Use of Facebook UDP Priming Revealed in Unencrypted UDP Connection to port 33000

Early this year we observed suspicious UDP connections to port 33000 in a mobile device. This traffic contained a Facebook URL that included a Facebook Graph token, and it was sent unencrypted over the network. In this blog post we show details of this traffic, what information is leaked, and who is affected. We have reported this behavior to Facebook, who confirmed this traffic is part of Facebook’s normal behavior.