> How did they man-in-the-middle this HTTPS traffic?
The easiest way would be to use an HTTPS debugging proxy like Charles.
But really, since the testers control the client device, they can do whatever they want.
The problem is that 3fun trusts the client to keep other users' data private. This is pretty obviously a bad idea, since attackers can modify the client in pretty much any way they like.
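An added example, not part of the comment above and not 3fun's code: the same lookup written once so the app is expected to hide private fields and once so the server removes them before responding, plus an audit helper that checks what a proxied response would contain. All names, fields and records are hypothetical and constructed for illustration.

```python
# Constructed records; field names are hypothetical, not taken from any real API.
USERS = {
    1: {"id": 1, "name": "alice", "lat": 51.5007, "lon": -0.1246,
        "birthday": "1990-04-02", "hide_location": True, "hide_birthday": True},
    2: {"id": 2, "name": "bob", "lat": 40.7128, "lon": -74.0060,
        "birthday": "1988-11-23", "hide_location": False, "hide_birthday": True},
}

# Fields that each privacy flag controls.
PRIVACY_RULES = {"hide_location": ("lat", "lon"), "hide_birthday": ("birthday",)}


def nearby_client_trusting(viewer_id):
    """Weak design: ship full records plus flags and expect the app to hide them."""
    return [dict(u) for uid, u in USERS.items() if uid != viewer_id]


def nearby_server_enforced(viewer_id):
    """Hardened design: withheld fields are removed before the response is built."""
    out = []
    for uid, user in USERS.items():
        if uid == viewer_id:
            continue
        withheld = {f for flag, fields in PRIVACY_RULES.items() if user.get(flag)
                    for f in fields}
        # Drop the withheld fields and the flags themselves.
        out.append({k: v for k, v in user.items()
                    if k not in withheld and k not in PRIVACY_RULES})
    return out


def leaked_fields(response):
    """Audit helper: per user id, fields present although the owner's flag hides them.
    Flags are looked up in USERS because the hardened response omits them."""
    leaks = {}
    for rec in response:
        owner = USERS[rec["id"]]
        found = sorted(f for flag, fields in PRIVACY_RULES.items() if owner[flag]
                       for f in fields if f in rec)
        if found:
            leaks[rec["id"]] = found
    return leaks
```

Running `leaked_fields` over recorded API responses in a test suite catches this class of bug regardless of what the client UI chooses to display.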
They are using Burp to proxy the HTTP requests. Assuming there's no proper CA validation on the client side or client certificates, it's quite trivial.