Documents and testimony show that this “man-in-the-middle” approach—which relied on technology known as a server-side SSL bump performed on Facebook’s Onavo servers—was in fact implemented, at scale, between June 2016 and early 2019.
Facebook’s SSL bump technology was deployed against Snapchat starting in 2016, then against YouTube in 2017-2018, and eventually against Amazon in 2018.
The goal of Facebook’s SSL bump technology was the company’s acquisition, decryption, transfer, and use in competitive decision making of private, encrypted in-app analytics from the Snapchat, YouTube, and Amazon apps, which were supposed to be transmitted over a secure connection between those respective apps and secure servers (sc-analytics.appspot.com for Snapchat, s.youtube.com and youtubei.googleapis.com for YouTube, and *.amazon.com for Amazon).
This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ (and later, YouTube and Amazon users’) mobile devices, see PX 414 at 6, PX 26 (PALM-011683732) (“we install a root CA on the device and MITM all SSL traffic”), also included custom server-side code based on “squid” (an open-source web proxy) through which Facebook’s servers created fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis, see PX 26 at 3-4 (Sep. 12, 2018: “Today we are using the Onavo vpn-proxy stack to deploy squid with ssl bump the stack runs in edge on our own hosts (onavopp and onavolb) with a really old version of squid (3.1).”); see generally http://wiki.squid-cache.org/Features/SslBump
Malwarebytes article: https://www.malwarebytes.com/blog/news/2024/03/facebook-spie...
That is insane, and I would be inclined not to believe it if someone had told me this. This is such an immense breach of trust that even for me, who has a very low opinion of Meta, it is unexpected. I hope this will blow up as much as it should.
So this one time, I had a bug report at a client site. The business was largely made up of members of the _______ religion. Our images wouldn't load in the app, but did on the website. How odd, I thought, that doesn't make sense! Luckily I was able to be physically present, so I hopped down with laptop in tow, ssh'd into the server and started tailing logs...
Sure enough, all the API requests for data were coming through, but whenever a request for an image happened, nothing would hit the servers.
What the heck? I thought to myself.
I said to the client, "That can't be, that's almost impossible... the only way that's possible is if the SSL traffic is decrypted, inspected, and images blocked from being requested, which is a MITM attack."
He redirected me to his IT provider. I phoned them up, and explained the situation.
Them: "Ahh, so they're _____."
Me: "So what does that have to do with the price of fish?"
Them: "Content filtering... you need to talk to ____."
Sure as the day is long, the content filter was a VPN that all members of ____ had to have on their mobile devices (I don't know how widespread this is, whether it was just this business or the entire ____).
I applied to have our system approved, it was, and just like magic the next day photos started coming through.
I'm guessing it basically detected any .jpg/.mp4 etc. URLs in HTTPS requests, flagged them up and blocked them from being requested. You can be sure on those devices the VPN would have been somehow locked in with device management, and there's no way on God's green earth they were getting at Facebook/Insta etc.
So, it's not just meta. That really hammered home how seamless it can be to end users that they really can't trust what's actually happening on their devices.
Not that I'm a fan of it, but in corps it's pretty standard practice to have a custom root cert installed on all devices and enforce VPN connections on devices outside the network to be able to MITM all requests and do stuff like content filtering (e.g. NSFW, swearwords and obviously malware). It's the company's device and they give it to you for a work-specific purpose; you shouldn't use it for personal stuff. I don't think it compares to an app that shadily installs its own root cert on an end user's device to spy on them.
It's not corporate level, it was/is religious group level (of which this particular org, I'm guessing, largely employed staff from that religion). They are well known within our country to be quite insular.
It certainly seemed, for all intents and purposes, that if you were a member of the _____ group (wider than the company) you had the VPN on your device, and it was filtering content. I've found other reports in other countries of that happening with the same group.
So it's not corporate content filtering, it's personal content filtering and our app got caught up in it (and approved).
It certainly made my skin crawl for anyone in that religion. That means the central filtering service could be reading messages. Not sure if they're that sophisticated but certainly they didn't want people to see random images/videos.
This is one reason I think ECH is probably on net a bad idea. Content filtering is a legitimate use-case for lots of users/networks, and if traffic is completely opaque to all networks, you end up needing things like root level processes or full MITM or laws requiring ID for websites instead of more privacy-preserving inspection of basic metadata (like SNI) at the network level.
Is it, like, required by their religious leadership to install this? That is incredible, and I only now understand your comment to its full extent. That is brutal.
Yes, this exists. There's more than one company you can choose. It's not 'forced' but strongly recommended. Also, my love for hacking started with getting around it...
From the inference of the commenter, I think they were referring to an app on a mobile device and not the device itself.
It also sounds like their issue was at the ISP provider level, as well, which takes the business out of the loop of being the data controller/owner (of the collected data) at that point.
Note: I'm not saying that your comment doesn't have merit, I just don't think that the points that you made apply - specifically - in this case?
After re-reading the comment I think you're right. I had a hard time grokking it, it seems. But since the issue was apparently a VPN app installed on the phone, I don't know whether this was the ISP or maybe their IT service provider that did content filtering on behalf of the company (like an outsourced IT department?).
The VPN (much like Meta's) is doing some root cert trickery to filter content that is deemed inappropriate or potentially inappropriate. This appeared to be controlled by a Company A in another country that undoubtedly contracted to Y religion to be their central point of content filtering globally.
