Is Facebook Stealing Your Data? VPN Breach Revealed

Facebook has come under scrutiny for its alleged involvement in VPN data theft.

Tech analyst HaxRob, through his in-depth analysis, brought the issue to light, while tech journalist Naomi Brockwell further commented on it, revealing a complex web of user data interception and manipulation.

Facebook’s Alledge Data Theft Via VPN

HaxRob’s investigation unveiled that Facebook, leveraging its acquisition of Onavo, engaged in practices that could potentially intercept and analyze user data transmitted across other applications. By integrating root certificates into users’ mobile devices, Facebook purportedly could monitor and intercept traffic from a myriad of apps.

The controversy centers around Onavo. Before its removal from app stores, it ostensibly offered VPN services under the guise of user safety. However, archived descriptions and app functionalities hint at a darker purpose.

“This code, which included a client-side “kit” that installed a “root” certificate on Snapchat users’ mobile devices, also included custom server-side code based on “squid” through which Facebook’s servers created fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis,” a court filing reads.

Such actions not only breach user trust but also skirt the boundaries of ethical use of technology, as HaxRob pointed out, “The app managed to establish connectivity back to Facebook’s servers, despite presenting itself as a tool for user safety.”

Read more: What Is the Best VPN in 2024?

Naomi Brockwell’s comments further cement the severity of the situation. She described Facebook’s actions as a “man-in-the-middle attack,” accessing SSL traffic and sensitive user data without consent.

“Looks like Facebook did a man-in-the-middle attack using their VPN service to steal data from other apps. This enabled them to see all SSL traffic, by creating a fake digital certificate to impersonate Snapchat, YouTube, Amazon, etc,” Brockwell explained.

The technical dissection of the Onavo app’s operations reveals alarming permissions requests, including overlay capabilities over other apps, access to historical and deleted app usage, and the management of phone calls. Under the pretext of enhancing user safety, these permissions raise significant red flags about the extent of data Facebook could access and manipulate.

Critically, the practice of installing certificates for intercepting app traffic, though hindered by recent Android security improvements, showcases the lengths to which companies might go to gather user data. The exposure of such practices, including the potential collection of mobile subscriber IMSI numbers and the extensive telemetry data amassed from the app’s 10 million downloads, reflect the imperative for stringent regulatory oversight.

This incident is not isolated. It echoes previous fines, like the $20 million penalty imposed by Australia’s ACCC, highlighting the global concern over Facebook’s data handling practices.