Meta / Facebook Performs MiTM Attacks via SSL Bumping (Interception) with Onavo VPN

In 2019, Facebook shuttered its VPN app Onavo after investigations found that it was abusing user trust by spying on their activity. TechCrunch journalists found that, under the guise of a VPN, Facebook would pay users aged 13 to 35 up to $20 per month, plus referral fees, to sell access to their devices via its “Facebook Research” app.

This was made possible by Facebook’s 2014 acquisition of the Onavo VPN. Through this acquisition, Facebook (now Meta) entered the surveillance business under the guise of “user/market research.” As a side note, the same acquisition was used to justify their 2014 acquisition of WhatsApp for $19 B. By leveraging a VPN, Meta opened a treasure trove of insights into user behaviors.

As if sharing VPN usage data with Facebook/Meta was not bad enough, in 2016 an initiative was kicked off to better understand user behavior inside competitor applications (e.g., Snapchat, Amazon, and YouTube). To do this, they would have to intercept encrypted traffic, analyze it, and then send it on its way. The key to doing this was a method known as SSL Bumping.

What is SSL Bumping?

“SSL bumping,” also known as “SSL inspection,” is a technique used in network security to intercept and inspect encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connections.

When SSL bumping is implemented, a proxy server positioned between the client (such as a web browser) and the server intercepts the SSL/TLS traffic. It decrypts the communication, inspects the contents for malicious activity or policy violations, and re-encrypts the traffic before forwarding it to its destination. For the client to accept the re-encrypted connection, the proxy presents a certificate for the destination that it signed itself, which only validates because the proxy’s certificate authority has been installed in the client’s trust store.

This interception and decryption process allows the proxy to analyze the encrypted traffic for threats such as malware, data exfiltration, or policy violations. It is commonly used in enterprise environments to enforce security policies, monitor user activity, and protect against advanced threats. It does, rightfully, raise serious concerns, as Meta’s implementation shows.

They did exactly this.

They created a client-side “kit” that installed a “root” certificate on Snapchat users’ devices. They then ran Squid proxy servers and used Squid’s SSL Bumping feature. Using custom code, Facebook created fake digital certificates to impersonate Snapchat, YouTube, and Amazon analytics servers, routing the traffic through Facebook servers to decrypt and analyze it. This came to light via the class action discovery documents.
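To make the mechanism described above concrete from the defender’s side, here is an added Go example (not code from this page, from Meta, or from Squid) that builds a genuine CA and server certificate, then a proxy root and a forged certificate for the same host, and runs the two checks a client can perform: ordinary chain validation, which a root CA installed on the device silently satisfies, and SPKI pinning, which still rejects the forged certificate. Every name in it (analytics.example.com, “Example Public CA”, “Bumping Proxy Root”) is constructed for the example, and it uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Result records what the client observes for the genuine certificate and the forged one.
type Result struct {
	RealChainTrusted    bool // genuine server cert validates against the device trust store
	ForgedBeforeInstall bool // proxy-forged cert validates before the proxy root is installed
	ForgedAfterInstall  bool // proxy-forged cert validates once the proxy root is installed
	RealPinMatch        bool // genuine cert matches the SPKI hash pinned in the app
	ForgedPinMatch      bool // proxy-forged cert matches the SPKI hash pinned in the app
}

// mint generates a P-256 key and signs tmpl with parent/parentKey; a nil parent yields a self-signed root.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template describes either a CA (isCA) or a TLS server certificate for the host given as name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value an app pins at build time.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainTrusted is the ordinary TLS check: does leaf chain to a root in the trust store for host?
func ChainTrusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// PinMatches is the extra check that detects bumping: the presented key must be the one the app knows.
func PinMatches(leaf *x509.Certificate, pin string) bool {
	return SPKIPin(leaf) == pin
}

// RunDemo walks through the scenario: genuine issuance, a proxy forging the same host, root install, both checks.
func RunDemo() Result {
	const host = "analytics.example.com" // constructed hostname, not a real endpoint
	realCA, realKey := mint(template("Example Public CA", 1, true), nil, nil)
	realLeaf, _ := mint(template(host, 2, false), realCA, realKey)
	proxyCA, proxyKey := mint(template("Bumping Proxy Root", 3, true), nil, nil)
	forgedLeaf, _ := mint(template(host, 4, false), proxyCA, proxyKey)
	deviceStore := x509.NewCertPool() // stands in for the device's OS trust store
	deviceStore.AddCert(realCA)
	r := Result{
		RealChainTrusted:    ChainTrusted(realLeaf, host, deviceStore),
		ForgedBeforeInstall: ChainTrusted(forgedLeaf, host, deviceStore),
	}
	deviceStore.AddCert(proxyCA) // the client-side "kit" installs the proxy root
	r.ForgedAfterInstall = ChainTrusted(forgedLeaf, host, deviceStore)
	pin := SPKIPin(realLeaf) // shipped inside the app, independent of the trust store
	r.RealPinMatch = PinMatches(realLeaf, pin)
	r.ForgedPinMatch = PinMatches(forgedLeaf, pin)
	return r
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

The forged certificate fails before the proxy root is installed and passes afterwards, while the pin check rejects it in both cases. That is why app-level pinning, or at minimum alerting on user-installed root certificates, is the control that catches bumping; the padlock in the browser or OS cannot tell a genuine chain from one that ends in a root the device was told to trust.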

What is a Man-in-the-Middle (MiTM) attack?

If you have ever been pitched the need for a VPN solution, you have undoubtedly been pitched the idea of someone stealing your information while you peacefully enjoy a cup of Joe at your local Starbucks. The premise of this threat is that a bad actor can intercept your traffic on public Wi-Fi. This interception is known as a Man-in-the-Middle (MiTM) attack.

Here is a straightforward illustration of what that might look like:

You see this type of attack under specific conditions. You may be connected to a rogue access point, through which the bad actor can intercept your traffic and, if the device trusts a certificate the attacker controls, decrypt encrypted sessions as well. You may be working over plaintext (HTTP), and the bad actor simply monitors the network to see what is floating around. In either case, security professionals around the world will often tout the following advice:

  1. Never trust public networks
  2. Always work with applications that are using HTTPS
  3. Leverage a Virtual Private Network (VPN)

In this instance, however, Facebook (Meta) abused the trust relationship between a user and the tool that is supposed to mitigate this threat, and proceeded to perform the very attack the tool claims to prevent. They say as much in the discovery:

we install a root CA on the device and MITM all SSL traffic.

Facebook / Meta class action discovery

Shame on you Meta / Facebook!