https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/?guccounter=1

quote: After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, “allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” read an email from July 2016. “This is a ‘man-in-the-middle’ approach.”

wait what the gently caress is this

Mar 27, 2024 18:00

Apr 28, 2024 22:18

ymgve posted: https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/?guccounter=1

i was just reading about this this morning. this story is loving crazy and i was amazed it wasn't all over this forum yet

Mar 27, 2024 18:02

good coverage of it here: https://twitter.com/jason_kint/status/1772459601356583268 https://nitter.poast.org/jason_kint/status/1772459601356583268

quote: Whoa. Facebook had a secret "Project Ghostbusters" (get it?) which allegedly was to decrypt "man-in-the-middle" style Snapchat traffic to copy it. Yellow highlight indicates redactions just lifted in nine unsealed plaintiffs briefs in private antitrust lawsuit. Wild stuff. /1

quote: A lot of new stuff. There was lots of reporting (including Apple threats to boot Facebook) at the time on Facebook's software and Onavo acquisition allowing it to "spy" on competitive apps but I recall the decryption was written as a hypothetical. CEO email kickstarting it. /2

quote: You can read the press back in Jan 2019 spoon fed by Facebook PR to friendlies with no mentions of decrypting SSL then compare to this internal email below sent to Facebook's most senior executives - "currently includes SSL decryption"... /3

quote: And the allegations do get worse...seeing the underlying evidence at trial is important. "The company's highest-level engineering executives through the IAAP Program was a legal, technical, and security nightmare...'I can't think of a good argument why this is okay.'" /12

quote: Here is the full unsealed docket item including the allegations against Facebook for "wiretapping" Snapchat including the Zuckerberg emails. /6

Mar 27, 2024 18:05

ymgve posted: https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/?guccounter=1

drat lol

Mar 27, 2024 18:07

mark fuckerberg strikes again

Mar 27, 2024 18:10

yeah that just sounds like what onavo protect was being used for when the 'vpn' was pushed. i guess the news part is knowing that it was targeted against snapchat rather than it being heavily implied? apple hit them back in 2018 over it

Mar 27, 2024 18:12

and I thought meta was the dumbest thing zuck had ever championed but this takes the cake

Mar 27, 2024 18:14

“this is a privacy and pr nightmare! the only thing we can do to cover it up is to make an even more ridiculous and dumb business decision that people will focus on”

Mar 27, 2024 18:16

ah so I guess the "kits" bit is just a name for plugins for facebook's vpn app, not something that is supported by ios and android natively

Mar 27, 2024 18:17

I think it's slightly unclear from the article how icky this was because mining data from what is marketed as a generic vpn, even with no mitm, is imo a trillion times worse than paying a small number of people to send all their traffic through something that's specifically labelled as a "facebook research" app that reads all your data and it's not totally clear what people were being told

It still seems problematic if they were collecting data on teens, but like, hypothetically (and this is probably giving facebook way too much credit) if the app store description itself was vague just to evade app store policies, but with respect to the actual user they paid, they were very clear on what was being collected, and they had parental consent and only collected data on snapchat and not like personal information it might not be as bad

If they were tricking people into installing a root certificate without them understanding what that meant then that is way worse

Edit: Also I don't think this is new information and I think people are just looking at documents that were just released from the class action suit and thinking that out of context they might sound worse than the previously known information, which they probably aren't

mystes fucked around with this message at 18:26 on Mar 27, 2024
Mar 27, 2024 18:20

huh the facebook vpn people thought was just to steal data was used to steal data

Mar 27, 2024 18:25

mystes posted: Edit: Also I don't think this is new information and I think people are just looking at documents that were just released from the class action suit and thinking that out of context they might sound worse than the previously known information, which they probably aren't

ya i remember reading about that vpn lawsuit a while ago but the newly de-redacted(?) details is good info

Mar 27, 2024 19:48

mystes posted:
This was my first reaction. On second thought though I realized due to living in hell the user's consent doesn't matter because the data doesn't belong to them, it belongs to snapchat and the other app owners. Meta wasn't stealing from the users, they were stealing from businesses. That's why they could actually face consequences.

Mar 28, 2024 06:18

Salt Fish posted: This was my first reaction. On second thought though I realized due to living in hell the user's consent doesn't matter because the data doesn't belong to them, it belongs to snapchat and the other app owners. Meta wasn't stealing from the users, they were stealing from businesses. That's why they could actually face consequences.

Yuuuuuupp

Mar 28, 2024 15:31

Salt Fish posted:This was my first reaction. On second thought though I realized due to living in hell the user's consent doesn't matter because the data doesn't belong to them, it belongs to snapchat and the other app owners. Meta wasn't stealing from the users, they were stealing from businesses. That's why they could actually face consequences.

Mar 28, 2024 16:26

why is Zuckerberg such a huge piece of poo poo?

Mar 28, 2024 17:20

Last Chance posted: why is Zuckerberg such a huge piece of poo poo?

we take these truths to be self evident

Mar 28, 2024 17:25

Last Chance posted: why is Zuckerberg such a huge piece of poo poo?

always has been 👩🚀

Mar 28, 2024 17:50

Carthag Tuek posted: ya i remember reading about that vpn lawsuit a while ago but the newly de-redacted(?) details is good info

it is simply dacted now

Mar 28, 2024 17:57

the docs so nice they dacted them twice

Mar 28, 2024 17:58

Salt Fish posted: This was my first reaction. On second thought though I realized due to living in hell the user's consent doesn't matter because the data doesn't belong to them, it belongs to snapchat and the other app owners. Meta wasn't stealing from the users, they were stealing from businesses. That's why they could actually face consequences.

But it does feel like there's something weird about the whole situation? It's sort of like an "everything is securities law" type situation where there's a disconnect between the actual problem and what they are getting in trouble for.

Specifically, it seems weird that the collection of users' (and minors') data is only being treated as a problem here because, even if they had consent and were paying people for it, because it was targeting another company's app, they had to use a somewhat sketchy-looking approach to decrypt traffic and evade app store policies that use protection of users mainly as an excuse to restrict competition

Whereas, for example, presumably an ISP can do whatever the gently caress it wants and because it's not trying to evade an app store policy it won't become an issue

Mar 28, 2024 18:14

mystes posted:
on the other hand, an ISP is not installing a root ca on your device so that they can decrypt and inspect your traffic

Mar 28, 2024 18:38

they would be if they thought they could get away with it

Mar 28, 2024 18:41

Last Chance posted: why is Zuckerberg such a huge piece of poo poo?

billionaires are pieces of poo poo, tech bros are pieces of poo poo, and 20-year-olds (where his emotional development was frozen by $$$) are pieces of poo poo

Mar 28, 2024 18:54

post hole digger posted: the docs so nice they dacted them twice

more dacta!

Mar 28, 2024 20:03

i have not been following the latest unredactions here

were they really installing a CA certificate and re-terminating the TLS traffic or were they installing some kind of MDM profile that enabled a traditional HTTP proxy for particular hostnames

i guess it doesn't really matter all that much but one of them fucks with the CA/WebPKI ecosystem and the other is just a standard enterprise feature used in a hilariously inappropriate fashion

seems kind of mindboggling that either of these approaches would be something allowed in the apple or google ecosystems, that's like just malware? like there just shouldn't be interfaces to control this poo poo programmatically from random mobile apps

Mar 28, 2024 20:49

they were using an Apple enterprise developer account, which, yes, is not supposed to be used for that. but Apple isn’t going to audit your IT department to make sure the private app you deploy to your employees' managed devices isn’t doing shady poo poo. one reason they were so pissed when they found out about it

so they were definitely doing #2 regardless but I don’t know the technical details of the Snapchat snooping

Mar 28, 2024 21:21

https://youtu.be/WkLvpxImRGw?si=uV0D64rpXDP11ceg I sub to this guy… hope he’s not a pos cause I know nothing about him. but I feel it’s a good explanation. now to figure out how to explain it to family members

Mar 28, 2024 21:27

shackleford posted: i have not been following the latest unredactions here were they really installing a CA certificate and re-terminating the TLS traffic or were they installing some kind of MDM profile that enabled a traditional HTTP proxy for particular hostnames

The dubiousness kind of depends on what they told users but if you want users to participate in research that involves mitming ssl connections from mobile apps, unless you want to have them install a hacked app (which probably isn't an option on ios) or jailbreak their phone, this is probably the one method that works, and if you did the mitming on the device and ensured that the data it collected didn't have any personal information, it isn't inherently unethical (not saying this was necessarily the case for facebook)

mystes fucked around with this message at 21:32 on Mar 28, 2024
Mar 28, 2024 21:27

It's also more confusing because I guess they bought an existing vpn app but also made their facebook research app which they specifically asked people to install. To be clear if they were collecting data from people who thought they were using a normal vpn that's gross, but paying people to allow them to do research to understand snapchat is not necessarily gross.

I haven't read about the details of who they were collecting what from, but some of the articles seem potentially misleading in terms of conflating these things, which is probably based on what the plaintiff's lawyers are saying in the lawsuit. This is partly facebook's fault for doing this in an intentionally confusing way but at least some of that confusingness seems to have been intended to be directed at Apple which is not really problematic and I feel like there could be an attempt here by the plaintiffs' lawyers to kind of make it sound like that confusingness was directed at the users to make it shadier than it is and I'm not sure whether or not that was actually the case

Trying to lie to apple is imo not an issue but if they lied to the people they were collecting the data from that's a big issue. It is necessary to distinguish those things and it is not helpful if people intentionally don't do that because ignoring the distinction makes it easier to be like "oh my god facebook was stealing all the internet traffic of all facebook users they should go to jail" that way (if they're doing that; I'm too busy right now to actually try to look into whether they are)

mystes fucked around with this message at 21:38 on Mar 28, 2024
Mar 28, 2024 21:34

namlosh posted: https://youtu.be/WkLvpxImRGw?si=uV0D64rpXDP11ceg

The original article said (imo it sounds like it is written intentionally misleadingly):

quote: Facebook's IAAP Program used nation-state-level hacking technology developed by the company's Onavo team, in which Facebook paid contractors (including teens) to designate Facebook a trusted "root" Certificate Authority on their mobile devices, then generated fake digital certificates to redirect secure Snapchat analytics traffic (and later, analytics from YouTube and Amazon) from Snapchat's servers to Onavo's; decrypted these analytics and used them for competitive gain, including to inform Facebook's product strategy; reencrypted them; and sent them up to Snapchat's servers as though it came straight from Snapchat's app, with Facebook's Social Advertising competitor none the wiser.

I don't like the way this is written because when you read "Facebook's IAAP Program used nation-state-level hacking technology developed by the company's Onavo team, in which Facebook paid contractors (including teens) to designate Facebook a trusted "root" Certificate Authority" it initially sounds for a second like they became a trusted CA but when you read it closely it sounds like they were paying specific people to manually install their CA cert

Mar 28, 2024 21:49

minor entrust updates: on the topic of:

Entrust: Delayed revocation of clientAuth TLS Certificates without serverAuth EKU

Paul van Brouwershaven posted: We are working with 114 customer accounts to revoke and re-issue 1,176 affected clientAuth TLS Certificates without the serverAuth EKU. Here is a summary of our progress as of this posting:

Ryan Dickson posted: Hi Bruce,

Mar 28, 2024 22:51

mystes posted: This is implying that Facebook was MITMing all traffic from the Onavo vpn but it doesn't sound like this was possible?

I think it was possible, if you had users install a device management profile (typically used for MDM). that was something that VPNs had to do back then because it was the only way of setting the networking parts up correctly, but enterprises—and IIRC from when this was revealed in 2018, Onavo-at-Facebook—could also use it to install an internal root for internally-issued certs

Onavo was then combining the VPN’s interception of traffic with the trusted root’s ability to issue certificates, to see all traffic in the clear (possibly avoiding the set of hostnames hardcoded into the browser’s high-value-target list, which insists on certs with a specified signature chain)

in iOS 16(?) Apple added a different system of profiles that let VPN applications manipulate the routing and virtual device pieces without letting them install a root, AIUI, so this would be harder to hide today

I think the enterprise developer account thing was something else, about test builds getting updated outside of the App Store flow (which the internal builds definitely did, and I guess they wanted a broader tester base)

Mar 28, 2024 23:05

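The interception chain Subjunctive describes above (a management profile adds a root the device trusts, the VPN sits in the path, and that root signs a certificate for the target hostname, which ordinary chain validation then accepts unless the client also pins the expected key) can be seen in miniature with openssl. This is an added example, not code from the thread or from any company it discusses; it assumes only that the openssl command-line tool is on PATH, and the hostname, CA names, keys and trust-store files are all constructed here and mean nothing outside the script.

```shell
#!/bin/sh
# Added demonstration, not code from the thread or from any company it discusses.
# Assumes only that the openssl CLI is on PATH; every certificate, key and
# hostname below is generated here and is made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=analytics.example.test      # constructed hostname, not a real endpoint

# Minimal openssl config so the self-signed roots carry CA:TRUE on every
# openssl version (the DN is overridden by -subj below).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

gen_ca() {   # $1 = name -> $WORK/$1.key, $WORK/$1.crt (self-signed root)
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() {   # $1 = issuing CA name, $2 = leaf name; leaf CN is $HOST
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok STORE LEAF: ordinary path validation against a trust store only.
chain_ok() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# spki_pin CERT: base64(SHA-256(SubjectPublicKeyInfo)), the HPKP-style pin value.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl enc -base64 -A
}

gen_ca genuine_root          # the CA the real service's certificate chains to
gen_ca interposer_root       # an extra root a profile has added to the device
issue_leaf genuine_root genuine_leaf
issue_leaf interposer_root forged_leaf   # same CN, issued by the extra root

# Trust stores: the device as shipped, and the device after the profile.
cp "$WORK/genuine_root.crt" "$WORK/store_original.pem"
cat "$WORK/genuine_root.crt" "$WORK/interposer_root.crt" > "$WORK/store_with_extra_root.pem"

# Pin recorded at build time from the genuine key (what a pinning client ships with).
PIN=$(spki_pin "$WORK/genuine_leaf.crt")

# check STORE LEAF: what a pinning client does; prints accept, reject:chain or reject:pin
check() {
  [ "$(chain_ok "$1" "$2")" = ok ] || { echo reject:chain; return 0; }
  [ "$(spki_pin "$2")" = "$PIN" ] || { echo reject:pin; return 0; }
  echo accept
}

echo "forged leaf, original store, chain only:  $(chain_ok "$WORK/store_original.pem" "$WORK/forged_leaf.crt")"
echo "forged leaf, extra root, chain only:      $(chain_ok "$WORK/store_with_extra_root.pem" "$WORK/forged_leaf.crt")"
echo "forged leaf, extra root, chain + pin:     $(check "$WORK/store_with_extra_root.pem" "$WORK/forged_leaf.crt")"
echo "genuine leaf, extra root, chain + pin:    $(check "$WORK/store_with_extra_root.pem" "$WORK/genuine_leaf.crt")"
```

Run it as a script: the forged certificate fails against the original store, passes plain chain validation once the extra root is in the store, and is only rejected again by the SPKI pin comparison, which is exactly the property of the "hardcoded high-value-target list" mentioned above. On the device side, the counterpart check is auditing the trust store for roots that arrived via a configuration profile rather than with the OS.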
Ars has a good writeup of the details: https://arstechnica.com/tech-policy/2024/03/facebook-secretly-spied-on-snapchat-usage-to-confuse-advertisers-court-docs-say/ it also says that people were paid to install the kits but under a 3rd party label and it was not clearly mentioned that facebook would be benefiting from the data

Mar 28, 2024 23:10

https://arstechnica.com/gadgets/2024/03/netflix-ad-spend-led-to-facebook-dm-access-end-of-facebook-streaming-biz-lawsuit/ facebook letting netflix read private DMs for show recs and people wonder why I don’t want to use whatsapp for anything important

Mar 28, 2024 23:16

where’s the detail about them being able to read DMs? it says they have access to the Titan API, but to access users’ “messaging app and non-app friends”. when I read that before I thought it was to let them send messages on the Netflix user’s behalf, to do things like watch parties or recommendation messages or whatever is there something more somewhere about the DM access? very curious now

Mar 28, 2024 23:27

Subjunctive posted: where’s the detail about them being able to read DMs? it says they have access to the Titan API, but to access users’ “messaging app and non-app friends”. when I read that before I thought it was to let them send messages on the Netflix user’s behalf, to do things like watch parties or recommendation messages or whatever

It’s spread throughout the article but in particular there’s a part that reads:

quote:

Mar 28, 2024 23:33

Subjunctive posted:where’s the detail about them being able to read DMs? it says they have access to the Titan API, but to access users’ “messaging app and non-app friends”. when I read that before I thought it was to let them send messages on the Netflix user’s behalf, to do things like watch parties or recommendation messages or whatever

Mar 28, 2024 23:34

sb hermit posted: It’s spread throughout the article but in particular there’s a part that reads:

What the actual gently caress

Mar 28, 2024 23:34

Apr 28, 2024 22:18

is that read access or write access? the inbox API I remember was just for sending messages to people directly (vs the messenger-for-business-pages stuff), which is why it was called that, but it might have changed

Mar 28, 2024 23:35