
Facebook allegedly stole Snapchat’s data using an MITM attack

Ray Fernandez

Apr 4, 2024


Newly unsealed US court documents reveal that Meta (formerly Facebook) has engaged in aggressive and questionable tactics to overtake its competition since 2016. 

Released court documents show that Meta deployed a program called In-App Action Panel (IAAP) from 2016 to 2019. Allegedly, under the IAAP program, developed and monitored by Mark Zuckerberg himself, Meta leveraged a cyberattack technique described as an SSL man-in-the-middle (MITM) attack.

The document accuses Meta of gathering data by intercepting and decrypting information from Snapchat and, later, YouTube and Amazon. The data was allegedly used to fight any competitor that stood in the way of Meta’s market domination as a social media platform. 

Moonlock spoke with Irina Tsukerman, a US national security lawyer with a background in cybersecurity, a geopolitical analyst focused on information warfare, and President of Scarab Rising, Inc., to get the legal perspective on the news.

Zuckerberg accused of masterminding Project Ghostbusters

A federal court in California unsealed documents on March 26, 2024, which accuse Meta of engaging in illegal competition. The document claims that Meta’s IAAP program was not just anti-competitive but criminal and breached the Wiretap Act and other laws. 

While Meta has faced — and is currently facing — several legal actions, the accusations presented in this particular suit are worrying. 

The document claims that Meta created and ran programs to target its competition using wiretapping technologies. The document also presents evidence that includes emails from top executives who allegedly orchestrated and directed these cyberattack-style actions against rival companies, and emails from Mark Zuckerberg. 

“First, a mandatory disclaimer,” Tsukerman said. “Of course, there is a presumption of innocence even in cases where the bulk of the evidence points in the direction of illegal activity.”

“Setting that aside,” Tsukerman added, “what makes this case different from the various and assorted previous investigations into social media companies engaging in illicit surveillance activities is that it is a criminal case, and it is hard to imagine a situation where Meta would not be aware that it is overstepping its bounds in using its technologies to gather information on rival companies and private data without consent.”

The details of Facebook’s Project Ghostbusters

The IAAP program gained the internal name Project Ghostbusters — a reference to Snapchat’s ghost logo. On June 9, 2016, Mark Zuckerberg emailed three of the company’s top executives, saying, “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them…”

The document claims Zuckerberg wanted to access this encrypted Snapchat information.

“Given how quickly they’re growing,” Zuckerberg allegedly said, “it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

A screenshot of Vanish Mode, another feature Meta copied from Snapchat under its anti-competition strategy. Facebook and Instagram are trademarks of Meta Platforms, Inc.

“The righteous indignation could be seen in a different light if Meta’s other actions regarding spying techniques come under the microscope,” Tsukerman said. “In essence, the sum of Meta’s campaigning against commercial spyware is not about, as one would assume, concerns about data privacy, but about monopolizing the surveillance market.”


According to the documents, Meta turned to Onavo, an Israeli web analytics company purchased by Meta in 2013. Onavo’s experience and skills in the consumer mobile app market, virtual private network (VPN) services, and web traffic analytics were leveraged to attempt to decrypt Snapchat’s SSL-protected analytics traffic.

Onavo was shut down in 2019 after an investigation found that Meta had paid teenagers to use Onavo in an effort to gain their web behavior data. 

SSL man-in-the-middle attack: Illegally intercepting in-app usage data

The court document presents email evidence from top executives discussing the techniques they could use to access Snapchat’s encrypted data. One internal email presented their “current technical solution” as follows:

“We developed ‘kits’ that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage (specific actions that people are performing in the app, rather than just the overall app visitation).”

Meta and Onavo describe this technique as a man-in-the-middle approach — a tactic used by cybercriminals where they position themselves between two ends of a communication channel, such as user and app, to intercept communications and data exchanges and use them for malicious purposes. 

The documents and evidence presented also allegedly show that Meta combined the server-side SSL bump “man-in-the-middle” approach to intercept and decrypt communications of Snapchat. This was allegedly developed and implemented at scale from June 2016 to early 2019, first against Snapchat and later against YouTube and Amazon. 

