Last week, popular photo-sharing service Snapchat made headlines after photos its users had sent were leaked on 4chan, an online forum where photos obtained in other high-profile breaches have been previously released. Over the weekend, Snapsaved.com, an unauthorized website that enabled Snapchat users to save snaps, acknowledged that it was the source of the incident.
According to Snapsaved.com, a Web server misconfiguration allowed an attacker to access some of the content it had saved on behalf of Snapchat users who signed up for its service. However, Snapsaved.com, which no longer appears to be operational, stated that certain claims made by the attacker were not accurate. For instance, it says that no personal information associated with users was accessed as part of the breach. Snapchat itself was not hacked.
It's Not Snapchat's Fault, or Is It?
Snapsaved.com's admission that it was hacked should ease some of the scrutiny Snapchat has found itself under following this latest incident, which has been dubbed the Snappening, but the real issue is that Snapsaved.com exists in the first place.
As SmartBear's John Mueller pointed out, "It’s relatively easy to find full documentation for Snapchat’s API online, along with notes about how to exploit it to do things like download all of the images that someone is sending to someone else, grab Snapchat usernames and telephone numbers, or even replace the images that a sender is sending to a recipient with something else."
Mueller notes that Snapchat does not securely delete snaps and that its use of encryption may be flawed. "Some of the more interesting bits of information you can find online is that Snapchat uses symmetric encryption and that the encryption key is hidden in plain sight," he explained. "The form of encryption is also suspect in that it relies on Advanced Encryption Standard (AES) in Electronic Code Book (ECB) mode, which is easily cracked even if you don’t know the key from the outset. So, anyone who wishes really can look at all your data without too much trouble at all."
This raises serious questions: Just how seriously is Snapchat taking security, and what is the likelihood that the company will be able to prevent future breaches, either of its own service or of unauthorized third-party services like Snapsaved.com?
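As an added illustration (not code from this article, from Mueller, or from Snapchat): ECB mode, named in the quote above, encrypts every block independently, so identical plaintext blocks always yield identical ciphertext blocks, and that repetition can be measured without the key. Python's standard library has no AES, so this sketch assumes a stand-in 128-bit Feistel cipher; the function names and the sample data are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes
HALF = BLOCK // 2


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the stand-in cipher (truncated HMAC-SHA256).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a stand-in 128-bit block cipher, NOT AES.
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
        left, right = right, mixed
    return left + right


def blocks(data: bytes) -> list:
    # Input is assumed to be a whole number of blocks (no padding handled).
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted on its own with the same key.
    return b"".join(encrypt_block(key, b) for b in blocks(plaintext))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # CTR: block i is XORed with E(key, nonce || i), so equal blocks differ.
    out = bytearray()
    for i, b in enumerate(blocks(plaintext)):
        stream = encrypt_block(key, nonce + i.to_bytes(8, "big"))
        out += bytes(x ^ y for x, y in zip(b, stream))
    return bytes(out)


def repeated_blocks(data: bytes) -> int:
    # Keyless check: number of blocks that duplicate an earlier block.
    return sum(n - 1 for n in Counter(blocks(data)).values())


# Constructed sample: image-like data with large uniform regions.
SAMPLE = b"\xff" * BLOCK * 6 + b"unique header!!!" + b"\x00" * BLOCK * 4

if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 8  # constructed demo values
    print("plaintext repeats:", repeated_blocks(SAMPLE))
    print("ECB repeats:      ", repeated_blocks(ecb_encrypt(key, SAMPLE)))
    print("CTR repeats:      ", repeated_blocks(ctr_encrypt(key, nonce, SAMPLE)))
```

The ECB ciphertext carries over every repetition in the plaintext, while the counter-mode ciphertext of the same data under the same key shows none.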
Snapchat Working on a Public API, But Taking Its Time
Despite criticisms over its approach to security, Snapchat is still adamant that developers of unauthorized apps and its own users bear responsibility for the Snappening. In a blog post, the company reiterated:
A third-party application is any application that accesses the Snapchat API, but hasn’t been built and maintained by our company. Given the popularity of Snapchat and the size of our community, it’s no surprise that a cottage industry of app-makers has popped up to provide additional services to Snapchatters. Unfortunately, these applications often ask for Snapchat login credentials and use them to send or receive snaps and access account information.
When you give your login credentials to a third-party application, you’re allowing a developer, and possibly a criminal, to access your account information and send information on your behalf.
While Snapchat says that it will continue to push Apple and Google to shutter unauthorized apps that use its undocumented API, it also hinted that it's working on an official public API, writing, "It takes time and a lot of resources to build an open and trustworthy third-party application ecosystem. That’s why we haven’t provided a public API to developers and why we prohibit access to the private API we use to provide our service. Don’t get us wrong — we’re excited by the interest in developing for the Snapchat platform — but we’re going to take our time to get it right."
The big question is just how much time Snapchat can afford to take. Every security breach, whether Snapchat's fault or not, impacts the company's brand and gives users another reason to question whether they can trust the service. Worth keeping in mind: There is no way for users to know that they're sending snaps to other users who are using unauthorized apps and whose accounts are at risk. As a result, Snapchat users who heed the company's warnings could still fall victim to the unofficial ecosystem that has developed around Snapchat.
Unless Snapchat is able to make it significantly more difficult for third-party developers to build unauthorized apps, the creation of an official ecosystem that users can trust — and soon — could prove critical to the high-flying company's long-term viability.