Look, I went over the Snowden documents as a journalist, but I never saw anything that shocked me quite like this story of Meta buying a VPN company for "security" but then spying on users of competitive apps by decrypting the traffic.

This is a real SSL added and removed here :) moment.

Seriously, like wow: https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/

Court document: https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

@seriouslyjeff Wait a minute. How can a VPN intercept SSL traffic? Is this an OS “feature”?

@cgudrian well, my understanding is that when you install a VPN you also need to install a certificate bundle (but not always!).

For ethical companies, the VPN uses these certs as authentication, but it looks like Facebook took this hole to also install extra ones that took precedence over their competitors'.

This allowed them to decrypt everything. A user was either paid, or duped into signing up.

IT'S WILD! In my opinion this is straight teenager scammer shit. Does that help?

@seriouslyjeff That sounds like they've used the VPN software as a Trojan Horse to install an MITM proxy for SSL interception. If that's the case it's indeed abysmally evil.

@cgudrian my take as well! I mean lawyers will be lawyers, but this seems like it works, and the emails seem to say as much:

https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

@seriouslyjeff Page 3, right at the top: “we install a root CA on the device and MITM all SSL traffic”. Oh, and they later extended their "analytics" to YouTube and Amazon users. How nice!

@cgudrian RIGHT!?

@seriouslyjeff Here are some more details about this: https://techcrunch.com/2019/01/29/facebook-project-atlas/

I still wonder why I didn't hear about it back then.


@cgudrian @seriouslyjeff I was wondering if this was something new, because it definitely made its way through the Apple pundit ecosystem at the time.

I definitely recall @gruber (Daring Fireball, The Talk Show) talking about it. It probably got a mention on @atpfm as well.

@jeff The recently released court documents reveal the SSL interception via man-in-the-middle proxy. That was not yet known in 2019.

@jeff @cgudrian @seriouslyjeff @gruber @atpfm yeah, Facebook and Google both got caught using enterprise certs for this. I was at Google at the time and remember the shitstorm https://www.theverge.com/2019/1/31/18205795/apple-google-blocked-internal-ios-apps-developer-certificate