
Do we know how these apps were able to track browser activity? The only clues I see in the article are that it was on a per-website basis, and that it worked in incognito mode.

I'm especially curious if Google shares any of the blame. Was this a known issue and they assumed no one would actually exploit it, or a subtle bug that only just got caught? Either way it's a huge security vulnerability.




Using analytics scripts that website owners injected into the page. It's just that rather than uploading the collected data to facebook.com the script sent it to localhost:5678, and the Facebook app was listening on that port.


> Do we know how these apps were able to track browser activity? The only clues I see in the article are that it was on a per-website basis, and that it worked in incognito mode.

The app listens on localhost:xxyyzz when backgrounded. You open your browser and go to onesite.com and then differentsite.com; the ID you are known as on those two sites is transmitted by having the JS on each site that supports Facebook functionality / ads etc. for that site, and runs in your browser, make a request for an asset on your localhost with args <your ID on that website>. The app gets the args and sends them off to HQ. That ties your signed-in account on the app to your activity on all the websites that were using this. And to be clear, FB Pixel calls are tagged with the 'event' that you're doing, like "checkout", "just looking", "donate", etc. While I don't know for sure, I'd assume that the fact you're in Incognito Mode is just an aspect of the data report, I would say. Nothing would stop it.
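The channel both replies describe depends on an app holding a listening socket on the loopback interface. One way a defender can spot candidates for it, as an added example that is not part of the thread: parse `ss -ltnp` style output (the sample below is constructed, and the process names and the allowlist are assumptions) and flag every process bound only to localhost that is not an expected local service.

```python
# Flag processes listening only on loopback, from `ss -ltnp` style output.
# Such a listener is what a page script would talk to at localhost:<port>.
import re

LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$"
)
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')
LOOPBACK = {"127.0.0.1", "[::1]"}
# Loopback listeners expected on this host (assumed allowlist; adjust per device).
ALLOWLIST = {"cupsd"}

# Constructed sample output, not captured from a real device; process names are placeholders.
SAMPLE = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      127.0.0.1:5678       0.0.0.0:*          users:(("com.example.social",pid=1234,fd=12))
LISTEN  0       4096     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       128      [::1]:631            [::]:*             users:(("cupsd",pid=500,fd=7))
LISTEN  0       128      127.0.0.1:29009      0.0.0.0:*          users:(("com.example.sdk",pid=2222,fd=9))
"""


def loopback_listeners(ss_output):
    """Return (process, pid, port) for every listener bound only to a loopback address."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("addr") not in LOOPBACK:
            continue  # header line, or a socket bound to a non-loopback address
        p = PROC_RE.search(m.group("proc"))
        name, pid = (p.group("name"), int(p.group("pid"))) if p else ("?", -1)
        found.append((name, pid, int(m.group("port"))))
    return found


def suspicious(ss_output, allowlist=ALLOWLIST):
    """Loopback listeners not on the allowlist: candidates for a page-to-app side channel."""
    return [f for f in loopback_listeners(ss_output) if f[0] not in allowlist]


if __name__ == "__main__":
    for name, pid, port in suspicious(SAMPLE):
        print(f"review: {name} (pid {pid}) listens on localhost:{port}")
```

On Android the same output can be obtained with `adb shell ss -ltnp` on a debuggable device; a flagged port is worth correlating with outbound requests to it in the browser's developer tools.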



