Thousands of Snapchat images that users thought had been erased have been posted publicly in an attack that is being referred to as the “Snappening.”
Snapchat is a popular temporary photo-sharing app for mobile devices that promises ephemeral sharing: pictures are not supposed to be stored. Yet, apparently, in a massive attack, those images were stored and have now been released.
Many of Snapchat’s users are teenagers, and there is a risk that some of the photos are indecent. For its part, Snapchat is claiming that its servers were not breached.
“Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our ToU [terms of use],” Snapchat stated in a Twitter message.
It is currently unclear which third-party app is the one to blame or if multiple apps are at fault.
Snapchat’s blaming the image leak on a third-party app’s violation of its terms of use is not likely to win the company much admiration. The simple truth of the way access to any online app service works is that there is always a control point.
For a service like Snapchat, that control point is its APIs. Third-party apps can only work and communicate with the Snapchat servers by way of an API; the same is true of Twitter and its ecosystem of third-party apps. In order for apps to work with a service’s API, some form of access or authorization token is typically required. Those tokens are granted by the service, and the service can also revoke them.
So, to take the argument a step further, if in fact a third-party service was in violation of the Snapchat terms of use, the company could have—and should have—been able to revoke or otherwise cancel access to its API.
That would, however, imply that, in fact, Snapchat was aware that the third-party app was in violation of its terms of use and that Snapchat has the ability to monitor third-party apps for abuse.
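As an added example (not Snapchat’s code; the class, method and client names are assumed for illustration), the following Python sketch shows what that control point looks like in practice: every third-party client is registered, every bearer token is bound to a client, the gateway counts requests per client rather than per user so that a bulk-downloading app stands out, and revoking the client invalidates every token it holds.

```python
"""Illustrative token-gated API front end with per-client monitoring and revocation.
Added example; not Snapchat's implementation. Names are assumed for illustration."""
import hashlib
import secrets
import time
from collections import defaultdict


class ApiGateway:
    def __init__(self, rate_limit_per_minute=60):
        self.clients = {}                  # client_id -> {"name": str, "revoked": bool}
        self.tokens = {}                   # sha256(token) -> {"client_id", "user", "revoked"}
        self.requests = defaultdict(list)  # client_id -> timestamps of recent requests
        self.audit_log = []                # (client_id, user, outcome) for later review
        self.rate_limit = rate_limit_per_minute

    @staticmethod
    def _hash(token):
        # Store only a digest so a leaked token table cannot be replayed directly.
        return hashlib.sha256(token.encode()).hexdigest()

    def register_client(self, name):
        """Every app that talks to the API gets its own identity."""
        client_id = secrets.token_hex(8)
        self.clients[client_id] = {"name": name, "revoked": False}
        return client_id

    def issue_token(self, client_id, user):
        """A token is bound to both the requesting app and the end user."""
        client = self.clients.get(client_id)
        if client is None or client["revoked"]:
            raise PermissionError("unknown or revoked client")
        token = secrets.token_urlsafe(32)
        self.tokens[self._hash(token)] = {"client_id": client_id, "user": user, "revoked": False}
        return token

    def revoke_client(self, client_id):
        """Cut off an abusive app: the client and every token it holds stop working."""
        self.clients[client_id]["revoked"] = True
        for rec in self.tokens.values():
            if rec["client_id"] == client_id:
                rec["revoked"] = True

    def authorize(self, token, now=None):
        """Return (client_id, user) for a valid token; raise PermissionError otherwise."""
        rec = self.tokens.get(self._hash(token))
        if rec is None or rec["revoked"]:
            raise PermissionError("invalid or revoked token")
        client_id = rec["client_id"]
        if self.clients[client_id]["revoked"]:
            raise PermissionError("client access revoked")
        now = time.time() if now is None else now
        # Sliding one-minute window, counted per client rather than per user, so an
        # app that hoards media across many accounts trips the limit even when each
        # individual user's traffic looks normal.
        window = [t for t in self.requests[client_id] if now - t < 60]
        window.append(now)
        self.requests[client_id] = window
        if len(window) > self.rate_limit:
            self.audit_log.append((client_id, rec["user"], "rate-limited"))
            raise PermissionError("rate limit exceeded for client")
        self.audit_log.append((client_id, rec["user"], "ok"))
        return client_id, rec["user"]

    def is_authorized(self, token, now=None):
        """Boolean convenience wrapper around authorize()."""
        try:
            self.authorize(token, now)
            return True
        except PermissionError:
            return False

    def flagged_clients(self):
        """Clients that have been rate-limited: candidates for a terms-of-use review."""
        return sorted({cid for cid, _, outcome in self.audit_log if outcome == "rate-limited"})


if __name__ == "__main__":
    gw = ApiGateway(rate_limit_per_minute=5)
    official = gw.register_client("official-app")
    saver = gw.register_client("third-party-saver")   # constructed abusive client
    tok = gw.issue_token(saver, "bob")
    for i in range(7):                                  # bulk download attempt
        gw.is_authorized(tok, now=1000.0 + i)
    print("flagged:", gw.flagged_clients())
    gw.revoke_client(saver)
    print("saver token still works:", gw.is_authorized(tok, now=1010.0))
```

The point of the sketch is the shape of the control: because each token carries a client identity, the service can see which app is pulling media at an abnormal rate and can shut that app off without touching the official app’s users.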
Snapchat does not have a very good record of securing its service or its users. At the end of 2013, 4.6 million Snapchat user names and phone numbers were leaked and posted to a public database. That attack was also linked to an abuse of Snapchat’s API.
The issue of API security is not reported on often, but it is obviously critically important. In this latest Snapchat incident, the lives of thousands of people are now being affected as their private pictures are posted publicly.
The Snapchat photo leak follows the high-profile celebrity Apple iCloud photo attack in September. In that incident, attackers were reportedly able to gain access to the celebrities’ iCloud accounts through some form of phishing. In the latest Snapchat attack, it is not cloud security but the security and usage of APIs by a third-party app that are in question.
It is incumbent upon Snapchat to tighten up its security policies around third-party apps and the usage of its API. For end users, this incident underscores that it’s likely safer to stick with official apps and not third-party apps.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.