Allegations of illicit information gathering

SSL technologies were allegedly used by Meta with the goal of gathering not just basic usage and traffic data, but in-app user information, which translates to Meta knowing what users were doing in their competitor’s app. All this information was gathered without the consent or knowledge of users. 

“Worth noting, of course, is not only the allegation of illicit gathering of information, but also what happened to that data,” Tsukerman told Moonlock.

“Aside from using that information to unjustly enrich itself at the expense of its competitor and to monopolize this sphere,” said Tsukerman, “could this information have been used in other ways, such as to intimidate competitors, resell that data illegally to other companies or countries, or use it for unauthorized private purposes by some of the Meta employees?”

Meta is no stranger to legal cases and scandals, as this 2019 post shows. Mark Zuckerberg has been asked to testify to Congress more than once due to various Meta breaches.

Where the story begins: Klein v. Meta, 2020

The recently released documents are part of an ongoing four-year trial against Meta filed in 2020 by Maximilian Klein and Sarah Grabert. The case accuses Meta of unjust enrichment, breaching antitrust laws, monopolizing the social media market, and violating the Sherman Act. 

The claim asserts that Meta was attempting to use, and had successfully used, anti-competitive acquisitions and threats to “destroy competition” in the social media market. 

Tsukerman said that, looking at the 2020 legal action and the latest documents, “the totality of circumstances very much is pointing in the direction of Facebook taking various measures not only to undercut its potential competition through illicit measures that may fall short of industrial espionage but for sure involve unethical snooping, but also is seeking to eliminate government use of commercial spyware in order to gain full control of the security aspect of the market as much as the social and financial aspects of it.”

The “Copy, Acquire, Kill” strategy

The document details how Meta tracked consumers’ personal data to identify competition strengths and eliminate them using a strategy of “copy, acquire, or kill.” Targeted companies included Instagram, Snapchat, and WhatsApp.

The accusations claim that “Facebook led a sustained effort to surveil smaller competitors to benefit Facebook, steps taken to abuse data, to harm competitors, and to shield Facebook from competition” and developed its own technology to surveil and spy on rivals.

According to the accusations, the sole purpose of Meta’s Onavo purchase was to use the company’s expertise under Facebook’s Growth team.

“To obtain extensive information on a user’s usage of mobile applications and of bandwidth, Onavo cloaked its spyware in VPNs, data compression, and even in mobile privacy apps,” the case reads, describing Onavo’s Protect VPN software as a “massive surveillance and data collection scheme.” 

By February 2018, Onavo spy apps had been downloaded 33 million times by Android and iOS users who were not aware that the app, disguised as a VPN, was actually spying on them.

Meta went further by trying to acquire Snapchat for $3 billion — a high offer that Snapchat would reject. When the “acquire” phase failed, Meta initiated the “copy” phase, allegedly using stolen data that allowed the company to copy all the most popular app features of Snapchat. 

Meta also used the “Copy, Acquire, Kill” strategy against WhatsApp and Amazon. 

A screenshot of Instagram Stories, a feature Meta copied from Snapchat under their “copy, acquire, or kill” strategy. Facebook and Instagram are trademarks of Meta Platforms, Inc.

Final thoughts

It is unclear why Meta’s top executives would engage in such deceptive techniques to illegally obtain in-app user behavior data, especially considering that there are numerous legal ways that top companies can get data from their competitors.

This new document, if proven by a court of law to be truthful, could have serious reputational, financial, and legal consequences for Meta, a company accustomed to being in the spotlight of legal controversy.

It is still too early to know what defense strategy Meta will respond with, but considering that the trial has been ongoing for four years, further delays might continue. 

Has Meta reached a non-sustainable, long-run breaking point? Will public pressure and regulatory scrutiny intensify, forcing Meta to consider a more proactive strategy, such as increased transparency or addressing the core issues raised in the lawsuit? History says that such an outcome is, unfortunately, highly unlikely, but Tsukerman had a different take on the near future and potential consequences.

“Depending on how far this goes, we may be facing far more than antitrust violations,” Tsukerman said, “and if other social media companies are involved or coordinated anything remotely similar, the worst-case scenario could rise to the level of a RICO conspiracy (racketeering).”

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Meta Platforms, Inc. Facebook and Instagram are trademarks of Meta Platforms, Inc.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.