How did Facebook intercept their competitor's encrypted mobile app traffic?

1 year ago (doubleagent.net)

So just to be clear on what is being alleged, because the write-ups are omitting this detail: from what I can tell FB paid SC users to participate in “market research” and install the proxy.

The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case. (I’d love to get more detail on exactly what the participants were told they were getting paid for, but I’d be surprised if they did not know their actions were being monitored.)

The accusation that it’s wiretapping if one party in the communication channel is actively breaking the encryption (even with a tool provided by a third party) seems tenuous to me, but IANAL. If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?

  • From the article:

    > Note this is a new case, different from the one that TechCrunch also covered in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines.

    • This has since been edited in OP, and the full quote I think supports my claim more:

      > Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

  • > The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.

    All the best/most effective hacks involve convincing someone to download something they shouldn't that lets you sidestep security.

    • It was fully clear and fully remunerated. It was in no way a hack and that's disingenuous wording so you can hate on FB. If you install a VPN then you are affirmatively giving control of your traffic to the VPN. FB isn't under any obligation to explain how networks work. In the same way we don't explain DNS or routing. Is your boss obligated to tell you ACH transactions are in the clear and anyone can watch settlement? No. You're not being hacked when your bank sends payments via ACH.

  • No, the writeup isn’t omitting anything, you’re mixing things up, which this article explicitly called out.

    This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]

    So no, this Onavo bullshit isn’t defensible at all.

    [1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...

    [2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...

    • This is a bit tangled. I think this is new information but it’s all about Onavo. From OP:

      > Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.

      So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.

      The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo with their enterprise distribution channel), it quotes:

      > “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.

      This sounds to me that there was one Onavo research program, but who knows, we have multiple project codenames.

    • Why do people work on such projects? I mean specifically the engineers. You're still paid the same engineer salary, except now you expose yourself to criminal prosecution. The corpo is at least getting some extra returns for the risk, you as an engineer are not. So dumb.

  • > from what I can tell FB paid SC users to participate in “market research” and install the proxy.

    The app was available on both the Google Play and Apple App stores for anyone to download.

    > The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.

    It could be that you are confused with a previous case. From the blog post:

    > The wiretapping claim is new and perhaps not to be confused with the prior controversy and litigation: In 2023, two subsidiaries of Facebook was ordered to pay a total of $20M by the Australian Federal Court for "engaging in conduct liable to mislead in breach of the Australian Consumer Law", according to the ACCC ... Facebook had shutdown Onavo in 2019 after an investigation revealed they had been paying teenagers to use the app to track them. Also that year, Apple went as far as to revoke Facebook's developer program certificates, sending a clear message.

    > If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API

    If by "local" on your own network/machine with your own traffic then obviously no.

The email snippets are impressive on multiple levels, mainly how fucking stupid/arrogant people at FB must be. Openly talking about MITM, and then getting multiple other companies to include this kit in their products as well is just beyond stupid for putting in writing. "Hey Zuck, I have an idea on your proposal. We should get together to discuss in person" would be suspect, but at least it's not incriminating. It's like these people have never seen a movie, or read a news article on other companies getting caught.

  • A piece of advice I've taken to heart is whenever I'm sending something in writing, to think about how I would feel if I needed to repeat the same things in court or if I found those messages in the news. Not that I've ever said anything near that egregious but it still helps.

  • So you'd rather they were smarter and able to hide the traces of their malicious behaviour?

    The real problem here is the complete absence of any kind of ethics. It sounds like the kind of place where if you consider ethics to be a blocker you'd be laughed out of the room, or fired. Corporate culture is to chase profit above anything else. It's especially bad in software, though, as so many people don't even seem to think about the ethical implications of their actions ever.

    • Yeah, if your first thought is “Is you taking notes on a criminal conspiracy?” … you are not learning the right lessons

  • Billionaire bosses are all surrounded by opportunists and flatterers. Over time like the Great Pacific Garbage Patch the size of this group grows to unmanageable dimensions, cause anyone acting moderately sane will be treated as an existential threat to their lives of fantasy, domination, manipulation, luxury, leisure etc and pushed out.

    • > acting moderately sane will be treated as an existential threat [...] and pushed out.

      Or converted, by making them take actions so that "if we go down you're going down with us."

      Organized crime works that way too, come to think of it. They may call it "loyalty", but it really means "give us a way to coerce you into compliance."

    • Thankfully our fearless American regulators would never shy away from hanging these scoundrels out to dr- hey wait, where are the lawyers going off to?

    • To paraphrase Clarke's three laws, a sufficiently advanced quantity of yes-men and tech industry bro "move fast and break things" types is indistinguishable from a hostile malware actor.

  • Their contribution to the genocide in Myanmar has said everything about Meta you'll ever need to know. It's a tragedy that working for Meta is generally seen as neutral whereas working at any defense-related companies is often met with scorn, despite the overwhelmingly greater negative impact that working at the former has.

    And this doesn't even touch upon Instagram.

    I guess that they pay too much and employ too much of our industry, greatly reducing criticism because we all have a friend who has worked at Meta or we may even have applied ourselves at some point. Whereas we don't know anyone who has been at e.g. Anduril or the like.

    • I have several extremely talented friends at Meta, and the one constant is they left any attachment to the output product when they entered the workplace. Whereas they previously (at other top tech companies) did take pride in their employees output. Meta is “success at all costs” and heavily metrics driven.

      I think that’s what contributes to things like Myanmar and other countries hate speech proliferation. When you don’t care about how your product is used, and can focus on just the technical aspect, you lose any sense of responsibility.

      Conversely, we’ve hired many ex meta people, and they’ve always almost all unanimously said how much they NOW like having pride in the products they create, after jumping ship.

      Imho it’s an issue of top down culture from Zuckerberg, and previously Thiel.

  • If any of these miscreants were looking for a new job I bet the place you work would be getting in line to put them through an interview loop.

    • I'll take that bet. Of course, you have no idea where I work and I do, so you're not a good gambler. The stench of social companies is noticeable by people that do not have their heads in the sand. Companies that still believe that ex-FAANG are automatically gawds deserve what they get.

  • And people that think like you are the problem. You should be calling immoral asshole things out. Not frigging trying to do them and not get caught.

Not to downplay it but at least this requires users to download the Onavo app, which isn’t so common.

The one that I wonder about a lot is this: there are two (non-deprecated) types of webview you can use in iOS: WKWebview and SFSafariViewController. They’re intended for very different uses.

When you tap on a link in the Facebook app they should use SFSafariViewController. It’s private (app code has no visibility into it), it shares cookies with Safari, it’s literally intended for “load some external web content within the context of this app”

Instead, FB still uses WKWebView. With that you can inject arbitrary JS into any page you want. Track navigations, resources loaded, the works. Given the revelations we’ve seen in this article and many others I shudder to imagine what FB is doing with those capabilities. They’re probably tracking user behavior on external sites down to every tap on every pixel. It seems insane to think they might be tracking every username and password entered in their in-app webviews but they have the technical capability to. And do we really trust that they wouldn’t?

I don't know why but Facebook is the one tech company that I just can't have a good opinion about. I like and dislike Google, Microsoft, Apple, Nvidia, AMD, Intel and the rest for different things but I just hate Facebook. I closed my Facebook account about 10-11 years back and put a filter in place to keep Facebook out of my search results. And I have to say it works: I rarely see anything about Facebook on my Google news feeds etc. I still use WhatsApp though as that is the biggest communication app outside China in Asia.

  • Probably a combination of

    - they’ve had a long history of trying to undermine privacy to extend profits. From stuff like in the article, to tracking pixels, alleged ghost accounts, and fighting anything that hampers tracking. Of the companies you listed, only Google has any crossover, but doesn’t come anywhere near as close.

    - they’re irresponsible with the effects of their algorithm to amplify hate speech. None of your other companies have anything like that.

    - they are dishonest in their marketing. Almost all their Quest ads and feature reveals use concept visualization to deceive users for example on what is possible. Mark often speaks in double speak when addressing issues. Double speak isn’t unique to them but they definitely take dishonest advertising to the limit versus the other companies on your list.

    I know Meta are having a popularity renaissance with their open weight (not open source) models in this AI cycle, as is Mark with his recent PR blitz to reinvent his image.

    However I think they’re culturally the only one of your companies listed who lack a moral core to their work. I think culture is top down, and both Zuckerberg and Thiel have instilled a culture of “success at all costs” for the way Meta operates.

    The other companies on your list are definitely capitalist too, but have some sense of responsibility with their output.

    • > - they’re irresponsible with the effects of their algorithm to amplify hate speech. None of your other companies have anything like that.

      Twitter is arguably worse - especially after Musk's takeover.

  • > I still use WhatsApp though as that is the biggest communication app outside China in Asia

    This is still contributing to their monopoly. WhatsApp's monopoly is growing and they've even blatantly started to copy the competition: Telegram.

    Disagreeing publicly does nothing if I'm the one empowering my opposition in the first place.

    • > Disagreeing publicly does nothing if I'm the one empowering my opposition in the first place.

      Of course it does. It does spread the word. That’s important.

      You can be an activist and have a real life. You can despise Meta but have acquaintances on WhatsApp you can’t or don’t want to move. You can be an anticapitalist and still agree to join a group of friends inviting you to McDonalds. You can be an ecologist and have a car because you live somewhere without car free infrastructures.

      You have the right to be critical of your own life while still acknowledging you can’t control everything.

      Having WhatsApp may be wrong for you but it may be less wrong than leaving your friends groups.

  • > “And I have to say it works I rarely see anything about Facebook on my Google news feeds etc.”

    The company is called Meta nowadays, so that also explains why you don’t see much news about Facebook.

"There is a current class action lawsuit against Meta in which court documents include claims that the company had breached the Wiretap Act."

This is not a wiretapping case. The claims are all for violations of the Sherman Act. Plaintiffs' attorneys _incidentally_ found evidence during discovery that Facebook may have breached the Wiretap Act. There are no wiretapping claims. It is an antitrust case.

  • Doesn't this violate the DMCA too? This is circumventing an encrypted system.

    Does the DMCA not have enough teeth for something on this scale? Maybe an issue of standing or provable-damages? Did the plaintiffs forget about it? Curious and confused.

  • Thanks, I have modified the wording and also quoted you and linked this HN post on the blog page.

I think a relative of mine once almost signed up for another market research thing that would have done essentially this, redirecting all their phone's internet traffic through a VPN & proxy controlled by the market research company, including installing their cert. They would have received some small compensation for it, and of course consented to having it installed. I don't recall the company being misleading about anything, exactly. That being said, while I generally am not in favor of overly paternalistic policies, I wonder how meaningful the consent of someone with relatively little technical knowledge for something like this really is. They were not misleading about things, but also didn't fully spell things out in a way that would really drive home what was going on for someone unaware.

  • Just because some market research companies do informed disclosure, says nothing at all about how Onavo did this (and Onavo didn't advertise themselves to users as "market research company", just as some free neat app that would categorize your internet data usage).

Reading this article I'm just thinking that Facebook has a wing that's just an NSA front at this point.

  • People seem to forget that the research that turned into Google was initially funded by the NSA and CIA:

    https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...

    Cars now come with Google services / Android baked into the damn infotainment system, with no possible way to pull it out. What could possibly go wrong with an advertising company seeing everywhere you go, and everyone who rides in your car?

    • This is true, but so far there are ways to disable much of this.

      For example on a Ford, you can literally pull the fuse for the GSM modem. On a GM, you can pull the antenna from OnStar, and put a resistor there in replacement... thus rendering it unable to communicate to home base.

      This doesn't solve everything, but it at least stops the immediate phone home.

    • Yeah... They are all connected to the "three letter agencies", in Google's case it was very early, but I believe nobody can stay popular and not have all of these agencies infiltrate then take control of them.

      Apple, Google, Facebook, Twitter, Alexa, they are a gold mine for agencies, but even news sites, movie studios, and YouTubers. This is why they've been after TikTok for so long, they know how useful that app / network is.

Ooooooooh, SSLbump.

There has to be a court precedent that criminalized sniffing network traffic on the customer’s side.

Should be one of those many cases involving wiretapping for banking info.

Unfortunately this is unsurprising; with bad actors like Meta there are likely many potential "dark patterns" put in place.

I can imagine e.g. security risks involving sensor data exfiltration where accelerometers and gyroscopes etc are monitored to infer audio information. By covertly relaying and processing the collected data externally it would be possible to reconstruct sensitive information without direct access to the device's microphone.

It's not unlikely that they pull off something like that.

Meta and other pernicious companies and government bodies are probably employing many more, even worse and much simpler eavesdropping techniques in the wild.

"Stay safer when you're using public Wi-Fi. Turn Protection On"

prompt to install a VPN config

Fuck yourself, Facebook.

Isn’t this what the broad CFAA was created for and what Aaron Swartz was martyred over?

Why didn't a big company like Snapchat have certificate pinning? Something is amiss here!?

  • Snapchat does certificate pinning for its main API domain. I am not exactly sure why the analytics domain is different and why it doesn't have certificate pinning. (I thought analytics went through the same API domain, but that must be wrong then.)

    • The analytics domain was "sc-analytics.appspot.com" in which the lack of pinning is described at the tail end of the blog post.

I used to work for a startup that collected data by using a MITM attack with a VPN server, and other means. The users got paid a small sum of money to participate.

If you or I did this, we would already be in jail for phishing plus whatever add-on charges the Feds could file.

Meta has Washington in their pocket so this will never leave civil court. The penalty will be less than the money made, meaning somebody gets a bonus for being creative.

  • Our apps would be deplatformed on Android and iOS, and our businesses would be prosecuted by the DoJ and FBI.

    • Looks like this was the real reason Facebook could not comply with China's data sovereignty laws and had to abandon the market.

      The fact Apple and Microsoft services both work in China shows they are a little more trustworthy.

  • Seriously, how does this not violate wiretapping laws? Does agreeing to ToS mean you also agree to being spied on in a way that protects them? You are deliberately circumventing encryption for malicious purposes. If people got in trouble for DeCSS for circumventing encryption, how is this okay?

    pithy "because they have all the monies" replies not wanted.

    • > seriously, how does this not violate wire tapping laws? does agreeing to ToS mean you also agree to being spied on in a way that protects them?

      It’s not really spelled out clearly in the article, but this was a specific program where people had to choose to opt-in in exchange for compensation.

      This wasn’t simply Facebook hijacking random people’s traffic because they accepted the ToS or used the Facebook app

      Not defending the program, but it’s not what a lot of comments are assuming.

    • Big tech and telecommunications companies are effectively miniature arms of the U.S. government at this point.

      As seen by the "Protect America Act" of 2007[0], the government will retroactively cover their own ass and your companies' ass if deemed important enough to the intelligence apparatus. There isn't a chance in hell that criminal charges for wiretapping would be brought against Meta.

      0: https://en.wikipedia.org/wiki/Protect_America_Act_of_2007

    • What is described in the article is not some elaborate scheme or novel work of software engineering. Rather, it's exactly what 99% of corporate networks do (proxy server with SSL inspection using a custom root certificate) "to combat cyber threats".

      As coincidence would have it, this is the perfect alibi provided by a snake oil "cybersecurity" app by one of the world's largest companies.

      Every tech company that has promulgated the lie that a VPN operated by a third party provides added security is indirectly responsible for this. Funneling all your traffic through a shady intermediary does no such thing, and in fact often does the opposite.

    • > does agreeing to ToS mean you also agree to being spied on in a way that protects them?

      This relates to a much bigger problem of courts upholding contracts even when nobody actually believes they represent an informed and voluntary agreement.

      We aren't quite at the Looney-Tunes step of enforcing extra clauses that were hidden in invisibly small print, but things are drifting in that direction.

      See also: https://www.law.cornell.edu/wex/adhesion_contract_(contract_...

    • It isn't because they have the money, it's because they have given the government access to whatever data they want. When it comes to three letter agencies it really isn't about money, it's about power and in today's digital world data is power.

      To answer your specific question, this isn't okay. Both the government and large corporations have been given way too much power and we really have no hope of making any meaningful change until the people reclaim this power and put those in charge out on their ass.

  • Your work does this. This is incredibly common on basically every corporate device issued today.

    The real issue is the NUX, which doesn't look like it made the data collection clear to users.

    • My work puts a big banner on the login screen that says up front that they can and will record and monitor everything on this machine. And IMO that's fine, because it's their machine. If they wanted to do that to my machine it would be a problem.

    • I signed a contract with my employer that when I'm using the computer they give me to conduct their business on their behalf, they have the right to observe my usage of that computer.

      The situation in this article is completely different.

    • None of my employers have done this to my knowledge. Some of them have had the ability to run commands on my computer, so they could in theory install such a thing without me noticing, but the default OOTB experience was not that.

tl;dr: They acquired an app called Onavo, with 10 million customers, and used it to install a CA certificate, thus allowing them to act as a MITM proxy.

tl;dr: If you install and fully trust a root CA on your client device, of course your TLS traffic can be MITMed.

edit: the problem, obviously, is that this app tricked the non-technical people into installing/trusting the root CA for malicious purposes. Clearly this was malware.

  • That's great for someone reading this forum to be aware of, but moms have no idea what any of the words you just wrote mean. So if they were told they get a coupon for installing, or some other bit of the ridiculous things malware devs use... and yes, I'm calling FB software malware. All of it. Messenger, FB.app, everything. If it's from Meta, it's malicious.

    • That's a very good point. I have within recent memory installed my own internal CA that I run on Android devices that I own and trust, and the process on android 11+ is sufficiently daunting that 99.5% of peoples' moms could not do it in one or two clicks. You have to go deep into system settings and manually import the CA. This requires first file-transferring the CA file somewhere onto local /sdcard storage and possibly having a file system explorer app installed to be able to view its location on "disk" and pick it.

      As is pointed out in the article, I would presume that Google saw the threat from allowing an app to install and trust a root CA as well, and removed the ability for a "one click" install of a root CA:

      "KeyChain.createInstallIntent() stopped working in Android 7 (Nougat). A user would have to manually install the certificate. It would no longer be possible to have Facebook's CA cert installed directly in the app."

  • So I mean, just taking a quick look at the contents of /etc/ssl/certs and what Firefox shows me when I hit its View Certificates button, I see among dozens of other actors, Amazon, Microsoft, GoDaddy, and the Beijing Certificate Authority. No software has ever asked me if I want to trust any of these guys, they've been silently trusted during a software install I suppose. Does this mean they can all MITM my TLS traffic if they so choose?

    • Theoretically, yes, they could, I think. However, with Certificate Transparency, the fraudulent certificates these Certificate Authorities could create would have to be published in CT logs to be valid, where they would be quickly noticed, and the CA would (hopefully) lose credibility and be removed from devices' trusted CA lists.

    • Not in 2020, no.

      HSTS causes your browser to pin the first cert that it sees (from sites opting in to this scheme), so nobody (even the legitimate operator) can swap it out before it expires.

      https://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Securi...

      And specifically to the scenario in OP, app clients these days do not use the OS cert store, they will ship a single well-known server cert and only accept that one. This doesn’t help with your Firefox usecase though.

  • That’s not sufficient - you also need to intercept traffic somehow, which they successfully accomplished by buying this VPN company and using it to proxy victims' traffic through their infra.

    • Victims that were being paid to participate?

      Edit: Not excusing Facebook here, but feel like this whole thing is in a weird grey area. It is like getting paid to have a Nielsen box monitoring your TV and then complaining when you find out it also knew what you watched on your DVD player.

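Added example, not taken from the article or from any comment in this thread: the "if you trust a root CA, of course your TLS can be MITMed" point from the tl;dr comment above, and the certificate pinning question from the Snapchat subthread, played out with Go's standard library only. Two roots are generated in memory, a hypothetical "Public Root CA" and a hypothetical "VPN App Interception CA"; each signs a leaf for the made-up host analytics.example. A plain chain check accepts the interceptor's leaf the moment its root is in the trust store, which is all the "install certificate" step has to achieve. A client that additionally pins the SHA-256 of the server's SubjectPublicKeyInfo (the HPKP / OkHttp CertificatePinner style) rejects that same leaf while still accepting the genuine server. Every name, host and key here is invented for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// must aborts on setup failures (key generation, signing); they are not part of the scenario.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for name with a fresh in-memory key: a self-signed root
// when parent is nil (what a user is asked to "install"), else a server leaf signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// spkiPin is the HPKP/OkHttp-style pin: base64(sha256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyChain is the default client check: any leaf chaining to a trusted root for this host passes.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyPinned also requires the leaf's public key to be one the app shipped with.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins []string) error {
	if err := verifyChain(leaf, roots, host); err != nil {
		return err
	}
	got := spkiPin(leaf)
	for _, want := range pins {
		if got == want {
			return nil
		}
	}
	return errors.New("pin mismatch: chain is trusted but this is not the server key the app expects")
}

// Outcome records the four checks run by Demo.
type Outcome struct {
	ProxyRejectedWithoutItsRoot bool // stock trust store: the interceptor's leaf fails
	ProxyAcceptedWithItsRoot    bool // interceptor root installed: plain chain check passes
	ProxyRejectedByPin          bool // same trust store, but a pinning client refuses it
	RealServerPassesPin         bool // and the pinning client still accepts the genuine server
}

// Demo plays the scenario out for the hypothetical host analytics.example.
func Demo() Outcome {
	const host = "analytics.example"
	publicCA, publicKey := issue("Public Root CA (hypothetical)", nil, nil)
	proxyCA, proxyKey := issue("VPN App Interception CA (hypothetical)", nil, nil)
	realLeaf, _ := issue(host, publicCA, publicKey) // the genuine server's certificate
	proxyLeaf, _ := issue(host, proxyCA, proxyKey)  // what the proxy presents for the same name
	stock := x509.NewCertPool()                     // trust store as the device shipped
	stock.AddCert(publicCA)
	installed := x509.NewCertPool() // after the user taps "install certificate"
	installed.AddCert(publicCA)
	installed.AddCert(proxyCA)
	pins := []string{spkiPin(realLeaf)} // baked into the app at build time
	return Outcome{
		ProxyRejectedWithoutItsRoot: verifyChain(proxyLeaf, stock, host) != nil,
		ProxyAcceptedWithItsRoot:    verifyChain(proxyLeaf, installed, host) == nil,
		ProxyRejectedByPin:          verifyPinned(proxyLeaf, installed, host, pins) != nil,
		RealServerPassesPin:         verifyPinned(realLeaf, installed, host, pins) == nil,
	}
}
```

Call Demo() from a test or a one-line main; all four fields come back true. Three caveats worth pairing with the replies above: Certificate Transparency does not help here, because CT is only enforced for publicly trusted roots and a certificate minted under a user-installed root never touches a log. HSTS by itself only forces HTTPS; browser key pinning was the separate HPKP header, which browsers have since removed, so pinning today lives in apps, not in the browser. And since Android 7, apps targeting API 24 and later ignore user-added CAs by default unless their network security config opts in, which is why an in-app "install cert" button stopped being sufficient on its own. Pinning only protects the hostnames an app actually pins, which is the gap the sc-analytics.appspot.com observation in the article points at.
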
[flagged]

  • Can you give me a step by step explanation of how blockchain-based DNS would have helped here?

    • Blockchain-based DNS would allow people to actually own their domain names instead of just renting them for an annual fee.

      Domain transfers could be effected on-chain for a fee. Spam prevention is built-in because any action recorded on the blockchain incurs a fee. The fee is determined by the free markets and nobody holds a monopoly over the market.

      People who trade domains would end up subsidizing those who hold domains; allowing them to hold domains for free, permanently (once the domain is bought and initial transfer is made).

      It removes the need for an authority like ICANN who decide who gets to control what.

      You don't have to limit yourself to one blockchain, new blockchains could launch and be treated as distinct gTLDs.

      You don't need Certificate Authorities and the complex, trust-based infrastructure to implement certificate verification. It can all be done on-chain, anyone can sync their own nodes to verify who owns what domains.

      Blockchain is naturally good for high-read scenarios. It can scale in terms of number of reads without limit; just add more nodes. The writes are limited, however, transaction fees serve as a natural regulating factor; it can always meet the demand, for the right price; which is determined entirely by the markets and based on usage of computational resources, not based on monopoly pricing.

      Bitcoin, with a measly maximum of 4 transactions per second, has already proven that transaction fees can stay reasonable, even with extreme levels of hype on a global scale.

      BTW, if you managed to read my comment, you can consider yourself lucky because this perspective I'm sharing is consistently suppressed and heavily down-voted... You can be sure that there are financial interests behind the current DNS system which do not want to leave room for any tech which might liberate the internet from the clutches of the incumbents and which might force them to compete on a free market.