Meta's Onavo VPN Removed SSL Encryption To Spy on Competitors

Published on: April 3, 2024
Penka Hristovska

Meta illegally monitored its users through the Onavo VPN product while they accessed Snapchat and other competing apps, newly unsealed court filings reveal.

The surveillance was done as part of an initiative called Project Ghostbusters, an alleged reference to Snapchat’s corporate logo. Project Ghostbusters was run by Onavo, a company Facebook acquired in 2013, that operated under the guise of providing a VPN service. Ironically, this service was discontinued in 2019 due to its failure to ensure privacy.

The initiative began in June 2016 when Mark Zuckerberg, Meta’s founder and CEO, asked his team to find a way to obtain reliable analytics from Snapchat’s encrypted data, as the platform was gaining increased market attention.

A month later, the Onavo team developed a solution — to employ an “SSL man-in-the-middle” attack to decrypt Snapchat’s secured traffic. In a man-in-the-middle attack, attackers insert themselves between a user and an application, allowing them to intercept and decrypt data transmissions.

They later expanded the project to target other Facebook competitors, including YouTube in 2017 and Amazon in 2018.

More specifically, Facebook conducted studies that rewarded participants, who had agreed to take part, for installing a research app developed by Onavo. This app tracked their smartphone usage and provided the tech giant with insights into user behavior across devices. The app allegedly installed a root Certificate Authority on participants’ devices, enabling Facebook to intercept participants’ encrypted SSL/TLS connections.

This setup also allowed the company to reroute analytics traffic from Snapchat (and later from Amazon and YouTube) to Onavo’s servers. Upon arrival, this data was decrypted and analyzed for commercial benefits, then re-encrypted and sent back to Snapchat, all without the knowledge of the photo-sharing app’s creators, the complaint explains.
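The interception described above works because the device has been made to trust an extra root CA, so ordinary chain validation succeeds; a certificate pin in the client app is a check that still fails in that situation. The following is an added example, not code from the article or the court filings: it pins the whole leaf certificate rather than the public key for brevity, and the host names and byte strings are constructed stand-ins for real certificates.

```python
import hashlib
import socket
import ssl


def fingerprint(der):
    """Hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Leaf certificate presented on a live connection (needs network).

    Validation uses the OS trust store, so a chain issued by a root CA
    that was added to the device also succeeds here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(chain_trusted, leaf_der, pins):
    """Verdict for one connection given the app's pinned fingerprints."""
    if not chain_trusted:
        return "untrusted"      # normal TLS validation already rejects this
    if fingerprint(leaf_der) in pins:
        return "ok"             # trusted chain and the expected certificate
    return "intercepted"        # trusted chain, but not the pinned certificate


def audit(observations, pins_by_host):
    """Map each host to a verdict; hosts without pins are 'unpinned'."""
    report = {}
    for host, chain_trusted, leaf_der in observations:
        pins = pins_by_host.get(host)
        report[host] = ("unpinned" if pins is None
                        else classify(chain_trusted, leaf_der, pins))
    return report


# Constructed sample data: these byte strings stand in for DER certificates.
GENUINE = b"constructed-genuine-leaf-for-api.example.test"
REISSUED = b"constructed-leaf-reissued-by-added-root-ca"
PINS = {"api.example.test": {fingerprint(GENUINE)}}
OBSERVED = [
    ("api.example.test", True, REISSUED),    # validates only via the added root
    ("cdn.example.test", True, GENUINE),     # no pin configured for this host
]

if __name__ == "__main__":
    print(audit(OBSERVED, PINS))
```

In a real client the pin set should include a backup pin so that a planned certificate rotation does not lock users out.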

The court documents detailing Meta’s alleged actions are part of a lawsuit filed against Meta in California by Facebook advertisers. The lawsuit alleges that Meta/Facebook’s anti-competitive actions, such as data interception, led to higher advertising costs and damaged competition.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.