Cheraw Chronicle


Documents proving how Facebook eavesdrops on Snapchat users via VPN – IT Pro – News

It is not necessary.
If you have a VPN, DNS traffic also goes through that VPN (unless it is “leaked”). The VPN server's DNS server now answers that the “man in the middle” server is snapchat.com.
Facebook creates a certificate for snapchat.com. The Snapchat app now connects to Facebook's man-in-the-middle server.

It seems that Snapchat did not check whether the certificate used was valid (signed by a public CA or, even better, a certificate known to Snapchat itself), but only checked that that certificate.
Facebook decrypts the traffic, analyzes it, re-encrypts it toward the real Snapchat, and so on.

This will not work easily with a browser, because it ships with a number of standard CAs (which your browser vendor has checked for you and found to be safe/trusted). For it to work, your browser must be given a new CA.
You often see this construct among employers. They push an “internal CA” to browsers (for internal sites), but they also have a transparent proxy server. A TLS request to www.willekeurigewebsite.nl begins. The proxy creates a certificate for that website “on the fly” and forwards the request to the Internet. This way, the employer can check whether the websites in question are safe/allowed, and can still monitor when necessary.
What you see in practice is that this is not applied to “extended security” sites such as banks and the like, in order to strike a balance with employee privacy.

In any case, the fact that this happened with the Snapchat app also means that Snapchat itself made mistakes as well. If they had kept things in order, this would not have happened. (However, this was yet another, even more ridiculous prank by the obnoxious Facebook.)
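
The two client-side checks named above (a chain to a trusted CA, and a certificate the app itself already knows), as an added Python sketch that is not part of the original comment and is not Snapchat's code. The function names, the pin set and the byte strings standing in for DER certificates are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

def strict_context() -> ssl.SSLContext:
    """Check 1: the chain must end at a trusted CA and match the hostname."""
    ctx = ssl.create_default_context()      # loads the system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def is_pinned(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Check 2: the presented certificate must be one the app already knows."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in pins)

def connect_pinned(host: str, pins: Iterable[str], port: int = 443,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that must pass both checks before any data is sent."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = strict_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} is not in the pin set")
    return tls

# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_DER = b"constructed stand-in: certificate shipped with the app"
INTERCEPT_DER = b"constructed stand-in: certificate minted on the fly by a proxy"
PINS = {fingerprint(GENUINE_DER)}

if __name__ == "__main__":
    # Even if a newly installed CA lets the proxy certificate pass check 1,
    # check 2 still rejects it because its fingerprint is not pinned.
    print("genuine accepted:  ", is_pinned(GENUINE_DER, PINS))
    print("intercept accepted:", is_pinned(INTERCEPT_DER, PINS))
```

Pinning a whole certificate means the pin set has to be updated when the certificate is renewed, so a pin set normally holds at least one backup entry.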