Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Message Snooping. Show all posts

Facebook Spied on Users' Snapchat Traffic in a Covert Operation, Documents Reveal

 

In 2016, Facebook initiated a secret initiative to intercept and decrypt network traffic between Snapchat users and the company's servers. According to recently revealed court filings, the purpose was to better analyse user behaviour and help Facebook compete with Snapchat. Facebook dubbed it "Project Ghostbusters," an apparent homage to Snapchat's ghost-like emblem.

On Tuesday of this week, a federal court in California disclosed fresh documents acquired during the class action case between consumers and Meta, Facebook's parent company. 

The newly revealed documents show how Meta attempted to gain a competitive advantage over its competitors, namely Snapchat and later Amazon and YouTube, by analysing network traffic to see how its users interacted with Meta's competitors. Given that these apps use encryption, Facebook had to design specific technology to get around it. 

Facebook's Project Ghostbusters is described in one of the documents. In the letter, the customers' attorneys stated that the project was a part of the company's In-App Action Panel (IAPP) programme, which employed a method for "intercepting and decrypting" encrypted app traffic from users of Snapchat, and later from users of YouTube and Amazon. 

The document includes internal Facebook emails about the project. 

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.” 

Facebook developers' idea was to employ Onavo, a VPN-like service that the company acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that the business had been secretly paying teens to use Onavo so that it could monitor all of their web activity. 

Following Zuckerberg's email, the Onavo team took on the project and proposed a solution a month later: so-called kits that can be installed on iOS and Android to intercept traffic for specific subdomains, "allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage," reads a July 2016 email. "This is a 'man-in-the-middle' approach.” 

A man-in-the-middle attack, also known as adversary-in-the-middle, is one in which hackers intercept internet communication passing from one device to another over a network. When network communication is not encrypted, hackers can read data such as usernames, passwords, and other in-app activity.

Given that Snapchat's traffic between the app and its servers is encrypted, this network research technique is ineffective. This is why Facebook developers advocated adopting Onavo, which, when engaged, scans all of the device's network data before it is encrypted and transferred over the internet. 

Sarah Grabert and Maximilian Klein filed a class action lawsuit against Facebook in 2020, alleging that the company misled about its data collecting activities and used the data it "deceptively extracted" from users to find competitors and then unfairly compete with the new firms.

Email Bug Permits Message Snooping, Credential Theft

 

Researchers warned that hackers may snoop on email communications by attacking a flaw in the underlying technology used by most of the email servers that run the Internet Message Access Protocol or known as IMAP. 

The flaw was initially reported in August 2020 and was fixed on 21st June 2021. According to the Open Email Survey, it is linked to the email server software Dovecot, which is used by nearly three-quarters of IMAP servers. 

According to a paper by researchers Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences in Germany, the vulnerability allows for a meddle-in-the-middle (MITM) attack. 

In accordance with research linked to a bug bounty page, dated August 2020, “the vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker.” 

Dovecot version v2.3.14.1, a patch for the vulnerability is rated -severity by the vendor and critical by the third-party security firm Tenable, is available for download. According to a technical analysis provided by Anubisnetworks, the flaw revolves around the execution of the START-TLS email instruction, which is a command issued between an email program and a server that is used to protect the delivery of email messages. 

“We found that Dovecot is affected by a command injection issue in START-TLS. This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows [an attacker] to mount a session fixation attack, which possibly results in stealing of credentials such as the SMTP username and password,” researchers stated. 

According to an OWASP description, a session fixation attack permits an adversary to take over a client-server connection once the user logs in. As per researchers, due to a START-TLS implementation issue in Dovecot, the intruder can log in to the session and transfer the entire TSL traffic from the targeted victim's SMTP server as part of its own session. 

“The attacker obtains the full credentials from its own inbox. At no point was TLS broken or certificates compromised,” the researchers wrote. 

For Dovecot operating on Ubuntu, a Linux version based on Debian, a fix for the issue, dubbed CVE-2021-33515, is now available. Ising and Poddebniak have provided workaround fixes for the vulnerability. Disabling START-TLS and configuring Dovecot to accept only “pure TLS connections” on port 993/465/995 is one solution. 

The researchers stated, “Note that it is not sufficient to reconfigure a mail client to not use START-TLS. The attack must be mitigated on the server, as any TLS connection is equally affected.”