Newly unsealed court documents accuse Facebook of running a man-in-the-middle attack against several competitors.
At the request of CEO Mark Zuckerberg, Facebook officials developed a program called In-App Action Panel (IAAP) that they deployed in 2016 and which was in use through mid-2019, according to the documents, which include internal emails.
According to the documents, the program intercepted the encrypted analytics traffic that the Snapchat, YouTube, and Amazon apps sent from users' phones, decrypted it, and gave Facebook the contents.
“Facebook’s IAAP Program used nation-state-level hacking technology developed by the company’s Onavo team, in which Facebook paid contractors (including teens) to designate Facebook a trusted ‘root’ certificate authority on their mobile devices, then generated fake digital certificates to redirect secure Snapchat analytics traffic (and later, analytics from YouTube and Amazon) from Snapchat’s servers to Onavo’s; decrypted these analytics and used them for competitive gain, including to inform Facebook’s product strategy; reencrypted them; and sent them up to Snapchat’s servers as though it came straight from Snapchat’s app, with Facebook’s Social Advertising competitor none the wiser,” lawyers said in one of the documents.
This is a clever attack in several ways. If you can get a device to trust a root certificate authority that you control, you never have to break the target company's encryption at all. Your proxy presents a forged certificate for the target's hostname, signed by your root; the app sees a certificate that chains to a trusted root, negotiates TLS with your proxy instead of the real server, and hands over the plaintext, believing it is talking to the company's backend. (The one thing that stops this cold is certificate pinning: an app that checks the server's public key against a value baked into the app rejects the forged chain no matter which roots the device trusts.) Also, analytics data doesn't have to be sent and received in real time, so a significant delay between collection on the device and arrival at the company's servers may not tip off the targeted company.
None of this is a walk in the park, but it is enormously easier than the alternative, because it attacks trust rather than the cipher. Breaking the encryption of a live, properly implemented TLS session on the wire is the sort of God-level hacking that exists mostly in fiction; even a nation-state with NSA-level computing power does not do it by brute force. The rogue-root approach sidesteps the cryptography entirely.
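To make that trust failure concrete, here is an added example, written for this post and not taken from the court filings or from anything Facebook or Onavo wrote. Using only the openssl command line, it mints a rogue root, forges a certificate for a made-up analytics hostname (analytics.example.test), and shows that a device trusting only the real CA rejects the forgery, a device that has installed the rogue root accepts it, and an app that pins the server's public key rejects it regardless of the trust store. The hostname, CA names and scratch directory are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the court filings or from Facebook/Onavo.
# Demonstrates, with openssl only, why getting a device to trust a root CA you
# control is enough to read its TLS traffic, and how a public-key pin in the
# app defeats that even when the rogue root is trusted. The hostname, CA names
# and work directory are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TARGET_HOST="analytics.example.test"   # hypothetical analytics endpoint

# Mint a self-signed root CA: $1 = file stem, $2 = common name.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a server certificate for TARGET_HOST signed by CA $1, written to stem $2.
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$TARGET_HOST" > "$WORK/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$TARGET_HOST" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# What the TLS stack on the phone does: trust exactly the roots in bundle $1 and
# check that presented certificate $2 chains to one of them and names TARGET_HOST.
verify_chain() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
       -verify_hostname "$TARGET_HOST" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Base64 SHA-256 of the certificate's SubjectPublicKeyInfo: the pin format used
# by HPKP and by Android/OkHttp certificate pinning.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}

# The extra check a pinned app makes after chain validation: $1 = presented
# certificate, $2 = pin shipped inside the app.
pin_check() {
  if [ "$(spki_pin "$1")" = "$2" ]; then echo pin-ok; else echo pin-mismatch; fi
}

setup() {
  [ -f "$WORK/device-with-rogue.pem" ] && return 0
  make_ca real-ca "Example Public CA"           # the CA the real service chains to
  issue_leaf real-ca real-leaf                  # the real server's certificate
  make_ca rogue-ca "Example Rogue Root"         # the interceptor's own root
  issue_leaf rogue-ca fake-leaf                 # forged cert for the same hostname
  # A stock phone trusts only real-ca.crt; one whose owner was paid to install
  # the rogue root trusts both.
  cat "$WORK/real-ca.crt" "$WORK/rogue-ca.crt" > "$WORK/device-with-rogue.pem"
}

demo() {
  setup
  pin=$(spki_pin "$WORK/real-leaf.crt")
  echo "stock trust store, forged cert:      $(verify_chain "$WORK/real-ca.crt" "$WORK/fake-leaf.crt")"
  echo "rogue root installed, forged cert:   $(verify_chain "$WORK/device-with-rogue.pem" "$WORK/fake-leaf.crt")"
  echo "pinned app, forged cert:             $(pin_check "$WORK/fake-leaf.crt" "$pin")"
  echo "pinned app, real cert:               $(pin_check "$WORK/real-leaf.crt" "$pin")"
}

demo
```

Run it with sh; it needs only openssl 1.1 or later and writes its scratch files to a temporary directory. The forged certificate is accepted the moment the rogue root is in the trust bundle, with no cryptography broken anywhere. The pin check is the defence that would have mattered here: an interceptor can forge a chain the device trusts, but cannot forge the real server's public key.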
The lawyers, representing plaintiffs in a lawsuit that accuses Facebook of anti-competitive behavior, were describing emails they obtained through discovery.
In one email, Mr. Zuckerberg wrote that there was a need to receive information about Snapchat but that their traffic was encrypted. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this,” he wrote.
After Facebook employees started working on figuring it out, Facebook growth executive Javier Olivan, now Meta's chief operating officer, wrote that the program could pay users to “let us install a really heavy piece of software (that could even do man in the middle, etc.).”
A man-in-the-middle attack is one where a third party inserts itself into the communication stream between two other parties, relaying (and possibly altering) both ends of the conversation without either party knowing. Each side believes it is talking directly to the other; in fact both are talking to the attacker.
“We are going to figure out a plan for a lockdown effort during June to bring a step change to our Snapchat visibility. This is an opportunity for our team to shine,” Guy Rosen, founder of Onavo, later wrote. Onavo was started in Israel and bought by Facebook in 2013.
In a presentation on the program when it was being finalized, it was stated that there would be “‘kits’ that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage.”
Documents and testimony obtained in the case showed the program was launched in June 2016 and continued being used through 2019.
The program initially targeted Snapchat but was later expanded to Google’s YouTube and Amazon, according to the documents.
A few quick points:
- This is all from the plaintiffs' court filings, so you have to put an “allegedly” on all of it.
- If all the allegations are true, Facebook has just broken all sorts of federal anti-hacking laws, including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), the Identity Theft and Assumption Deterrence Act, and probably half a dozen more I haven’t even thought of.
- That Zuckerberg himself is (allegedly) directly implicated in deliberately breaking federal law is pretty breathtaking. He could be looking at serious jail time. Or would be, if he weren’t such a big Democratic Party donor. (We’ll see how much time Sam Bankman-Fried catches today.)
- Snapchat is one thing, but targeting fellow tech behemoths Google (which owns YouTube) and Amazon with this sort of attack would seem to be…unwise. (Maybe Google’s forgiveness was covered in the secret deal the two companies allegedly signed with each other.)
- The timeframe is important here. In 2016-2019, mobile platforms were a lot more loosey-goosey about which root certificates an app would trust, and a lot has been tightened up since. Android 7.0 (released in 2016) stopped trusting user-installed CAs by default for apps built against it, so a root added through Settings no longer lets a proxy read an app's traffic unless the app explicitly opts in; iOS 10.3 (2017) stopped treating user-installed roots as trusted for TLS until the user separately enables full trust for them; and certificate pinning, which rejects any chain that doesn't end in the developer's own key, is now common in major apps. I wouldn’t say it’s impossible to carry out such an attack now, but it would be harder.
We’ll see if the whole thing jumps from litigation land to the feds actually going after Facebook, but at a time when Facebook is being sued by all manner of plaintiffs (including Texas and other state attorneys general) over privacy violations and anti-competitive practices, the Snapchat revelations could certainly provide more fuel for the fire…