Facebook caught spying on Snapchat, YouTube and Amazon

Recently unsealed court documents have revealed how Meta Platforms used a man-in-the-middle attack to spy on Snapchat’s encrypted analytics web traffic.

In an email titled “Snapchat analytics”, Meta CEO Mark Zuckerberg told three of Meta’s top executives that, given how quickly Snapchat was growing, it was important to find “reliable analytics about them”.

Javier Olivan, now Facebook’s COO, replied that he fully agreed with the need for these analytics. He had looked into this with the team at Onavo, a web analytics company owned by Meta.

However, gaining insight into Snapchat’s encrypted analytics would require legal approval.

Olivan forwarded the email to Guy Rosen, Onavo’s founder, who replied, “We are going to figure out a plan for a lockdown effort during June to bring a step change to our Snapchat visibility. This is an opportunity for our team to shine.”

By mid-June, the Onavo team had devised a plan for the “Ghostbusters project”, referencing the ghost in Snapchat’s logo.

The team’s solution was to employ a man-in-the-middle attack using their Onavo VPN service to intercept the information before Snapchat could encrypt it using Transport Layer Security (TLS, which the court documents refer to by its predecessor’s name, SSL).

Meta would extract the data once it had left users’ mobile devices and before it reached Snapchat servers.

Meta used this technique, known as SSL bumping, from June 2016 until early 2019.

However, Snapchat was not the only victim.

Facebook also employed the technology against YouTube and Amazon between 2017 and 2018.

The aim was to acquire and decrypt private analytics data from Snapchat, YouTube and Amazon to inform Facebook’s competitive decision-making.

Onavo was eventually shut down by Meta in 2019 after TechCrunch exposed Facebook for secretly paying teenagers to spy on their web activity.

Olivan suggested this as a solution to the Onavo team before the Ghostbusters project was started.

Some were concerned about the project, such as Pedro Canahuati, head of structural security engineering at the time.

He wrote in an email, “I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”

A class-action lawsuit was filed against Meta by Sarah Grabert and Maximilian Klein in 2020 for “anti-competitive conduct and exploiting user data through deceptive practices.”
