[throwaway290]

What they do then is create an app where location is necessary, make that app spin up a localhost server, then add js to facebook and every site with a like button to phone that localhost and basically deanon everyone.

[cnity]

How could this possibly work without port forwarding?

[mzajc]

2 months ago: https://news.ycombinator.com/item?id=44169115.

Of course Facebook's JS won't add itself to websites, so half of the blame goes to webmasters willingly sending malware to browsers.

[throwaway290]

It happens on the same device. No forwarding necessary. And it was documented to happen, the story was on HN