Safety Detectives
$ United States dollar
$ United States dollar Euro£ British poundAED UAE dirhamARS Argentine pesoAU$ Australian dollarBGN Bulgarian levR$ Brazilian realCA$ Canadian dollarCHF Swiss francCLP Chilean pesoCN¥ Chinese yuanCOP Colombian pesoCZK Czech korunaDKK Danish kroneEGP Egyptian poundHK$ Hong Kong dollarHUF Hungarian forintIDR Indonesian rupiah Israeli new shekelINR Indian rupee¥ Japanese yen South Korean wonMX$ Mexican pesoMYR Malaysian ringgitNOK Norwegian kroneNZ$ New Zealand dollarPLN Polish złotyRON Romanian leuRUB Russian rubleSAR Saudi riyalSEK Swedish kronaSGD Singapore dollar฿ Thai bahtTRY Turkish liraNT$ New Taiwan dollarUAH Ukrainian hryvnia Vietnamese DongZAR South African rand

Meta's Onavo VPN Removed SSL Encryption To Spy on Competitors

Penka Hristovska
Penka Hristovska
Published on: April 3, 2024
Penka Hristovska Penka Hristovska
Published on: April 3, 2024

Meta illegally monitored its users through the Onavo VPN product while they accessed Snapchat and other competing apps, newly unsealed court filings reveal.

The surveillance was done as part of an initiative called Project Ghostbusters, an alleged reference to Snapchat’s corporate logo. Project Ghostbusters was run by Onavo, a company Facebook acquired in 2013, that operated under the guise of providing a VPN service. Ironically, this service was discontinued in 2019 due to its failure to ensure privacy.

The initiative began in June 2016 when Mark Zuckerberg, Meta’s founder and CEO, asked his team to find a way to reliable analytics from Snapchat’s encrypted data, as the platform was gaining increased market attention.

A month later, the Onavo team developed a solution — to employ an “SSL man-in-the-middle” attack to decrypt Snapchat’s secured traffic. In a man-in-the-middle attack, attackers insert themselves between a user and an application, allowing them to intercept and decrypt data transmissions.

They later expanded the project to target other Facebook competitors, including YouTube in 2017 and Amazon in 2018.

More specifically, Facebook conducted studies that rewarded participants, who had agreed to take part, for installing a research app developed by Onavo. This app tracked their smartphone usage and provided the tech giant with insights into user behavior across devices. The app allegedly installed a root Certificate Authority on participants’ devices, enabling Facebook to intercept participants’ encrypted SSL/TLS connections.

This setup also allowed the company to reroute analytics traffic from Snapchat (and later from Amazon and YouTube) to Onavo’s servers. Upon arrival, this data was decrypted and analyzed for commercial benefits, then re-encrypted and sent back to Snapchat, all without the knowledge of the photo-sharing app’s creators, the complaint explains.

The court documents detailing Meta’s alleged actions are part of a lawsuit filed against Meta in California by Facebook advertisers. The lawsuit alleges that Meta/Facebook’s anti-competitive actions, such as data interception, led to higher advertising costs and damaged competition.

About the Author
Penka Hristovska
Penka Hristovska
Editor
Published on: April 3, 2024

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.