Thousands of Snapchat images that users thought were erased have been posted publicly in an attack that is being referred to as the “Snappening.”
Snapchat is a popular temporary photo-sharing app for mobile devices that promises ephemeral sharing of pictures that aren’t supposed to be stored. Yet, apparently, in a massive attack, those images were stored and have now been released.
Many of Snapchat’s users are teenagers, and there is a risk that some of the photos are indecent. For its part, Snapchat is claiming that its servers were not breached.
It is currently unclear which third-party app is the one to blame or if multiple apps are at fault.
For a service like Snapchat, the control point over third-party apps is its APIs. Third-party apps can only work and communicate with the Snapchat servers by way of an API. It’s the same with Twitter and its ecosystem of third-party apps. In order for apps to work with a service’s API, typically some form of access and authorization tokens are required. Those tokens need to be granted by the service and can also be revoked.
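One way a service can make its API the control point described above, as an added illustration that is not Snapchat’s own code: every token is bound to one third-party client, expires, and can be revoked per client so a single misbehaving app can be cut off without affecting the others. The class, its method names and the choice to store only token hashes are assumptions for this example.

```python
import hashlib
import secrets
import time


class ApiTokenRegistry:
    """Server-side registry of API tokens granted to third-party apps (hypothetical).

    Each token is tied to one client id and an expiry time. Only a SHA-256
    digest of each token is kept, so a leaked registry does not hand out
    usable credentials.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for deterministic tests
        self._by_hash = {}                   # sha256(token) -> (client_id, expires_at)
        self._revoked_clients = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, ttl_seconds=3600):
        """Grant a fresh token to a registered third-party app."""
        if client_id in self._revoked_clients:
            raise PermissionError(f"client {client_id!r} has been revoked")
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = (client_id, self._clock() + ttl_seconds)
        return token

    def authorize(self, token):
        """Return the client id the token belongs to, or None if it is not valid."""
        entry = self._by_hash.get(self._digest(token))
        if entry is None:
            return None
        client_id, expires_at = entry
        if client_id in self._revoked_clients or self._clock() >= expires_at:
            return None
        return client_id

    def revoke_client(self, client_id):
        """Revoke every token held by one app and block further issuance to it."""
        self._revoked_clients.add(client_id)
        self._by_hash = {h: v for h, v in self._by_hash.items() if v[0] != client_id}
```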
Snapchat does not have a very good record of securing its service or its users. At the end of 2013, 4.6 million Snapchat user names and phone numbers were leaked and posted to a public database. That attack was also linked to an abuse of Snapchat’s API.
The issue of API security is not reported on often, but it is obviously critically important. In this latest Snapchat incident, the lives of thousands of people are now being affected as their private pictures are posted publicly.
The Snapchat photo leakage attack follows the high-profile celebrity Apple iCloud photo attack in September. In that incident, attackers were somehow able to gain access to the Hollywood celebrities’ iCloud accounts through some form of phishing activity. In the latest Snapchat attack, it’s not cloud security, but the security and usage of APIs by a third-party app that are in question.
It is incumbent upon Snapchat to tighten up its security policies around third-party apps and the usage of its API. For end users, this incident underscores that it’s likely safer to stick with official apps and not third-party apps.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.