So, member of the church? You get this VPN on your phone (not sure whether the phone was supplied by the church, but certainly this VPN was on it). The VPN is effectively content filtering and blocking content.
I had our app whitelisted by that central company (literally raised a ticket with them, next day magically fixed).
Holy shit, they can brainwash their peers even better. Those are evil geniuses...
Sorry, I meant they optimize the content for their peers and shield them from harmful content for the better of humanity // irony
There are even ‘safe’ (filtered) ISPs aimed at religious communities.
I also hope that any ethically minded engineers inside Meta take a stand against this BS. The only way stuff like this happens is because engineers working on these projects decide that they can set aside whatever morals they may have had for the price of a big fat FAANG pay cheque. It's about time our profession adopted a code of ethics, like that of the ACM[1]. To the engineers who _have_ walked away despite the obvious pressures, I salute you.
1. https://www.acm.org/code-of-ethics
Wouldn’t Meta simply hire unlicensed “engineers”?
You simply legislate that if a company is building anything that will be used regularly by more than, e.g., a few thousand people, then the work must be designed and/or signed off by a licensed engineer, who will a) be subject to a code of ethics and b) be professionally liable for any failures causing loss or damage to the public.
We seem to be able to manage this with bridges, planes, electrical & hydro installations etc. No reason it shouldn't be the same for critical software infrastructure.
I mean, with a thing like a plane you can say "that's not allowed in our state/country"; with software that starts to get a whole lot more problematic. Soon you'll see people starting to push laws that say things like "because people are running dangerous software from outside the country, we demand that only signed software can run on our phones/computers and that devices here must enforce it", coming out of our politicians that seemingly get a pile of cash from groups like Microsoft and Meta.
Why do you think Meta's work is critical software infrastructure?
Ethically minded engineers don't go work for Facebook in the first place.
This was news... 5 years ago, I think; I don't know why it blew up again. But context matters:
Onavo provided a compression + VPN service for people traveling; they let users use little or no data while roaming, and still get internet access. I do not know what their original business plan was, but Facebook bought them for the ability to spy on users.
Their MITM was, in fact, the raison d'être of Onavo. And then, they were bought by Facebook. And then there was just some more analytics added. At no point, as I understand it, was it built explicitly for evil, and I suspect very few employees were in on the real reasons.
Plausible deniability works for many things.
You expect all people to have morals in the first place. That is an erroneous assumption.
Nah, I've met enough amoral people over the course of my career to know that's not the case. However, the overwhelming majority of people I've worked with are people who do have morals and do care about the outcomes they're creating, and that gives me great hope.
I was directly involved in this.
I am happy to answer any questions you have about questioning or ethics at the time. Assuming that people's reaction to this was wrong, while not knowing what that reaction was, or having less than 5% of the context, isn’t going to help much.
Short answer: No, there were strong arguments for it. I reached out for institutional support to answer some questions, groups that I expected to be a lot more supportive than the ACM, but I found the reaction seriously lacking. Your intuition that groups like the ACM should offer assistance is sensible but completely overlooks many problems: geopolitics, different types of security, and individual capacities, among others. Each institution has its priorities; those are not always compatible, and it’s unclear who should have precedence. The ACM won’t help you if the argument is the kind of compromise with the devil that spy agencies often make or if problematic tools are used in efforts to dismantle large criminal groups.
Why do you trust it? Do you think that others (Google, Microsoft, Apple) are not doing/would not do such a thing? SSL is as secure as its certificates.
Honestly, yes, I don't think Microsoft, Google and Apple would do something like this.
Imho, the correct way to evaluate potential corporate trust is on self-interest.
In Microsoft, Google, and Apple's cases, they all have substantial enterprise business that would shit a brick if they were caught doing this.
Ergo, it's not in their best interest to do it.
Safer to rely on a company's desire to make money than any sense of "good".
Here is what is going to happen:
1. Nobody will care in 10 days.
2. They will get a slap on the wrist at best.
Reminds me of Google driving around in StreetView cars, hacking and capturing all wifi traffic they could get their hands on. Did anything happen? Of course not!
https://www.theguardian.com/technology/2010/may/15/google-ad... https://www.wired.com/2012/05/google-wifi-fcc-investigation/
The Guardian says "open" networks, apart from the fact that in 2010 networks were not secured by default in many cases. I think WEP 1 was a thing and easily hacked, and I would not be surprised if they were actually wardriving, on the largest scale ever.
It's a criminal CFAA violation.
I'm somewhat surprised it's taken this long to come out. It was something of an open secret that Onavo was spying somehow on Snapchat traffic, within at least the infra/release org, back in the 2016 era.
Can someone explain how exactly they were able to decrypt the SSL traffic? Is it possible to install a root CA without huge warnings from the OS?
By using MITM, basically "pretending" you're the site the victim wants to connect to and transparently connecting to the actual upstream site. Basically decrypting the traffic locally for inspection before sending it back out. https://en.wikipedia.org/wiki/Man-in-the-middle_attack. You don't need a root CA, you just need to poison the DNS to point to the MITM server and just present any old valid cert for the domain so it doesn't trigger a self-signed warning or whatever.
How can you take any old valid cert though? I presume they have some sort of private key you don't have access to and it would still trigger an expired cert warning?
That's appalling, to say the least. But Snapchat has implemented certificate pinning since 2015. Does that mean either the analytics endpoint was not covered, or somehow the certificate pinning was circumvented in this case?
This sounds most likely