Podcast
Root Causes 386: Meta Commits MITM Attack On Its Users
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
May 13, 2024
Recent court documents reveal that in 2016 Meta (then Facebook) set up a system to get around encryption and spy on traffic between its users and competing social media platforms. We explain what happened.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanSo we want to go back a little bit in time for something that's very interesting that we've been following that we just didn't get a chance to necessarily pick up and cover because we had so much other interesting and exciting news going on. But I'm looking at, by way of example, you can see this written about in lots of places, I'm looking at a TechCrunch article from March 26, 2024 and the headline reads, Facebook Snooped On User Snapchat Traffic In Secret Project Documents Reveal. And this is Metas what they call project Ghostbusters. What happened here, Jason?
Jason SorokoYeah. Back in 2016. So this is going back. Project Ghostbusters, from what court documents are telling us, was Facebook, now Meta, was basically trying to understand the usage of other social media applications such as Snapchat, right? You might remember Snapchat from way back.And what is interesting about this is that, basically, I think some of the executives, perhaps Mark Zuckerberg himself, may have - - I'm saying may because, hey, I wasn't there. Right? Who knows. But what the court documents are suggesting is that he basically asked the engineers at Meta Facebook, we need to have a better understanding of how people are using some of those social media applications because we want to be able to - -
Tim CallanIn order to compete with them.Jason SorokoIn order to compete with them.Tim CallanYeah. Very important point.Jason SorokoYes. And so this was Project Ghostbusters. And what, of course, what did the engineers respond? And of course, I'm imagining this, right? I'm not even paraphrasing, I'm just making an imaginary scenario where they responded back to Mark Zuckerberg in saying, well, that would require us, you know, that is encrypted traffic. We can’t look at encrypted traffic. And I think the response that is alleged within this is that executives, perhaps all the way up to Mark Zuckerberg himself, were saying, well, then you better figure out a way to do it.Tim CallanRight. And they figured out a way. And what way did they figure out?Tim CallanWell, it looks like what this was, and I think that the real name for Project Ghostbusters, it was apparently part of another project called the In-App Action Panel or IAPP program. And this is about intercepting and decrypting encrypted traffic. So encrypted traffic of specific subdomains, Snapchat, YouTube, Amazon apparently, and this is all coming from something that is now being revealed. This is what's new that's being revealed in the court documents, Tim. So let's get down to what's really important because I think the - -Tim CallanWell, right before we do, I want to quote something from one of the emails that was revealed in this document. This is a direct quote. “This is a man in the middle approach”. So there wasn't even any subtlety about it.Jason SorokoSo let's get into that. So yeah, Facebook had previous to this, I believe in 2013, Facebook had purchased a VPN service. VPN-like service called Onavio. This has since been shut down because they were it looked like using it for questionable things, right. So it was shut down. And apparently Facebook had been paying a cohort of their users to utilize Onavio so that Facebook could actually basically run those teenagers, that cohort of users, through this VPN and look at their web activity. So, Tim, you just talked about man in the middle attacks so let's break down exactly what is going on here and what they had access to and what they didn't have access to. And it really shows you what's important about do you trust your VPN? Okay? That's going to be the crux of the lesson here. So what the engineers at Facebook were able to do is, since a cohort of users was using this VPN-like app they were essentially monitoring traffic through Facebook. So, in other words, traffic that would have been going directly to Snapchat was being pushed through this Onavio VPN, which means like ad services. Think about every single communication now, between the app and Snapchat as an example, would have been now available and captured in - at least the metadata of it - would have been captured through because the traffic was running through a Facebook-run VPN.
Tim CallanYep, yep.Jason SorokoNow to mechanically make this happen - -Tim CallanAnd another part of this is that there was an expectation on the user side, that Snapchat traffic was all encrypted. So the users had an expectation that this wouldn't happen and wasn't happening.Jason SorokoRight, Tim. And those of you who are sharp on listening to this podcast would say, yeah, but that traffic still would have been encrypted. So what's going on here because like right now, let's say, Tim, you fire up a VPN on your phone.Tim CallanRight.Jason SorokoPick a VPN of your choice and right now, if you go to Snapchat, you still can, your traffic is still encrypted through that VPN tunnel.Tim CallanSure.Jason SorokoSo what's - - like those of you who are smart might ask me that question. And my answer is this. Yeah, but if you have that VPN, that VPN can look at the metadata of all of that traffic. You don't need the entirety of the traffic to be decrypted. The metadata was enough for Facebook.Tim CallanGot it.Jason SorokoSo how, like, let's talk about how the mechanism of this works. By utilizing the Onavio VPN, you, as the cohort of Facebook who were part of the study, had to also download a root certificate. You had to get a certificate from Onavio, and then Onavio was encrypting your traffic as well. Right? So, but that certificate was important as part of doing the man in the middle attack. Tim, you and I have done podcasts on this, where there used to be a time where bad guys could socially engineer you into downloading a certificate, a self-signed certificate of the bad guys choice. A lot of people did not understand the error message of saying, hey, not that just the error message, but the warning message that would say on the on an Android or an iPhone, hey, did you know that this is a self- signed certificate? You really shouldn't trust it. And people were like, yeah, but some guy told me to trust it. So I'm going to trust it click and I install it.Tim CallanRight. Yep. And then it’s installed.Jason SorokoTo me, it's very similar to whatever you want to call this. Shenanigans or maybe Facebook would call it something else but whatever. By downloading the Onavio VPN app, it is identical to the risks associated with downloading a self-signed certificate from a bad guy. Now, if you're running a VPN service, what you get beyond just socially engineering somebody into using a self-signed certificate, you also get that traffic running through your VPN and then that VPN, of course, can decrypt the traffic, at the point at which they like, and have full access to the metadata between you on your phone and Snapchat. And that metadata was enough for Facebook to get all of the behavioral information that they needed from this cohort of people, Tim. I hope that was clear. But that was going on. And I'll tell you, that's crazy.
