Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Communications Privacy Social Networks Software

More Details On The 3rd-Party Apps That Led to Snapchat Leaks 101

Yesterday we posted a link to Computerworld's reports that (unnamed) third-party apps were responsible for a massive leak of Snapchat images from the meant-to-be-secure service. An anonymous reader writes with some more details: Ars Technica identifies the culprit as SnapSaved, which was created to allow Snapchat users to access their sent and received images from a browser but which also secretly saved those images on a SnapSaved server hosted by HostGator. Security researcher Adam Caudill warned Snapchat about the vulnerability of their API back in 2012, and although the company has reworked their code multiple times as advised by other security researchers, Caudill concludes that the real culprit is the concept behind Snapchat itself. "Without controlling the endpoint devices themselves, Snapchat can't ensure that its users' photos will truly be deleted. And by offering that deletion as its central selling point, it's lured users into a false sense of privacy."
This discussion has been archived. No new comments can be posted.

More Details On The 3rd-Party Apps That Led to Snapchat Leaks

Comments Filter:
  • Excuse me while.. (Score:4, Insightful)

    by Anonymous Coward on Saturday October 11, 2014 @07:04PM (#48121727)

    I don't feel sorry for those who thought this was seriously secure, and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

    • A lot of the people falling for it were not here in 1999...
      • by Calydor ( 739835 )

        Which means it has been like this for ALL OF THEIR LIVES.

        At least old people have the excuse that it's relatively new to them.

      • Re: (Score:3, Insightful)

        by Lehk228 ( 705449 )
        if they are 15 and under they should not be taking nude photos at all!
        • Re: (Score:1, Insightful)

          by Anonymous Coward

          if they are 15 and under they should not be taking nude photos at all!

          Don't forget to lobby for more abstinence-only sex education!

        • by wvmarle ( 1070040 ) on Saturday October 11, 2014 @11:55PM (#48122561)

          Agreed with the "should not" part.

          However "should not" and "not doing" are two different things - especially for exactly kids that age. It's the age of self-discovery, of rebellion, doing things they know they shouldn't do, without yet realising the consequences.

          In my time (I was that age in the late 1980s), taking nude pics of oneself and sending it to school friends was just not an option. That's probably the only reason it didn't happen back then, or any time before the early 2000s - the time web cams became ubiquitous, and instant digital shots could be made from the privacy of one's bedroom, with little to no chance of parents finding out. Nowadays of course web cams have been replaced by mobile phones, making it even easier.

          It is more reasonable to understand that there are always kids that actually do this, trying to stop them is futile. Instead teaching general computer security as part of modern day computer lessons would be the way to go. One major part should be to have all people understand that if you can see a picture, you can save that picture, period. No matter what the app proclaims. It may be hard, you may not be able to pull it off yourself, but it can be done, and as a result those pics and other data may end up where you don't want them to.

        • by Anonymous Coward

          if they are 15 and under they should not be taking nude photos at all!

          If they are under 15 then there are a wide range of activities they should not be engaging in, but most likely are still going to try. Because that's how life works for kids. Thus we have the role of the Parents, who are supposed to be keeping an eye on things.
          So yes, I do feel a degree of sympathy for the kids because they are young and stupid about such things, and obviously have parents who either cannot, or will not, monitor their actions to prevent such behavior.

        • by allo ( 1728082 )

          Why not? Because nudes are bad?

          • Why not? Because nudes are bad?

            Well, the prison time for possession of some of them is bad...

            • by allo ( 1728082 )

              Which means, if you're over 18 (16?), its bad for you to possess them. But taking them ...

              btw: Are there any court cases about people having or distributing underage photos of themself? That seems to be the corner case for some of the more rigorous laws.

              • by Lehk228 ( 705449 )
                yes there have been convictions in state courts, I don't have citations right now. nude selfies are child pornography and are a crime to possess everywhere in the united states.
        • People do things they shouldn't do all the time and kids aren't known for being great decision makers. You might as well suggest that nobody under 15 should be allowed to go through puberty for all the good it'll do.

    • Wrong.

      How about if we do this:

      "I don't feel sorry for those who thought banks were seriously secure, and two [where's "one?"], who the hell sends dollars to banks and actually thinks other people won't steal them? 1999 called and it wants it's noobs back."

      Go away.

      • by drnb ( 2434720 ) on Saturday October 11, 2014 @08:29PM (#48122005)

        "I don't feel sorry for those who thought banks were seriously secure, and two [where's "one?"], who the hell sends dollars to banks and actually thinks other people won't steal them? 1999 called and it wants it's noobs back."

        Banks are regulated by the government. Bank deposits are insured by the government. When banks get robbed depositors do not lose money. If you want to refer to "noobish" days when depositors were vulnerable you have to go back long long before 1999.

      • Banknotes are pretty anonymous, if someone steals a banknote from me, that sucks as I lose some money, however if he shows it to someone else there's no additional harm to me.

        Now compare that to digital nude photos, especially the ones with the person's face in it.

        • how does a random 3rd party that you dont know seeing a picture causing "additional harm" to you??
          • As long as you can be sure that this third party doesn't know you, you're fine.

