TY - GEN
T1 - PIIxel Leaks
T2 - 32nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2025
AU - Bekos, Paschalis
AU - Papadopoulos, Panagiotis
AU - Kourtellis, Nicolas
AU - Polychronakis, Michalis
N1 - Publisher Copyright:
© 2025 Copyright held by the owner/author(s).
PY - 2025/11/22
Y1 - 2025/11/22
N2 - Web pixels are one of the predominant techniques for tracking conversions and user behavior on the Web. The integration of Meta Pixel (the most widely used tracking pixel) into a website enables Meta to collect sensitive information about the website's visitors and match it with their Facebook or Instagram profiles. In addition to detailed navigation history, Meta Pixel also collects personally identifiable information (PII) entered by visitors in online forms present on the website, such as emails and phone numbers. In this paper, we present a scalable and comprehensive approach for measuring PII leakage through Meta Pixel by passively inspecting its core components, without the need to interact with the dynamic elements of a website. This is possible by statically identifying and analyzing the configuration profile of a Meta Pixel instance and extracting the information it is set up to collect. By developing a hybrid crawling approach (static and headless), we analyzed the top-1M most popular websites and found that 12.2% of them leak at least one instance of PII to Meta. We also found that in addition to email addresses and phone numbers, Meta Pixel also tracks PII such as age, gender, and geographical information, which can be used to not only reveal the identity of a user, but also their demographic characteristics. Finally, we assess the ability of Meta Pixel to track the browsing journey of a user by recording the sequence of full URLs visited across sub-pages.
AB - Web pixels are one of the predominant techniques for tracking conversions and user behavior on the Web. The integration of Meta Pixel (the most widely used tracking pixel) into a website enables Meta to collect sensitive information about the website's visitors and match it with their Facebook or Instagram profiles. In addition to detailed navigation history, Meta Pixel also collects personally identifiable information (PII) entered by visitors in online forms present on the website, such as emails and phone numbers. In this paper, we present a scalable and comprehensive approach for measuring PII leakage through Meta Pixel by passively inspecting its core components, without the need to interact with the dynamic elements of a website. This is possible by statically identifying and analyzing the configuration profile of a Meta Pixel instance and extracting the information it is set up to collect. By developing a hybrid crawling approach (static and headless), we analyzed the top-1M most popular websites and found that 12.2% of them leak at least one instance of PII to Meta. We also found that in addition to email addresses and phone numbers, Meta Pixel also tracks PII such as age, gender, and geographical information, which can be used to not only reveal the identity of a user, but also their demographic characteristics. Finally, we assess the ability of Meta Pixel to track the browsing journey of a user by recording the sequence of full URLs visited across sub-pages.
KW - Meta Pixel
KW - Online advertising
KW - online tracking
KW - personally identifiable information
KW - web privacy
UR - https://www.scopus.com/pages/publications/105023821627
U2 - 10.1145/3719027.3765113
DO - 10.1145/3719027.3765113
M3 - Conference contribution
AN - SCOPUS:105023821627
T3 - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
SP - 4229
EP - 4243
BT - CCS 2025 - Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
Y2 - 13 October 2025 through 17 October 2025
ER -