Tim CallanYeah. Just crazy. Yeah, yeah. Yeah. I don't even know what to say except, you know. I have nothing.Jason SorokoI got something to say. I got one last thing to say on this, which is, folks, we've actually done podcasts on this topic, where Tim and I talked about Tor and VPNs and when do you choose to use which is which? Because sometimes you can do a Tor through a VPN. Sometimes you can do a VPN through a Tor and you and I, Tim, actually walked through ad nauseam when do you choose to do which scenario. And this is such an interesting case, Tim, where, you know, a big, big American tech company, social media company, asks you to download a VPN and doesn't tell you fully why, doesn't really truly explain it, but hey, you know, just, it's for fun. Or maybe we give you 10 bucks or who knows how this can even happen in the future. But now you're running your traffic through somebody else's VPN and you've downloaded this self-signed certificate so people can look at the metadata of your traffic. So the thing is, that can already happen with a VPN of your choice today. I would say that if it's your corporate VPN, look unless your work is spying on you, it probably, it's probably that's, that's probably your safest one - VPN you might use through work, you know, probably the least of the issues. However, every other VPN that exists will have the same kind of traffic information that Facebook got with Onavio in this particular case. So how much do you trust your VPN? So you might say to yourself, Tim, why do most people get a VPN service anyway? So they can go to Starbucks. They can go to their hotel or airport, use the public Wi-Fi, fire up the VPN.
Tim CallanIt’s about privacy, right?Jason SorokoIt’s about privacy. And so who are you protecting yourself from? Are you protecting yourself from whoever is running the Wi-Fi access point?Tim CallanYep. Yep.Jason SorokoAre you protecting yourself from the VPN?Tim CallanNo. Right?Jason SorokoNo. No you are not.Tim CallanSo the irony here is that you, you know, you may feel that you're using a VPN in order to enhance your privacy, and in a way you are, because nobody is sitting on the Wi-Fi access point and stealing your traffic but then the cost of that is you're exposing yourself to this kind of privacy intrusion from whoever runs the VPN and hoping that that isn't a bad trade off.Jason SorokoCorrect, Tim. Which is why it is becoming very popular amongst people who have the know how to set up your own proxies, and set up your own VPN. And I do that, frankly, right. I actually have my own VPN that I run, and I don't run it through somebody else's VPN service. And that's the main reason why is because, you know, do I trust the other VPN? Well, eh, maybe I do. All I'm saying is, this is a really good example of, wow, if it was worthwhile enough for Facebook just to have your metadata, then your encrypted traffic with exposed metadata, just in your normal browsing is obviously extremely valuable, and somebody wants it.Tim CallanYeah.Jason SorokoWhich means I guarantee people are listening to your traffic all over the place and look, I'm not going to say it's happened, because I have no proof but it's not a stretch of the imagination to think that a lot of these VPNs that are out there are in business, not to sell you the VPN service, but to sell your metadata of your browser.Tim CallanTo sell the data. To sell usage data. Yeah.Jason SorokoAnd that was my thoughts, Tim.Tim CallanThere you go, Jay.Jason SorokoIt’s an interesting subject.Tim CallanSo it's definitely an interesting subject and I'm glad you brought it to our attention today. And once again, as we say, at the end of many of these episodes, something tells me this isn't the last time we're going to be having a conversation of this sort.Jason SorokoNo. And in fact, Tim, we did our Tor versus VPN versus, you know, all other - - I think there are now newer technologies that are out there. Various kinds of mesh encryption point-to-point encryption and other means of encrypting data that don't involve VPNs. And in fact, VPNs, Tim, I have to start questioning. Is it the right thing in the majority of scenarios now? We might have tripped a threshold in 2024 where it might be better to do something else. Food for thought.Tim CallanFood for thought. Okay. That's very provocative. Let's leave it there, Jay.Jason SorokoThank you.Tim CallanAll right. This has been Root Causes.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