            But how can we be sure of that? Maybe this unknown third party uploads it with your name or other identifying information to some image site, Google finds and indexes it, and suddenly people that know you and that for fun search your name in Google, can find it. Same accounts for your future prospective employer, who receives lots of application letters, likes your resume, and a few Google queries later has your private parts in

            • well no, thats still not a random 3rd party seeing a photo of you. you have a bunch of qualifiers that need to be met before it would be causing harm to you.
              • The problem if the randomness of the third party is that you don't know who it is - for many random third parties it indeed won't matter, but not for all random third parties. You never know where the image ends up.

    • Re:Excuse me while.. (Score:4, Interesting)

      by TWX ( 665546 ) on Saturday October 11, 2014 @07:45PM (#48121873)

      I don't feel sorry for those who thought this was seriously secure, and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

      See, I can feel some mild sympathy, basically pity, for those that were stupid enough to think that something electronic and stored in a common format over a common communications medium was secure. That doesn't mean that don't assign at least some blame for their circumstances though.

      This has been a problem since well before 1999. Naked pictures were exchanged on BBSes and on Usenet since the inventions of the scanner and the digital camera. The only difference is that it's easier than ever to do that distribution now, and sharing requiring human interaction has been supplemented by software that seeks out and stores such content.

      Until the technology has actually matured there's no safe solution. Even computer professionals don't necessarily understand all aspects of all of the software that could have access to the content on a user's electronic devices; simple users literally have no chance.

      • "... for those that were stupid enough to think that something electronic and stored in a common format over a common communications medium was secure.

        Stupid enough? I hate to break it to you, but most if not all secure systems work in exactly the way you decry to be "stupid". Maybe you've heard of SSL?

      • by Jeremi ( 14640 )

        Until the technology has actually matured there's no safe solution.

        Even if SnapChat worked 100% as advertised, it wouldn't be a safe solution, since your recipient could always take a photo of the image using another camera or phone. It's the DRM problem all over again, except now the "publisher" is some teenager rather than the movie industry.

    • by Anonymous Coward

      Even if you were to "..control the endpoint device..." in the sense I read (locked down hardware, software), what's to prevent someome from simply taking a picture of the image being displayed using an independent camera?

      The fact of the matter is, once data is shared in the analog, there's plenty of independent technologies that can capture a rendition of the data and there will be for the forseeable future (quantum entanglement has come a long way but we're not sharing nudes using the principle, *yet*). T

      • by TWX ( 665546 )
        I could see someone designing a screen that can't be accurately captured by at least a digital camera, but anything that the human eye can see, an analog lens and film can also image. Screens that couldn't be imaged electronically would probably be restricted to the most sensitive of data where any concern for espionage would make it desirable to spend the money to make such a screen work, and where someone couldn't infiltrate with a film camera.

        In short, something of a pipe-dream.
    • by Kjella ( 173770 ) on Saturday October 11, 2014 @08:19PM (#48121979) Homepage

      and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

      Teens who want to get laid. Like it or not, cell phones and social media has taken over a lot of the real-world interaction we used to have as teens. Mainly because I didn't have a cell phone until my late teens, much less a camera phone and nothing like social media. A lot of the flirting and teasing that used to happen in dark corners at parties is now happening through texting and sexting online. Not to mention the upkeep of an ongoing relationship, if you wanted to get more graphical than you'd say over a fixed phone line in the hallway you had to hook up in person. Today you're more expected to keep it up all the time, even if you're apart which means sending naughties on Snapchat and such. Yes, sometimes it backfires badly but people in love won't believe their love will stab them in the back. And while I'm pulling this statistic out of my ass, I think most personal photos most of the time aren't shared with anyone but the intended recipient and aren't abused. And I think that still holds true even though these 200k pics leaked.

    • by tlhIngan ( 30335 )

      I don't feel sorry for those who thought this was seriously secure, and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

      What, DRM doesn't work? *gasp*

      (Yes, it's a form of DRM).

      Of course, I wonder if iOS8 fixed the "bug" in iOS7 that prevented SnapChat from making a note that a screenshot was captured....

  • by Anonymous Coward

    But much more importantly. Link to photos?

    • Re:Nice article (Score:4, Informative)

      by CaptainDork ( 3678879 ) on Saturday October 11, 2014 @07:45PM (#48121875)

      Some of the photos were taken by minors. Kids often use poor judgement.

      Adults looking for those photos have no excuse.

      Assuming you're not a jerk looking to exploit children, then it's clear you want adult pornography.

      Try Google.

      • Re:Nice article (Score:4, Interesting)

        by sumdumass ( 711423 ) on Saturday October 11, 2014 @08:46PM (#48122053) Journal

        I'm currious if anyone is being exploited in the sense of exploiting children if they take their own pics and you end up seeing them.

        I'm not saying it is ok to view them or anything, I'm just under the impression that the exploitation comes from children being forced or enticed into the photos and the viewer while not participating in the actual act, it enabling it by creating demand. So if a child takes a photo of themselves for their own reasons, is anyone actual being exploited?

