-scanning via a LexisNexis script for fingerprinting (they did in 2020 at least, unsure if they still do), allegedly for fraud prevention reasons [2].

I've contributed some to a cool Firefox extension called Port Authority [3][4] that's explicitly for blocking LAN-intruding web requests and that shows the portscan attempts it blocks. You can get practically the same results from just the uBlock Origin filter list, but I find it interesting to see blocked attempts at a more granular level too.

That said, both uBlock and Port Authority use WebExtensions' `webRequest` [5] API for filtering HTTP[S]/WS[S] requests. I'm unsure as to how the arcane WebRTC tricks mentioned specifically relate to requests exposed to this API; it's possible they might circumvent the reach of available WebExtensions blocking methods, which wouldn't be good.

0: https://news.ycombinator.com/item?id=44170126

1: https://github.com/uBlockOrigin/uAssets/blob/master/filters/...

2: https://nullsweep.com/why-is-this-website-port-scanning-me/

3: https://addons.mozilla.org/firefox/addon/port-authority

4: https://github.com/ACK-J/Port_Authority

5: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

JimDabell•6mo ago
(Also posted this in the other thread: https://news.ycombinator.com/item?id=44170351)

There is a specification for blocking this:

https://wicg.github.io/private-network-access/

It gained support from WebKit:

https://github.com/WebKit/standards-positions/issues/163

…and Mozilla:

https://github.com/mozilla/standards-positions/issues/143

…and it was trialled in Blink:

https://developer.chrome.com/blog/private-network-access-upd...

Unfortunately, it’s now on hold due to compatibility problems:

https://developer.chrome.com/blog/pna-on-hold
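
Added example, not from either commenter and not the code of uBlock Origin, Port Authority or any browser: a simplified sketch of the decision discussed in the two comments above, flagging a request when a page in a more public address space targets loopback or a private range. All function names, the loopback < private < public ordering and the sample requests are assumptions of this sketch; it handles only IPv4 literals, `::1` and `localhost` in HTTP(S)/WS(S) URLs.

```javascript
// Added example: simplified address-space check for HTTP(S)/WS(S) URLs only.
// Names (RANK, addressSpace, shouldBlock, auditRequests) are hypothetical.
const RANK = { loopback: 0, private: 1, public: 2 };

function ipv4Space(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  // 0.0.0.0/8 is treated as local here (assumption of this sketch).
  if (o[0] === 127 || o[0] === 0) return "loopback";
  if (o[0] === 10) return "private";
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return "private";
  if (o[0] === 192 && o[1] === 168) return "private";
  if (o[0] === 169 && o[1] === 254) return "private"; // link-local
  return "public";
}

function addressSpace(urlString) {
  // The URL parser canonicalises IPv4 spellings such as 2130706433 or 0x7f.1
  // to dotted form, so the range checks cannot be dodged by odd encodings.
  const host = new URL(urlString).hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  if (host === "[::1]") return "loopback";
  // Other names are not resolved here; a real blocker needs the resolved IP.
  return ipv4Space(host) ?? "public";
}

function shouldBlock(initiatorUrl, targetUrl) {
  // Block when the target is in a less public space than the requesting page.
  return RANK[addressSpace(targetUrl)] < RANK[addressSpace(initiatorUrl)];
}

function auditRequests(requests) {
  return requests.filter((r) => shouldBlock(r.initiator, r.url)).map((r) => r.url);
}

// Constructed sample requests (ports taken from the 6463-6472 range mentioned above).
const SAMPLE = [
  { initiator: "https://shop.example/", url: "http://127.0.0.1:6463/" },
  { initiator: "https://shop.example/", url: "ws://localhost:6464/" },
  { initiator: "https://shop.example/", url: "http://2130706433:6465/" },
  { initiator: "https://shop.example/", url: "http://192.168.1.1/" },
  { initiator: "https://shop.example/", url: "https://cdn.example/app.js" },
  { initiator: "http://192.168.1.10/", url: "http://192.168.1.1/" },
  { initiator: "http://localhost:3000/", url: "http://127.0.0.1:8080/" },
];
console.log(auditRequests(SAMPLE));
```

Requests between origins in the same address space (a local dev server calling another local port, a router page calling the router) pass, which is the compatibility case a blanket "no localhost" rule would break.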