Facebook’s drama continues with another privacy breach. The company’s initial user breach included 50 million users’ information and has resulted in Facebook being investigated by the FTC.
The company’s Onavo VPN service has been reported as “effectively installing spyware on iPhones and iPads.”
Facebook’s VPN was discovered to be collecting far more data on users than first reported. Will Strafach, a security researcher, found that the app uses a Packet Tunnel Provider extension to send data back to Facebook even when the VPN is not in use.
Strafach explains his findings on Medium. He claims the app flushes collected information from memory to log files once more than 49 “events” have accumulated in memory; those log files are then sent back to Facebook via a network request. Analytics data is uploaded to Facebook periodically after the app is installed, even when the Onavo app is not open.
“For confidentiality purposes, a good provider should not store metadata or logs of their users. It makes it stand as reliable and secure by remaining anonymous. It makes your information safe and does not reach any third party,” states https://topVPNchoice.com.
Strafach explains that Facebook collects information including:
- When the iPhone is turned off and on
- Data usage
- Daily Wi-Fi usage
VPN services are known to collect some data in an effort to improve their services, but Onavo’s collection extends to data that is irrelevant to how the VPN service operates or benefits the end user.
The National Inquirer reports its correspondence with Onavo product manager Erez Naveh. The statement from Naveh claims that since Onavo is part of Facebook, some of the information is used to improve Facebook services and products. Naveh claims that users are aware of this activity and that the company listens to user feedback when updating its app.
Onavo does state that it will “collect your mobile data traffic.” This is a red flag for security experts because VPNs are often used precisely for the anonymity of traffic. Higher-end VPN services are known not to collect data, store logs, or keep records on users.
The statement that the data may also be used by Facebook and for Facebook products indicates that the data collected may be used on the company’s targeted advertising platform.
Onavo’s privacy concerns grow deeper because all traffic is routed through the VPN, meaning Facebook can track specific app data and effectively everything a user does on their phone. The VPN does not need to be active for the data to be collected; the app continues to report on the user even when it is not in use. Users can uninstall the app completely to stop their data from being collected.
Cisco also got in trouble last month over a flaw in the company’s VPN software. The flaw was rated a high-severity bug and had been concealed for 80 days before the company announced it to the public.
The company’s Adaptive Security Appliance (ASA) software was found to have a bug that allowed a remote attacker to “own” ASA devices that had the webvpn feature enabled.