Last Friday, millions of Snapchat users were dismayed to find 200,000 of their sent pictures leaked on the Internet. The leak came from a third-party plugin that uses Snapchat’s unofficial API, Snapsaved.com, which is currently down at the time of writing. Snapchat quickly responded, saying their servers were not breached, and hackers exploited a security flaw in the servers of third-party apps which were in violation of their Terms of Service — they did not mention Snapsaved by name. Though the problem may not have been with Snapchat’s security measures specifically, many people are wondering whether Snapchat did enough to prevent unaffiliated apps from tapping into their resources. Snapchat’s denial of responsibility, while factually correct, is a sidestep of the overall issue, namely that it’s too easy for any developer to write an application that can access and save images sent and received on the Snapchat app.
Although as previously stated, Snapchat has no official API, it is easy for developers to access the service through users’ phones. There are many apps which allow users to save received pictures without alerting the sender, via root exploits on Android phones, for instance. Researchers have been pointing out the security flaws in Snapchat’s service for about as long as the service has been around. According to developer Alex Forbes-Reed, there’s nothing Snapchat can do currently to prevent anyone from accessing the API. What’s more, though snaps are encrypted, the encryption key is the same on every device, and thus it’s freely available on the Internet for anyone who wants it. In other words, while Snapchat may claim security, there’s really very little preventing small-time developers who don’t have proper security measures from suffering data breaches.
Ultimately, this may have served as yet another reminder not to trust the security claims of major corporations. Time and time again, we’ve seen that no matter how encrypted companies claim their data is, hackers always seem to find a weak point. In these past few months, we’ve had leaks of user data from iCloud, Gmail, Dropbox, and others. Hopefully by now, savvy Internet-users realize the true fragility of the information systems they use, and don’t trust them with sensitive information that they wouldn’t want stolen. If people truly want a service to send sensitive pictures to each other, there are apps like surespot for Android, which uses 128-bit end-to-end encryption, and allows users to delete sent pictures from the recipient’s phone. Of course, surespot certainly isn’t guaranteed to be immune to the same security issues that Snapchat suffered this week, if it grows in popularity. No service is.
You are exactly right. Today, there is no reasonable expectation of privacy, security, or copyright control in the domain of cyber.