Snapchat is blaming unofficial, unauthorized apps for an apparent hack that has resulted in thousands of nude photos of users being released on 4chan, the same online forum where nude celebrity photos taken from hacked iCloud accounts were released.
Snapchat told VentureBeat that its systems were not breached. Instead, it says that use of "illegal third-party apps" were used to steal the photos of its users:
According to VentureBeat's Ruth Reader, some 200,000 accounts may have been implicated in this latest breach, which has been given the moniker "the Snappening." While it's not yet clear which app or apps are to blame, some reports indicate that web and mobile applications that allow Snapchat users to save photos are the culprits.
The dark side of unofficial APIs
Snapchat has been waging war with such apps for some time. The company, which is rumored to be in talks with Yahoo for an investment that would value the photo sharing startup at a whopping $10 billion, has not released an official API for public use, but that hasn't stopped developers from reverse engineering the company's API to create unofficial APIs of their own. These unofficial APIs are then used to build the so-called unauthorized apps.
One developer, Thomas Lackner, was targeted by Snapchat after he created Snaphax, a PHP Library that was based on his reverse engineering of the Snapchat API. "I think that all APIs should be open," Lackner stated in an interview at the time. "I think it’s a fundamental right that if you contribute data to a system, you should be able to GET it back out."
Snapchat, however, disagreed and accused Lackner of violating a provision of the Digital Millennium Copyright Act that forbids the circumvention of protections like Encryption. Snaphax hasn't been updated in more than a year, but that doesn't mean the reverse engineering has stopped.
Public APIs as component of API security
Other developers, such as a group called Gibson Security, have also reversed engineered the Snapchat API and highlighted what they claimed were easily exploitable security vulnerabilities. According to Gibson Security, some of the vulnerabilities it says it discovered went unfixed for months.
This highlights an inconvenient truth for companies: private APIs developed for internal use are subject to the same level of scrutiny as public APIs that are open to third parties. This is particularly true for popular services like Snapchat, which have millions of users and which are used to exchange private data on behalf of those users.
That raises an interesting question: can releasing a public API be a part of API security strategy for companies like Snapchat? While the launch of a public API involves numerous considerations, if the company was able to offer a public API, and launched an app store to distribute and promote authorized apps, it could help prevent incidents like "the Snappening." Malicious apps almost certainly wouldn't be entirely eliminated, but given Snapchat's popularity, it's likely well-intentioned developers would flock to participate in an official ecosystem.
Their apps, which would of course have to adhere to Snapchat's rules and use a revocable Authentication scheme like OAuth, would give users legitimate alternatives to the apps that are now implicated in an incident that is proving to be as embarrassing to some of Snapchat's users as it is to Snapchat itself.