Did Facebook Run A Man-in-The-Middle Hack Against Competitors?

Newly unsealed court documents accuse Facebook of running a man-in-the-middle attack against several competitors.

At the request of CEO Mark Zuckerberg, Facebook officials developed a program called In-App Action Panel (IAAP) that they deployed in 2016 and which was in use through mid-2019, according to the documents, which include internal emails.

The program utilized cyberattacks to intercept information from Snapchat, YouTube, and Amazon. The program then decrypted the information.

“Facebook’s IAAP Program used nation-state-level hacking technology developed by the company’s Onavo team, in which Facebook paid contractors (including teens) to designate Facebook a trusted ‘root’ certificate authority on their mobile devices, then generated fake digital certificates to redirect secure Snapchat analytics traffic (and later, analytics from YouTube and Amazon) from Snapchat’s servers to Onavo’s; decrypted these analytics and used them for competitive gain, including to inform Facebook’s product strategy; reencrypted them; and sent them up to Snapchat’s servers as though it came straight from Snapchat’s app, with Facebook’s Social Advertising competitor none the wiser,” lawyers said in one of the documents.

This is a clever attack in several ways. If you can create a false signing certificate and get a program or device to accept it, you bypass having to break a company’s encryption altogether. The program trusts your fake certificate and creates a secure connection to your backend, using your encryption, thinking it’s transmitting information back to the targeted company. Also, analytics data doesn’t have to be sent and received in real time, so a significant delay between when the data is gathered and when it arrives may not tip off the targeted company to the attack.

None of this is a walk in the park, but it’s something like ten orders of magnitude easier than breaking the targeted company’s encryption stream on a live session to seamlessly hack it in real time, which is the sort of God-level hacking limited to those with NSA-level computing power, or fictional characters.
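To make the trick described above concrete from the app developer’s side, here is an added Go example (written for this page, not code from the court documents or from any company) that builds a constructed device trust store holding both a public root and a user-installed rogue root, issues a certificate for a constructed hostname from each, and shows that ordinary chain validation accepts both while an SPKI pin baked into the app accepts only the genuine one. The hostnames, root names and pin value are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for name: self-signed when parent is nil, otherwise signed with the parent's key.
func issue(name string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value an app ships as its pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// chainTrusted is the platform TLS check: does the leaf chain to any root in the device trust store?
func chainTrusted(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}
// Simulate returns (genuine chain trusted, rogue chain trusted, genuine pin ok, rogue pin ok).
func Simulate() (bool, bool, bool, bool) {
	const host = "analytics.example" // constructed hostname, not a real endpoint
	realCA, realKey := issue("public-root.example", true, nil, nil)                // constructed public CA
	rogueCA, rogueKey := issue("user-installed-rogue-root.example", true, nil, nil) // constructed rogue CA
	realLeaf, _ := issue(host, false, realCA, realKey)   // what the real server presents
	rogueLeaf, _ := issue(host, false, rogueCA, rogueKey) // what an interception proxy presents
	store := x509.NewCertPool() // device trust store after the user agreed to add the extra root
	store.AddCert(realCA)
	store.AddCert(rogueCA)
	pin := spkiPin(realLeaf) // baked into the app at build time
	return chainTrusted(realLeaf, store, host), chainTrusted(rogueLeaf, store, host), spkiPin(realLeaf) == pin, spkiPin(rogueLeaf) == pin
}
func main() { fmt.Println(Simulate()) } // prints: true true true false
```

The second value is the whole problem: once the rogue root is in the store, the platform’s chain check is satisfied, and only the app-level pin (the fourth value) catches the substituted key.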

The lawyers, representing plaintiffs in a lawsuit that accuses Facebook of anti-competitive behavior, were describing emails they obtained through discovery.

In one email, Mr. Zuckerberg wrote that there was a need to receive information about Snapchat but that their traffic was encrypted. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this,” he wrote.

After Facebook employees started working on figuring it out, Facebook Chief Operating Officer Javier Olivan wrote that the program could pay users to “let us install a really heavy piece of software (that could even do man in the middle, etc.).”

Man in the middle refers to a type of cyberattack where attackers secretly intercept information.

More specifically, it’s where a third party successfully inserts itself into the communication stream between two other parties, relaying (and possibly altering) both ends of the communication without either party knowing.

“We are going to figure out a plan for a lockdown effort during June to bring a step change to our Snapchat visibility. This is an opportunity for our team to shine,” Guy Rosen, founder of Onavo, later wrote. Onavo was started in Israel and bought by Facebook in 2013.

In a presentation on the program when it was being finalized, it was stated that there would be “‘kits’ that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage.”

Documents and testimony obtained in the case showed the program was launched in June 2016 and continued being used through 2019.

The program initially targeted Snapchat but was later expanded to Google’s YouTube and Amazon, according to the documents.

A few quick points:

  1. This is all from Snapchat’s court documents, so you have to put an “allegedly” on all this.
  2. If all the allegations are true, Facebook has just broken all sorts of federal anti-hacking laws, including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), the Identity Theft and Assumption Deterrence Act, and probably half a dozen more I haven’t even thought of.
  3. That Zuckerberg himself is (allegedly) directly implicated in deliberately breaking federal law is pretty breathtaking. He could be looking at serious jail time. Or would be, if he weren’t such a big Democratic Party Donor. (We’ll see how much time Sam Bankman-Fried catches today.)
  4. Snapchat is one thing, but targeting fellow tech behemoths Google (which owns YouTube) and Amazon with this sort of attack would seem to be…unwise. (Maybe Google’s forgiveness was covered in the secret deal the two companies allegedly signed with each other.)
  5. The timeframe is important here. Back in 2016-2019, the handling of digital signing certificates was a lot more loosey-goosey than it is now. A whole lot of things have been tightened up. I wouldn’t say it’s impossible to carry out such an attack now, but it would be harder.

We’ll see if the whole thing jumps from litigation land to the feds actually going after Facebook, but at a time when Facebook is being sued by all manner of plaintiffs (including Texas and other state attorneys general) over privacy violations and anti-competitive practices, the Snapchat revelations could certainly provide more fuel for the fire…


12 Responses to “Did Facebook Run A Man-in-The-Middle Hack Against Competitors?”

  1. D Liddle says:

    And to think that every time you use the ‘bigs’ social media you play an inadvertent part in one of the largest frauds perpetrated in mankind’s history. And it will become known to future generations, probably far in the future, but known to them nonetheless that great great great Grammy & Grampy used to just give up their information to tech oligarchs so they could send memes to other Grammies & Grampies!

    Another Carrington Event can’t come soon enough. You’ll be able to track their private jets on FlightAware as they scurry to their bunkers in New Zealand.

  2. Andy Markcyst says:

    @D Liddle

    Another Carrington Event would royally screw up aviation infrastructure, flight support and navigation such that even the ultra jet-owning wealthy would have trouble moving, but I get your point.

  3. Kirk says:

    Repeat after me: If the product is free… You’re the product.

    Hell, even if you pay for it, you’re the ‘effing product. Witness what Google does with Android, and what Apple does with its iOS. Pay attention to Microsoft, as well… I guarantee you that the products you use with them are selling your data and metadata, as well as charging you out the ass for them.

    Linux-on-the-desktop is about to become a “thing”, in my household. This latest round of intrusive AI installation on my computer has pushed me into finally ditching the bastards. I cannot overemphasize how much you need to pay attention to what they’re putting on your computer, and what they’re sending back to Redmond. It ain’t in your “best interests”, believe me.

  4. […] IT CERTAINLY LOOKS LIKE IT: Did Facebook Run A Man-in-The-Middle Hack Against Competitors? […]

  5. Nathan says:

    Kirk wrote:
    | If the product is free… You’re the product.
    […]
    | Linux-on-the-desktop is about to become a “thing”, in my household

    I hate to break this to you, but Linux is free. Given your logic above, in that case, who benefits from you using Linux?

  6. Sisyphus says:

    Since Meta (then Facebook) and Zuckerberg are located in and residents of California, California Penal 527 is likely to also apply. It is in some respects more on point than the CFAA, which can be challenging to apply to man in the middle attacks when a person in the chain grants authorization to use their computer in that manner.

  7. James H says:

    Interesting. He allegedly was part of crimes that could lock him up for decades. Then he spent $400M to swing the 2020 election right after this 2016-19 period. Coincidence?

  8. Zendo Deb says:

    Nice reference to Stand Alone Complex

  9. Kirk says:

    Nathan, you know exactly what I mean when I say that. Linux isn’t a product so much as it is a collaborative effort run by thousands of different programmers, all of whom serve as self-checking restraints on someone pulling what the big three social media companies are.

    If you think anything you do “in the cloud”, whether it’s Microsoft, Meta, Alphabet, or Amazon is secure, you have another think coming. Wonder why you’re getting targeted ads for everything you look at online? Wonder how your casual conversations suddenly generate oddly pertinent email advertising? Yeah; that would be those “free” services you’re getting from these people.

    Linux ain’t even in the same category, being as it isn’t a product/service selling my metadata to anyone.

  10. […] still unable to send remittances to Cuba due to lack of cooperation from dictatorship BattleSwarm: Did Facebook Run A Man-in-The-Middle Hack Against Competitors? also, LinkSwarm For March 29 Behind The Black: SLIM survives its second lunar night, […]

  11. yaddamaster says:

    It’s not exactly as if Meta hacked into their competitors’ systems. All they did was manage to decrypt data that is normally encrypted via SSL. Anyone who has ever used Fiddler, Wireshark, or any similar app knows how to do this.

    So basically by looking at the payload, the API interfaces, and results they were able to make inferences about what was happening behind the scenes.

    In short – it’s not a true “man-in-the-middle” attack.

  12. Lawrence Person says:

    By impersonating the backend of their competitor with a fake certificate, they committed identity fraud.
