Snapchat Photos Apparently Leaked
Latest Compromise Highlights Third-Party Risks
Users of Snapchat may have had their photographs leaked online through the apparent compromise of Snapsaved, an unrelated, third-party service that stores Snapchat photos that would otherwise have been deleted after several seconds.
The incident highlights the risks users face when providing credentials to a third-party service or application that extends or modifies an original service, says Satnam Narang, senior security response manager at Symantec.
"You are taking a risk of having your information compromised," Narang says. "These third-party services can promise numerous benefits, but they aren't beholden to you and, in some cases, may not even be a real business."
Third Party Hacked
As many as 200,000 leaked photographs are apparently being shared on online message boards, according to a report in the New York Times. A user of the 4chan message board claimed to have hacked the Snapsaved service to gain access to the photos, the report says.
"We vigilantly monitor the iTunes App Store and Google Play for illegal third-party apps and have succeeded in getting dozens of these removed," she says.
In a statement posted to Snapsaved's Facebook account on Oct. 11, the company confirmed that its database was hacked, which resulted in 500MB of images being compromised.
"The majority of our users are Swedish, Norwegian and American," the company says. "I sincerely apologize on the behalf of Snapsaved.com. We never wished for this to happen. We did not wish to cause Snapchat or their users any harm. We only wished to provide a unique service."
Snapsaved has deleted its entire website and the database associated with it, the company says.
Analyzing the Compromise
In this particular incident, users signed up for the Snapsaved service because they wanted to circumvent the way Snapchat works, Symantec's Narang says. "Users should understand the risks they're taking by putting their information in the hands of a third party," he says.
"While Snapchat and other primary service providers may state in their privacy policies that they do not store a user's data, photos or videos, the third-party providers abusing the Snapchat API may do just that," Narang adds.
Companies should warn their users about the risks of utilizing third-party applications. "However, the onus is ultimately on the user to make that judgment call," Narang adds.
Still, companies should be aware of any flaws or vulnerabilities within their apps and services and bear the responsibility of patching and plugging them so that they cannot be taken advantage of, he says. "Both the end user and service provider need to be diligent."
Back in May, Snapchat settled with the Federal Trade Commission over its complaint that users who logged into the Snapchat server through third-party applications could save photo and video messages indefinitely (see: Snapchat Settles FTC Privacy Case). The service's deletion feature only functions in the official Snapchat app, the FTC says.
Among other allegations, the FTC complaint alleges that Snapchat stored unencrypted video messages on a recipient's device outside of the application's "sandbox," meaning the videos remained accessible to recipients who connected their device to a computer and accessed the video messages through the device's file directory.
Under the terms of its settlement, Snapchat is prohibited from misrepresenting the extent to which it maintains the privacy, security or confidentiality of users' information. Snapchat also agreed to launch a comprehensive privacy program that will be monitored for the next 20 years.
The FTC's investigation was triggered by a January breach incident in which a group of hackers using the name SnapchatDB claimed to have compromised the usernames and phone numbers of as many as 4.6 million Snapchat users (see: Snapchat Hack Affects 4.6 Million).
SnapchatDB says it downloaded the information using an exploit in Snapchat and then posted it to a website called SnapchatDB.info, according to the Washington Post. The site has since been suspended.
The breach followed a report posted on Dec. 25 from a security group called Gibson Security that highlighted a Snapchat vulnerability that could enable an attack involving compiling a database of Snapchat usernames and phone numbers.