SHAFAQNA – Snapchat has long been one of the favorite piñatas of the privacy crowd, criticized for encouraging teens to send nude pictures with dubious promises of ephemerality. But as the seedier corners of the Internet buzzed Friday over news of a 13 gigabyte leak of Snapchat messages, the service has pointed the finger instead at an unauthorized third party application as the source of the leak.
Snapchat is right, say security researchers who have warned the company of its third-party problem for years: Unauthorized parasite apps do pose a serious risk to Snapchatters. And despite the company’s efforts, there’s no easy fix for that backdoor into their not-so-disappearing data.
On Friday morning, the denizens of the anonymous forum 4chan were digging through what they described as a massive collection of photos and videos from the website Snapsaved.com, mostly searching for nude images sent by unsuspecting girls. The exact nature of the leak hasn’t in fact been confirmed—not an easy task considering it likely contains teens’ photos legally defined as child pornography—and 4chan removed the thread from its site Friday afternoon. But the Norwegian newspaper Dagbladet reports that the data cache contains 200,000 stolen images.
But even if Snapchat users’ data was accessed via someone else’s servers, that doesn’t make the breach any less of Snapchat’s problem, says security researcher Adam Caudill. He’s been reverse engineering Snapchat’s API to demonstrate exactly the problem of rogue third party apps for years. “Your average developer can build something in a day’s time that interacts with Snapchat’s API and saves everything that comes through it,” Caudill says. “Quite honestly, I’m surprised this hasn’t happened sooner.”
Caudill first warned Snapchat in 2012 that he had analyzed its API and could build a pirate app that stripped out its time-deletion features. “Given the nature of the application, I suspect unofficial clients are unavoidable…especially as the service grows in popularity,” he wrote at the time.
Snapchat soon reworked its API, but Caudill showed just months later that he could still pull off the same tricks.
Caudill’s second warning in late 2012 was even stronger. “Snapchat needs to hire an outside security consultant to review their systems to identify the flaws such as those I’ve pointed out and provide real solutions,” he warned. “Until they do, there will continue to be these cat and mouse games—and they’ll lose every time.”
Three other researchers quickly came to the same conclusion independently. One published a tool for using Snapchat’s API, known as Snaphax. “It’d be one, maybe two hours of work to turn the above code into something I could just switch on and forget about, while it happily archives every Snapchat I ever receive,” wrote Yuki Izumi, one researcher who worked on the problem.
A quick glance through Android’s Google Play store and the iOS App Store shows the extent to which Snapchat has lost the “cat-and-mouse game” that Caudill describes. On Apple’s tightly-controlled platform alone, apps like Snapbox, Snapcrack and SnapGrab all offer to let you save and store your friends’ photos before they’re deleted. It’s not clear how those apps, like Snapsaved.com, stored users photos, but some like SnapSaved.com no doubt leave them far more vulnerable to hackers than would Snapchat itself. “If you are eager to save your friends’ wonderful photos on Snapchat before they disappear, SnapGrab is the only app you need!” reads the description for SnapGrab. “Every time you get a new snap, make sure you FIRST open the SnapBox app,” the description for SnapBox explains. “Your friends will never know you saved their snaps!”
Snapchat says it hasn’t given up on pursuing those unauthorized apps. “We have been successful in removing dozens of these 3rd party apps from the iTunes App Store and Google Play and continue to aggressively pursue the removal of the remaining apps and new ones that crop up,” the company said in its statement to WIRED.
But as long as Snapchat offers an insecure API for use by other services, hackers will reverse engineer it to break the company’s intended time-deletion protections. “At the end of the day, something like this is very difficult to protect against,” says Caudill. “Someone out there is going to be determined enough to reverse engineer the API and publish the details.”
A flaw in the concept
Snapchat could no doubt do more to make reversing that API more difficult and to convince Apple and Google to clean out apps that take advantage of it. It could also make clearer to users that they shouldn’t share their Snapchat credentials with unauthorized third party apps—though senders may not know that the recipient of a message is using one of those shady alternative programs.
Caudill says the problem is more fundamental. Without controlling the endpoint devices themselves, Snapchat can’t ensure that its users’ photos will truly be deleted. And by offering that deletion as its central selling point, it’s lured users into a false sense of privacy. “It’s not just an implementation issue. It’s a fatal flaw in the concept itself,” he says. “They represent to their users that they can expect a certain degree of privacy. If they can’t provide that protection, it’s on them.”