Snapsaved Admits Photo Hack Exposed Snapchat Users

The internet rumour-mill was in overdrive over the weekend as news emerged of another potential leak of intimate private photos, this time of Snapchat users.

Users on 4Chan, the image board via which many of the iCloud celebrity photos were shared, have been abuzz with what has been dubbed “The Snappening” – a reference to iCloud leak “The Fappening.”

Rumours suggested as many as 200,000 accounts may have been compromised, with potentially intimate photos of children among the batch, although others dismissed it as a hoax, claiming many of the photos that have appeared were already publicly available on other sites.

To confuse matters further, an anonymous poster took to Pastebin on Saturday to claim they would not be releasing any of the hacked content.

Snapchat itself has claimed that it wasn’t hacked, and shifted blame onto third party apps.

The firm said the following in a statement:

“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

Snapsaved.com, a web-based client that allows users to access Snapchat images, admitted it was to blame for the leak, but moved quickly to dampen speculation about the size of the data dump and the nature of the content.

The firm said it was hacked thanks to a “misconfiguration in our Apache server,” but claimed that not enough information was stolen to allow the attacker to create a “searchable database” of images.

It added:

“Snapsaved has always tried to fight child pornography, we have even gone as far, as to reporting some of our users to the Swedish and Norwegian authorities. As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has affected 500MB of images, and 0 personal information from the database…

Our users had to consent to all the content they received via SnapSaved.com, as we mentioned, we tried to cleanse the database of inappropriate images as often as possible.”

Charles Sweeney, CEO of web filtering company Bloxx, argued that users shouldn’t be lulled into a false sense of security when using third party services associated with a trusted provider, as often they don’t have the same security credentials.

“Equally this is a case in point that providers can't afford to be caught out either,” he told Infosecurity.

“Whilst Snapchat has tried to distance itself from the event, ultimately it’s their brand that is being associated with the hack. Companies need to give due consideration to either a) asking third party providers to make their security policies clear from the get go, or b) make it clearer – and not just within their own Terms of Use – that their security policies do not cover third parties.”

Patrick Wardle, director of research at start-up Synack, argued that the incident proves that everyone sending images via Snapchat could be at risk if the recipient has subscribed to a third party service storing said images.

“Part of the issue lies in Snapchat’s core architecture – messages and photos are designed to be sent and decrypted on Snapchat servers before they are sent to the recipient, opening the door for compromise. Furthermore they are encrypted using a known key,” he added. 

“Users may opt to use a more secure solution such as Wickr, where the messages are only readable by the recipient.”

Snapchat itself was at the centre of a privacy storm earlier this year when it emerged that photos are not in fact deleted from the recipient mobile device as claimed but merely hidden – resulting in a complaint to the FTC.
