Look, I went over the Snowden documents as a journalist, but I never saw anything that shocked me quite like this story of Meta buying a VPN company for "security" but then spying on users of competitive apps by decrypting the traffic.

This is a real "SSL added and removed here :)" moment.

Seriously, like wow: https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/

Court document: https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

Facebook snooped on users' Snapchat traffic in secret project, documents reveal | TechCrunch

A secret program called "Project Ghostbusters" saw Facebook devise a way to intercept and decrypt the encrypted network traffic of Snapchat users to study their behavior.


also, can I say that it's completely nuts that, according to the complaint, 41 (forty one!) lawyers looked at this and were like:

"seems cool"

MY DUDES THE WIRETAP ACT IS RIGHT THERE.

https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

@seriouslyjeff Attorneys are the bane of human existence.
@seriouslyjeff holy wow, a class action is letting them off easy. People should go to jail for this
@sophieschmieg @seriouslyjeff they are paying minors to subvert their security. I remember thinking at the time someone should pay for this and five years later I guess I’m still somehow surprised no one has.
@seriouslyjeff the current reporting is a little misleading. The thing being discussed is not the VPN app, it's a "Facebook Research App" that used code from the VPN. It was definitely opt-in and told users that it was going to snoop on them, though it's not clear how much users understood what exactly it snooped. There are a bunch of articles about it from 2019, when it was shut down.
@gray17 might be worth looking at the wiretap act: https://www.law.cornell.edu/uscode/text/18/2511
18 U.S. Code § 2511 - Interception and disclosure of wire, oral, or electronic communications prohibited

@seriouslyjeff sure. Facebook's argument at the time was that what they were doing was not materially different from the surveillance that companies do to their own employees. Apple disagreed, others disagreed, and that's why the program was stopped
@seriouslyjeff Do you know was this a global practice, or only for users in specific jurisdictions? (Asking from the EU..)

This is twice in a week that I've been shocked more than the Snowden docs:

https://www.972mag.com/lavender-ai-israeli-army-gaza/

This is contact chaining from then, but with loosey-goosey statistics and a program called “Where’s Daddy?” (more horrible than you can imagine).

All this was horrifying a decade ago and it has gotten worse.

‘Lavender’: The AI machine directing Israel’s bombing spree in Gaza

The Israeli army has marked tens of thousands of Gazans as suspects for assassination, using an AI targeting system with little human oversight and a permissive policy for casualties, +972 and Local Call reveal.

@seriouslyjeff guh I really hope cloudflare isn't doing this shit
@grumpasaurus me too. But if I'm reading it correctly this requires a “kit” that has access to add a fake cert into the app and then the trust store. For like “advertising” reasons.
@seriouslyjeff @grumpasaurus that's my reading also; it was only possible where users installed the Onavo app on their device. That app added a cert to the local store to make the Snapchat and other apps trust a cert under its control, which is the critical step: if you try TLS interception without doing that, the target would either fail to connect or give the users all sorts of warnings that their connection was untrustworthy.
@seriouslyjeff @grumpasaurus many organizations terminate their SSL at cloudflare. So cloudflare sees a lot of cleartext traffic without the need to install / have users trust fake certs.
@butternut @seriouslyjeff yeah it's how their WAF and other goodies work

@seriouslyjeff @grumpasaurus in the case of Cloudflare it could be simpler.

They serve a whopping amount of Internet traffic, and their WAF is basically a (consent based) MITM proxy.

I am not accusing anyone and I use Cloudflare myself for one of my websites. I am just saying that _technically_ they could snoop all traffic for websites of their customers using the WAF.

@lazza @seriouslyjeff @grumpasaurus I’m getting flashbacks of back when PHP forum software was all the rage but then people found out that the server admin could read everyone’s private messages! 🙈
@realsshrestha @seriouslyjeff @grumpasaurus now people are getting the same "surprise" with random Mastodon instances. 🙂 Some things never change.
@seriouslyjeff but Jeff, they have TWO chief privacy officers, so surely user privacy is a top priority. 🫠
@Wednesday and 41 lawyers! The wiretap act! It's a thing! WOWOW!
@Wednesday @seriouslyjeff maybe they’re pulling in opposite directions and cancelling each other out!
@seriouslyjeff Wait a minute. How can a VPN intercept SSL traffic? Is this an OS “feature”?

@cgudrian well, my understanding is that when you install a VPN you also need to install a certificate bundle (but not always!).

For ethical companies, the VPN uses these certs as authentication, but it looks like Facebook took this hole to also install extra ones that took precedence over their competitors'.

This allowed them to decrypt everything. A user was either paid, or duped into signing up.

IT'S WILD! In my opinion this is straight teenager scammer shit. Does that help?

@seriouslyjeff That sounds like they've used the VPN software as a Trojan Horse to install an MITM proxy for SSL interception. If that's the case it's indeed abysmally evil.

@cgudrian my take as well! I mean lawyers will be lawyers, but this seems like it works, and the emails seem to say as much:

https://storage.courtlistener.com/recap/gov.uscourts.cand.369872/gov.uscourts.cand.369872.735.0.pdf

@seriouslyjeff Page 3, right at the top: “we install a root CA on the device and MITM all SSL traffic”. Oh, and they later extended their "analytics" to YouTube and Amazon users. How nice!
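As an added example (not code from this thread, from Facebook, or from the court filing), the following Go program reproduces offline what the posts above describe with constructed keys: a certificate for a competitor's hostname issued by an interceptor's own root is rejected as long as the device trusts only the genuine CA, becomes fully valid the moment that root is added to the trust store, and is still caught by a client that pins the expected public key. The CA names and the hostname api.snap.example are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed root certificate (constructed for this example).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the given CA issue a server certificate for host.
// Any CA can mint a certificate for any name; what matters is who trusts the CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainVerifies is the check every TLS client performs: does leaf chain to a trusted root for host?
func chainVerifies(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by
// HPKP and Android's network security config. Pinning ignores the trust store entirely.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Outcome records what a client would conclude at each stage of the scenario.
type Outcome struct {
	GenuineTrusted           bool // genuine cert, pristine trust store
	RogueTrustedBySystem     bool // interceptor cert, pristine trust store
	RogueTrustedAfterInstall bool // interceptor cert after its root was added
	RoguePassesPin           bool // interceptor cert against a pinned public key
}

// RunScenario walks through a pristine device, a device with an added root, and a pinning client.
func RunScenario() (Outcome, error) {
	var out Outcome
	const host = "api.snap.example" // constructed hostname
	genuineCA, genuineKey, err := newCA("Genuine Public CA (constructed)", 1)
	if err != nil {
		return out, err
	}
	rogueCA, rogueKey, err := newCA("Interceptor Root (constructed)", 2)
	if err != nil {
		return out, err
	}
	genuineLeaf, err := issueLeaf(genuineCA, genuineKey, host, 10)
	if err != nil {
		return out, err
	}
	rogueLeaf, err := issueLeaf(rogueCA, rogueKey, host, 11)
	if err != nil {
		return out, err
	}
	// Stage 1: the device's trust store holds only the genuine root.
	store := x509.NewCertPool()
	store.AddCert(genuineCA)
	out.GenuineTrusted = chainVerifies(genuineLeaf, host, store)
	out.RogueTrustedBySystem = chainVerifies(rogueLeaf, host, store)
	// Stage 2: the installed "kit" adds its own root. Nothing about the rogue cert changed.
	store.AddCert(rogueCA)
	out.RogueTrustedAfterInstall = chainVerifies(rogueLeaf, host, store)
	// Stage 3: a client that pins the genuine server key rejects the interceptor regardless of the store.
	out.RoguePassesPin = spkiPin(rogueLeaf) == spkiPin(genuineLeaf)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Expected result: GenuineTrusted and RogueTrustedAfterInstall are true, RogueTrustedBySystem and RoguePassesPin are false. That is the whole mechanism in the posts above: the interception proxy never breaks TLS, it just needs one extra root in the store, and a pin in the app (or a check for user-installed roots) is what detects it.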
@cgudrian RIGHT!?

@seriouslyjeff Here are some more details about this: https://techcrunch.com/2019/01/29/facebook-project-atlas/

I still wonder why I didn't hear about it back then.

Facebook pays teens to install VPN that spies on them | TechCrunch

Desperate for data on its competitors, Facebook has been secretly paying people to install a "Facebook Research" VPN that lets the company suck in all of


@cgudrian @seriouslyjeff I was wondering if this was something new, because it definitely made its way through the Apple pundit ecosystem at the time.

I definitely recall @gruber (Daring Fireball, The Talk Show) talking about it. It probably got a mention on @atpfm as well.

TechCrunch: Facebook Pays Teenagers to Install VPN That Spies on Them

Link to: https://techcrunch.com/2019/01/29/facebook-project-atlas/

Daring Fireball
@jeff The recently released court documents reveal the SSL interception via man-in-the-middle proxy. That was not yet known in 2019.
@jeff @cgudrian @seriouslyjeff @gruber @atpfm yeah, Facebook and Google both got caught using enterprise certs for this. I was at Google at the time and remember the shitstorm https://www.theverge.com/2019/1/31/18205795/apple-google-blocked-internal-ios-apps-developer-certificate
Apple blocks Google from running its internal iOS apps

Apple has shut down Google’s ability to distribute internal iOS apps, from early releases of Google Maps to tools like a shuttle bus app. Google’s certificate issue comes just days after Apple also blocked Facebook from running its own internal iOS apps.


@seriouslyjeff I think I'm missing a piece of the picture. Do these Android kits allow downgrading TLS connections to plain HTTP?

Like the article explains, merely providing a VPN wouldn't have been very effective as Snapchat was using TLS, so they would just see a lot of encrypted traffic.

It's not clear to me how they managed to intercept the content that should have been encrypted on the client. 🤔

EDIT: Solved, see my self-reply.

@seriouslyjeff Nevermind sorry, I overlooked the court document you linked. So they installed a Root CA to hijack the traffic. Holy fuck.

The reason why it was unclear to me is that I did not expect them to pull this. I kind of wondered if there was a more "legitimate" way of doing this rather than something which is absolutely illegal.

Thanks for sharing!

@seriouslyjeff Been thinking about this a little bit more. It sounds exponentially more predatory to target teens.

You know, the demographic where hormones go wild and the concept of risk often isn't very well understood.

On a platform on which these users assume* (however naive that may be) to have at least some degree of privacy.

@seriouslyjeff Yeah, but when giant corporations do it it's okay.
@seriouslyjeff this legitimately feels like an "executives go to jail" kind of act and yet.... likely nothing meaningful will come of it.
@seriouslyjeff "SSL added and removed here :) moment" had me laughing very hard :D Thanks for that

@seriouslyjeff "We call our VPN 'Leopard' as in
'A leopard can't change its spots'

or

'I never thought leopards would eat MY face!'"

@seriouslyjeff @Migueldeicaza Missed opportunity that they didn’t also sell it as a botnet as eg Hola and Swing VPN did with their users: https://www.theverge.com/2015/5/29/8685251/hola-vpn-botnet-selling-users-bandwidth

That VPNs make the regular person safer is such a scam. Only reason for most people to use one is to access geo-fenced features and that’s only possible because GeoIP is a very crude way of geo positioning and something that Netflix etc. should not rely on.

But I guess many creators would be out of money if they didn’t promote VPNs…

Popular Chrome extension Hola sold users' bandwidth for botnets

@seriouslyjeff practically none of it was released - an interesting factoid

@seriouslyjeff Yeah, for context, "SSL added and removed here" is from the Snowden leaks. It referred to the place Google added and removed SSL to traffic within the Google network infrastructure.

The key thing is that it happened within Google's own network, behind the firewall. The NSA was only able to make use of that because they had penetrated Google's physical security and tapped into the internal network.

This, instead, is Facebook performing a man-in-the-middle attack on their own customers in order to spy on network traffic from a competitor.

It would be like Pfizer buying a scanner company to snoop on medical records being scanned to try to get info on the effects of Merck & Co. drugs.

@seriouslyjeff I’ve long suspected Facebook was spyware, cut and dry. What a sleazy company.