Hackers posting on anonymous message board 4chan made good on threats and published 13GB worth of stolen images from Snapchat users. This amounts to over 200,000 images and videos.
Snapchat immediately denied that its servers were breached, instead blaming unauthorized third-party sites and apps for the leak. Snapsaved.com, the website responsible for the leaked images, admitted on Facebook that its site was hacked, though it disputes the amount, saying the stolen data was limited to 500MB and not 13GB.
Interestingly, Snapsaved.com also admits to reviewing its users' images. Here’s the official statement from the website.
“Snapsaved has always tried to fight child pornography, we have even gone as far, as to reporting some of our users to the Swedish and Norwegian authorities. As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has affected 500MB of images, and 0 personal information from the database.”
4chan has since taken down posts linking to the images, as many of the leaked images feature underage teens, which constitutes distribution of child pornography.
How did this leak happen?
Although this leak may be shocking for some Snapchat users, the problem has been around for a while. Snapchat doesn’t offer official developer tools for third-party apps, but a developer reverse-engineered the app’s interface and posted tools for it publicly. Snapchat is aware this code is out there, but can’t do much about it since it’s already been widely distributed.
This code allows any developer to create apps and sites that can make requests to Snapchat’s servers. Snapchat is correct that its servers haven’t been breached: these apps don’t rely on breaking into the company’s servers, but on sniffing out the traffic between the official app and those servers instead.
Reverse-engineering Snapchat is surprisingly simple. The Verge spoke with one developer who simply downloaded the official Snapchat app onto his iPhone and was able to reverse-engineer it in a matter of hours.
“If you look at Windows Phone’ [sic] store for example, it’s lacking a serious amount of first-party apps, but people have made third-party ones anyway. Every company is a victim to this potential attack vector,” said the developer.
Is Snapchat doing anything about it?
Photos and videos sent to Snapchat are encrypted and travel over the secure communication protocols HTTPS and SSL. Unfortunately, the encryption key is easily found, which defeats that protection. This means third-party apps can make requests to Snapchat and the company won’t be able to distinguish them from its official apps. Still, this relies on Snapchat users handing over their usernames and passwords for these apps and sites to work.
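The following is an added illustration, not code from the article or from Snapchat, of why a key shipped inside a client app cannot tell an official app apart from an unofficial one. Every value in it is constructed (the APP_KEY, the user alice and her password, the action names); the server, clients and session store are a hypothetical model of the two layers the paragraph describes: a key baked into the app, and the user’s own username and password.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a secret shipped inside every copy of the client
# binary. Anyone who reverse-engineers the app recovers it. Not a real key.
APP_KEY = b"constructed-key-shipped-inside-the-client-binary"

# Constructed demo password store (sha256 of "correct horse") and session table.
USER_DB = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
SESSIONS = {}


def _canonical(payload):
    """Stable JSON encoding so client and server MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def app_sign(app_key, payload):
    """The request MAC any app computes with the key it was shipped with."""
    return hmac.new(app_key, _canonical(payload), hashlib.sha256).hexdigest()


def server_login(username, password):
    """Issue a session token only when the user's password is correct."""
    stored = USER_DB.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def server_accept(request):
    """Accept a request if the app MAC verifies and the session token is live.

    Nothing here can identify *which* app produced the request: every app
    that holds APP_KEY produces the same MAC over the same fields.
    """
    body = {k: v for k, v in request.items() if k != "sig"}
    expected = app_sign(APP_KEY, body)
    if not hmac.compare_digest(expected, request["sig"]):
        return False
    return SESSIONS.get(request.get("token")) == request.get("user")


def build_request(app_key, user, token, action):
    body = {"user": user, "token": token, "action": action}
    return {**body, "sig": app_sign(app_key, body)}


def _server_view(request):
    """Fields the server sees once per-session randomness is removed."""
    return {k: v for k, v in request.items() if k not in ("token", "sig")}


def demo():
    # Official client: has the shipped key and a session for the real user.
    official = build_request(APP_KEY, "alice",
                             server_login("alice", "correct horse"), "fetch_snaps")
    # Unofficial client that extracted the key but has no valid user session:
    # the key alone buys it nothing.
    key_only = build_request(APP_KEY, "alice", "not-a-real-token", "fetch_snaps")
    # Unofficial client to which the user handed username and password:
    # it logs in like the official app and its requests look the same.
    third_party = build_request(APP_KEY, "alice",
                                server_login("alice", "correct horse"), "fetch_snaps")
    return {
        "official_accepted": server_accept(official),
        "key_only_accepted": server_accept(key_only),
        "third_party_accepted": server_accept(third_party),
        "indistinguishable_to_server": _server_view(official) == _server_view(third_party),
    }


if __name__ == "__main__":
    print(demo())
```

The model shows the two facts the paragraph states: the shipped key is not an authenticator of the app, because the server only ever checks that a request was made with that key, and the user’s credentials are the only thing that actually gates access, which is why the unofficial apps still need users to hand those credentials over.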
Snapchat also relies on Apple and Google to police its app stores for these unofficial third-party apps. At the beginning of this year, Snapchat launched a major assault against these apps in Google Play.
Snapchat has cracked down on unauthorized apps in app stores.
A quick search now reveals that a majority of these apps are gone, but a few still exist in app stores. However, Android users can look outside Google Play to download these apps. There are also websites anyone can access that let you view and save images from your Snapchat account.
Should I avoid all unofficial Snapchat sites and apps or are there ones that are safe?
These unofficial apps could also be saving your photos and videos without you knowing, or selling your friends list to spammers.
Should I stop using Snapchat?
If you want your messaging to be truly secure, yes, you should leave Snapchat. However, if you just want an app that’s good for sharing photos and videos quickly, there’s no reason to leave Snapchat yet. Yes, the company has a long way to go to fix its security issues, but if you stick with using the official apps, you should be safe.
There are plenty of secure messaging apps that help you control what you send. BitTorrent’s Bleep messenger connects two people directly, instead of relying on a server to push messages. Protesters in Hong Kong flocked to Firechat last week for its off-the-grid messaging abilities.
For more about how to keep your photos safe, check out our guide on how to protect your private pictures.
Follow me on Twitter: @lewisleong