Snapchat Photos Apparently Leaked

Latest Compromise Highlights Third-Party Risks
Snapchat Photos Apparently Leaked

Users of Snapchat may have had their photographs leaked online through the apparent compromise of Snapsaved, an unrelated, third-party service that stores Snapchat photos that would otherwise have been deleted after several seconds.

See Also: Unlocking IAM - Balancing Frictionless Registration & Data Integrity

The incident highlights the risks users face when providing credentials to a third-party service or application that extends or modifies an original service, says Satnam Narang, senior security response manager at Symantec.

"You are taking a risk of having your information compromised," Narang says. "These third-party services can promise numerous benefits, but they aren't beholden to you and, in some cases, may not even be a real business."

Third Party Hacked

As many as 200,000 leaked photographs are apparently being shared on online message boards, according to a report in the New York Times. A user of the 4chan message board claimed to have hacked the Snapsaved service to gain access to the photos, the report says.

Snapchat says that its servers were never breached and were not the source of the leaks. "Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our terms of use precisely because they compromise our users' security," Mary Ritti, a spokesperson for Snapchat, tells Information Security Media Group.

"We vigilantly monitor the iTunes App Store and Google Play for illegal third-party apps and have succeeded in getting dozens of these removed," she says.

In a statement posted to Snapsaved's Facebook account on Oct. 11, the company confirmed that its database was hacked, which resulted in 500MB of images being compromised.

"The majority of our users are Swedish, Norwegian and American," the company says. "I sincerely apologize on the behalf of Snapsaved.com. We never wished for this to happen. We did not wish to cause Snapchat or their users any harm. We only wished to provide a unique service."

Snapsaved has deleted its entire website and the database associated with it, the company says.

Analyzing the Compromise

In this particular incident, users signed up for the Snapsaved service because they wanted to circumvent the way Snapchat works, Symantec's Narang says. "Users should understand the risks they're taking by putting their information in the hands of a third party," he says.

"While Snapchat and other primary service providers may state in their privacy policies that they do not store a user's data, photos or videos, the third-party providers abusing the Snapchat API may do just that," Narang adds.

Companies should warn their users about the risks of utilizing third-party applications. "However, the onus is ultimately on the user to make that judgment call," Narang adds.

Still, companies should be aware of any flaws or vulnerabilities within their apps and services and bear the responsibility of patching and plugging them so that they cannot be taken advantage of, he says. "Both the end user and service provider need to be diligent."

FTC Settlement

Back in May, Snapchat settled with the Federal Trade Commission over its complaint that users who logged into the Snapchat server through third-party applications could save photo and video messages indefinitely (see: Snapchat Settles FTC Privacy Case). The service's deletion feature only functions in the official Snapchat app, the FTC says.

Among other allegations, the FTC complaint alleges that Snapchat stored unencrypted video messages on a recipient's device outside of the application's "sandbox," meaning the videos remained accessible to recipients who connected their device to a computer and accessed the video messages through the device's file directory.

Under the terms of its settlement, Snapchat is prohibited from misrepresenting the extent to which it maintains the privacy, security or confidentiality of users' information. Snapchat also agreed to launch a comprehensive privacy program that will be monitored for the next 20 years.

Breach Investigation

The FTC's investigation was triggered by a January breach incident in which a group of hackers using the name SnapchatDB claimed to have compromised the usernames and phone numbers of as many as 4.6 million Snapchat users (see: Snapchat Hack Affects 4.6 Million).

SnapchatDB says it downloaded the information using an exploit in Snapchat and then posted it to a website called SnapchatDB.info, according to the Washington Post. The site has since been suspended.

The breach followed a report posted on Dec. 25 from a security group called Gibson Security that highlighted a Snapchat vulnerability that could enable an attack involving compiling a database of Snapchat usernames and phone numbers.

On May 8, Snapchat acknowledged the FTC settlement in a blog post. "Even before today's consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description and in-app just-in-time notifications," the blog states. "And we continue to invest heavily in security and countermeasures to prevent abuse."


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.