Meta’s Localhost Spyware: How WebRTC Was Abused—and How to Stay Safe

Written by Robert Strobl | July 11, 2025

In the middle of June 2025, a disconcerting disclosure shook the digital world and alarmed the wider public: Meta, via its Facebook and Instagram apps on Android, as well as several Yandex Android apps, had been secretly using WebRTC - a protocol primarily designed for real-time audio and video - to spy on users’ personal browsing habits and activities.

This disingenuous and invasive method leveraged localhost connections to circumvent privacy safeguards like incognito mode, VPNs, and cookie deletion. Popularly dubbed “Meta tracking” or “localhost tracking”, the scandal triggered widespread outrage, with unprecedented cumulative potential penalties under GDPR, DSA, and DMA reaching tens of billions of Euros.

In this article, we’ll explore what happened, how WebRTC enabled it, what secure alternatives look like, and why Digital Samba - although also built on WebRTC - cannot be misused in this way. We’ll conclude with practical tips to shield yourself from such intrusions.

Table of contents

  1. What exactly happened?
  2. Secure WebRTC: real-world solutions
  3. Digital Samba: a secure WebRTC example
  4. Protecting yourself from intrusions
  5. We’re stepping away from Meta

What exactly happened?

Researchers from IMDEA Networks, Radboud University, and KU Leuven uncovered that Meta’s Pixel JavaScript, embedded in millions of websites, covertly used WebRTC to transmit the browser’s _fbp cookie over localhost (127.0.0.1) UDP ports 12580–12585 to the Facebook and Instagram apps, which were silently listening on those ports in the background.

Once the apps received the cookie, they linked it to the user’s logged-in identity and sent the combined profile to Meta’s servers. This method bypassed incognito mode, cookie deletion, and VPNs, because the transfer never left the device: it crossed the loopback interface, touched no external network, and required no special permissions. Allegedly initiated in September 2024 and switched from STUN- to TURN-based WebRTC in May 2025, the practice continued until early June, when the Meta/Facebook Pixel script stopped sending any packets or requests to localhost. Yandex likewise discontinued this misuse, and the code that transmitted the _fbp cookie has largely been removed.
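To see what such a side channel looks like from the defender’s side, here is an added example (not code from the article or from Digital Samba) that audits an RTCPeerConnection configuration and SDP candidate lines for ICE targets on the loopback interface. It assumes the loopback target is visible either as a STUN/TURN server URL or as a candidate line; the port range comes from the article, while the function names and sample inputs are constructed.

```javascript
// Added example, not code from the article or from Digital Samba: flag WebRTC
// ICE targets that point at the loopback interface. The port range 12580-12585
// is taken from the article; function names and inputs are constructed.

const LOOPBACK_HOSTS = new Set(["localhost", "::1", "[::1]"]);
const SUSPECT_PORTS = { min: 12580, max: 12585 };

function isLoopback(host) {
  return LOOPBACK_HOSTS.has(host) || host.startsWith("127.");
}

function inSuspectRange(port) {
  return port !== null && port >= SUSPECT_PORTS.min && port <= SUSPECT_PORTS.max;
}

// Parse a STUN/TURN URL such as "turn:127.0.0.1:12580?transport=udp".
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::(\d+))?/.exec(String(url));
  return m ? { scheme: m[1], host: m[2], port: m[3] ? Number(m[3]) : null } : null;
}

// Audit the RTCConfiguration handed to new RTCPeerConnection(config):
// a STUN/TURN "server" on 127.0.0.1 is a loopback side channel, not a relay.
function auditIceServers(config) {
  const findings = [];
  for (const server of (config && config.iceServers) || []) {
    const urls = Array.isArray(server.urls) ? server.urls : [server.urls];
    for (const url of urls) {
      const p = parseIceUrl(url);
      if (p && isLoopback(p.host)) {
        findings.push({ url, severity: inSuspectRange(p.port) ? "high" : "medium" });
      }
    }
  }
  return findings;
}

// Audit "a=candidate:" lines from an SDP description (or bare candidate
// strings from onicecandidate) for candidates aimed at the loopback interface.
function auditSdpCandidates(sdp) {
  const findings = [];
  for (const line of String(sdp).split(/\r?\n/)) {
    const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/.exec(line.trim());
    if (!m) continue;
    const [, transport, host, port, typ] = m;
    if (isLoopback(host)) {
      findings.push({ transport: transport.toLowerCase(), host, port: Number(port), typ,
                      severity: inSuspectRange(Number(port)) ? "high" : "medium" });
    }
  }
  return findings;
}
```

A browser extension or a site’s own instrumentation can run these checks on every configuration and description it sees and log or refuse the connection; a loopback candidate on a port in the range above is the strongest signal, any other loopback target still deserves a look.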

Secure WebRTC: real-world solutions

The misuse of WebRTC by Meta has understandably raised alarm bells, but it’s crucial to recognise that WebRTC itself is not inherently insecure. When implemented responsibly, WebRTC remains a powerful and privacy-conscious technology for real-time communication in any use case. The problem lies not in the protocol, but in how it's deployed and monitored. Thankfully, there are platforms and developers who apply rigorous best practices to ensure that WebRTC connections are used ethically, transparently, and securely.

Applied properly, these measures ensure that peer-to-peer communication does not become a backdoor for surveillance or unauthorised data collection. By following the practices below, service providers and users alike can harness the benefits of WebRTC without compromising user trust or data security:

1. Strict origin policies

Only allow WebRTC connections from trusted, whitelisted domains. With this practice, service providers can eliminate the risk of rogue scripts from unknown sources that attempt to initiate hidden peer connections. By restricting the scope of accepted origins, applications can significantly reduce the attack surface and prevent injection of malicious signalling. This approach is especially important in embedded environments or multi-tenant platforms where cross-site access needs to be tightly controlled.

2. Sandboxing and firewalling localhost

Prevent any browser scripts from accessing local sockets unless authorised. Users can block 127.0.0.1 access by default. This will ensure that apps like Meta’s cannot receive data through hidden localhost channels. Secure configurations at both the browser and OS levels can restrict which ports are exposed to WebRTC components. Network policies, particularly in mobile operating systems, should disallow unsolicited localhost traffic between browser contexts and native apps.

3. Secure signalling servers

Service providers can use WebSockets or HTTPS for negotiation to avoid direct localhost couplings. This makes all connection handshakes visible to security tools and prevents arbitrary endpoints from being used as signalling proxies. End-to-end encryption can also be layered on top of signalling to ensure metadata cannot be intercepted or tampered with. Secure signalling additionally enables authentication, helping to confirm that all participants are legitimate and expected.

4. Comprehensive auditing

Regular code reviews and third-party assessments help catch misuse. Ongoing monitoring of WebRTC usage can help service providers detect abnormal behaviour patterns and enforce compliance with privacy standards. Internal security teams can develop automated tests to simulate edge cases, localhost abuse, and rogue peer injection. Third-party audits not only improve technical defences but also serve as proof of accountability and compliance for regulators and users alike.

Digital Samba: a secure WebRTC example

In light of the recent Meta tracking scandal, it’s important to understand why Digital Samba is fundamentally unaffected by such exploits—and why our WebRTC implementation remains secure by design. Unlike companies that rely on loose integrations or unpredictable browser behaviours, Digital Samba controls both ends of the communication chain: the browser code that initiates the session and the server infrastructure that handles signalling and media.

Most critically, the browser environment running Digital Samba’s embedded product contains no code that sends traffic to localhost. Likewise, we do not operate any app—on Android, iOS, or desktop—that listens to localhost ports. Because we own and control both the client-side code and server-side infrastructure, there is no way to misuse Digital Samba’s platform for localhost-based spying. The architecture simply does not allow it.

To put it plainly: Digital Samba’s WebRTC cannot be hijacked for tracking because we’ve never opened that door to begin with. Our platform offers secure, privacy-focused video communication—without compromise. You can read more about our WebRTC security and privacy architecture in this article: https://www.digitalsamba.com/blog/top-10-webrtc-issues-and-how-digital-samba-solves-them

Protecting yourself from intrusions

Even though Meta has paused its localhost tracking activity, similar techniques could be revived or imitated by other companies whose apps require you to create an account and log in. To safeguard your digital privacy, here are practical steps you can take right now to minimise your exposure to WebRTC-based surveillance:

Remove unused apps

Delete Facebook/Instagram if not in use - especially on mobile devices where WebRTC-based tracking is possible. Even if you’re not actively using them, these apps can still operate in the background and intercept local traffic without your knowledge.

Use privacy-focused browsers

Install browsers like Brave or DuckDuckGo on Android to block trackers by default. These browsers include built-in defences against known fingerprinting and localhost exploitation techniques.

Install ad/tracker blockers

Use tools like AdGuard or uBlock Origin to block Meta Pixel and similar trackers that follow your online behaviour. Ensure these blockers are updated regularly to catch new tracking domains and WebRTC abuse vectors.

Disable WebRTC if unnecessary

In settings, disable WebRTC or restrict it to regular signalling methods. Extensions like “WebRTC Network Limiter” or browser flags can help prevent IP leakage and stop rogue local connections.

Audit app permissions

Remove Internet access from unused or suspicious apps. You can use Android developer options or third-party permission managers to restrict socket-level access on a per-app basis.

Clear cookies and use VPNs

Although not fully protective, cookie clearing and VPN usage can help reduce traditional tracking vectors. Combining these tools with local DNS filtering can significantly minimise exposure to cross-site and WebRTC-based tracking.

Stay informed

Follow privacy news and updates on tracking techniques to adapt your defences. Subscribing to newsletters like PrivacyGuides or using platforms like GitHub to monitor WebRTC issues can keep you ahead of new threats.

We’re stepping away from Meta—because privacy is not optional

The recent Meta WebRTC scandal has shown just how easily technologies built for good can be twisted into tools of surveillance. By exploiting WebRTC to tunnel identifiers through localhost, Meta secretly linked users’ private browsing activity with their personal accounts, without consent, transparency, or accountability. While Meta and others have now halted this practice, the damage is done. This was not a bug; it was a decision. And it exposed a fundamental disregard for user privacy.

At Digital Samba, we don’t just reject this approach—we’re actively moving away from platforms that enable and normalise it. As a privacy-first company, we have decided to completely step away from Facebook, Instagram, and now also X (formerly Twitter). These platforms no longer reflect the standards we hold ourselves to. Their choices not only contradict our principles but actively undermine public trust in technologies like WebRTC—the very foundation of our product.

We refuse to be part of that problem.

Instead, we’re doubling down on what we believe in: secure, compliant, ethical real-time communication. Our WebRTC-based video conferencing software was built from the ground up to ensure user safety—without loopholes, tracking tricks, or hidden listeners. As demonstrated throughout this article, Digital Samba’s implementation protects both the user and their data, regardless of where it's embedded or who’s watching.

If you're looking for a secure WebRTC solution that respects your users and your reputation, we invite you to get in touch with our sales team for a personalised walkthrough of our product and security measures.

We also want to offer alternative ways to stay connected—on platforms that don’t monetise attention at the cost of integrity. You can find us on LinkedIn or YouTube.

Or, if you’d prefer to keep your inbox social-media-free, simply subscribe to our newsletter.
