Is Facebook stealing your data? A VPN breach has been reported
Facebook is under investigation for its involvement in VPN data theft.
Tech analyst HaxRob sheds light on the issue with his in-depth analysis, while tech journalist Naomi Brockwell commented further, revealing a complex web of hacking and spoofing of user data.
Facebook accused of data theft via VPN
HaxRob's investigation has focused on Facebook's acquisition of Onavo, which can intercept and analyze user data transmitted by other applications. By installing root certificates on users' mobile devices, Facebook is said to be able to monitor and intercept traffic from multiple applications.
The controversy centers around Onavo. Before it was removed from the app store, it offered VPN services under the guise of user security. However, archived statements and the app's functionality hint at darker intentions.
“This code included a client-side ‘kit’ that installed a ‘root’ certificate on Snapchat users' mobile devices, as well as custom server-side code based on ‘Squid’ that created fake digital certificates to make Facebook's servers look authentic. Facebook's systematic analysis of Snapchat to confirm, YouTube and Amazon Analytics servers to redirect and decrypt secure traffic,” the court filing said.
In addition to violating user trust, such actions cross the boundaries of the ethical use of technology. As HaxRob pointed out, “The app, while presenting itself as a security tool for users, was able to communicate with Facebook's servers.”
Naomi Brockwell's comment further confirms the seriousness of the situation. She described Facebook's actions as a “man-in-the-middle attack” that involved accessing SSL traffic and sensitive user data without permission.
“It appears that Facebook used their VPN service to steal data from other apps in a man-in-the-middle attack. This allows them to create fake digital certificates to impersonate Snapchat, YouTube, Amazon, etc., allowing them to view all SSL traffic,” Brockwell explained.
A technical breakdown of Onavo's app operations shows alarming permission requests, including the ability to display over other apps, access to historical and deleted app usage, and phone call management. Requested under the guise of increasing user security, these permissions raise significant red flags about the amount of data Facebook can access and use.
Crucially, the practice of installing certificates to intercept app traffic, although hampered by recent Android security updates, shows how far companies will go to collect user data. The exposure of such practices, including the collection of mobile subscriber IMSI numbers and extensive telemetry data from the app's 10 million downloads, reflects the need for stricter regulatory oversight.
This incident is not isolated. The $20 million fine by Australia's ACCC echoes previous fines, such as the one imposed by Australia's ACCC, highlighting global concerns over Facebook's data handling practices.
Disclaimer
Adhering to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This newsletter aims to provide accurate and up-to-date information. However, readers are advised to independently verify facts and consult with experts before making any decisions based on this content.