        Or is that a legal term that applied in all situations regardless of any inherent or lack of logical connection?

        • Re:Nice article (Score:5, Informative)

          by CaptainDork ( 3678879 ) on Saturday October 11, 2014 @09:28PM (#48122157)

          Good question: [findlaw.com]

          "Though their laws were created to protect minors from exploitation caused by others, states are prosecuting minors under child pornography statutes for sending nude or otherwise lurid self-portraits, even when the minors sent the selfies without coercion. The common quirk in the laws is that there is no exception for taking or distributing sexually explicit pictures of oneself. Thus, a high school student sending a racy seflie to a boyfriend or girlfriend could subject both themselves and the receiver to prosecution for child pornography. If the picture makes its way around other social circles through online or direct sharing, anyone who received or distributed the photo could also find themselves open to charges."

        • I'm currious if anyone is being exploited in the sense of exploiting children if they take their own pics and you end up seeing them.

          Not in my view.

          I'm just under the impression that the exploitation comes from children being forced or enticed into the photos and the viewer while not participating in the actual act, it enabling it by creating demand.

          It's funny how Hollywood claims that downloading music and movies is destroying the entertainment industries, while the think-of-the-children crowd says downloading photos somehow "creates demand". I suspect both sides are just making shit up to bolster their particular agendas.

      • by allo ( 1728082 )

        why is a child exploited, if it sends images it made itself? The leak is not voluntary, but the photos are. So there is nobody exploited, even when the leak may lead to awkward situations. The whole "its child abuse" argument is invalid for selfies.

        • by fa2k ( 881632 )

          It's worse, they're promoting copyright violation!

        • Again, [findlaw.com]

          "Though their laws were created to protect minors from exploitation caused by others, states are prosecuting minors under child pornography statutes for sending nude or otherwise lurid self-portraits, even when the minors sent the selfies without coercion. The common quirk in the laws is that there is no exception for taking or distributing sexually explicit pictures of oneself. Thus, a high school student sending a racy seflie to a boyfriend or girlfriend could subject both themselves and the receive

          • by allo ( 1728082 )

            I did not doubt it (in fact i did not even consider it, as i do not live in us legislation), but made a argument from the reason / moral point of view, not from the legal one.

            • I apologize for my American-centric view, but my world view is bounded by it.

              Moral points of view are, necessarily, outside the legal system and are within the scope of faith.

              For me, viewing nude pictures of children, whether the source is from immature minors or mature adults, is not so much a matter of ethics violation as it is viewing evidence of a crime.

              • by allo ( 1728082 )

                I am not sure, if this is a question of nationality, whats your point of view.

                What i DO support:
                - obey the law
                - if you do not like the law, form a group to change it.

                But further: "Have an Opinion!".
                And this does not need to match the law. When i say "with sexting there is no victim", i do not say that sexting is legal, but i it may mean, that i would support laws, which do not mark every picture of a nude child as illegal, disregarding the way they were created.
                I do obey the current law, but if the cause wo

    • Re:Nice article (Score:5, Insightful)

      by wiredlogic ( 135348 ) on Saturday October 11, 2014 @07:54PM (#48121901)

      A healthy percentage of those pictures are going to be of underage teens. They aren't going to be as readily distributed as the celeb leaks because of the real threat of jail time and a ruined life for anyone attempting it.

      • by Anonymous Coward

        Where are all the Lovejoy Law [slashdot.org] paternalists who normally go after tor and p2p services? Shouldn't they be going after Snapchat for the same reason [youtube.com]?

      • Comment removed based on user account deletion
        • by tepples ( 727027 )
          That'd be like buying your kid a Nintendo 3DS but not letting him or her buy games.
          • Comment removed based on user account deletion
            • by tepples ( 727027 )
              "Parents ought to forbid from having a paper route and ought to confiscate all birthday money received from other relatives." Do I understand you correctly? And on what criteria should the parent evaluate a particular application before the parent will allow it to be installed on a child's device?
        • by GNious ( 953874 )

          Last I looked (i.e. not recently), Android user-accounts require the user to be 18.
          At the same time, I've seen no non-enterprise solutions for locking down an Android phone.

  • Lets stop looking at the tech involved and look at the human aspect of the problem.
    From cheesy celebs and iCloud to the entire concept of nudies (or whatever) when what the NSA has been doing, collecting EVERYTHING, is common knowledge, and the "news" media is rife with hacking stories.

    It isn't the tech involved, it's the stupidity/ignorance of some humans.

    • I saw a bumper sticker that said you can't fix stupid. I think that is right because a lot of these people do not want to learn the details and scary parts of a lot of these things. It's like the TV, they want to push the button or rotate the knob and have it come on and be useful to them (entertainment). They do not want to be bothered with how a signal is transmitted or how the TV translates that to something they might want to watch- they just want it to do it's magic behind the scenes so they can enjoy

      • by Anonymous Coward

        I saw a bumper sticker that said you can't fix stupid.

        Sure, but you can fix ignorance. Snapchat strongly markets the feature that the pictures disappear (it's really the only thing they're banking on). Since the beginning, that was very misleading, almost to the point of being completely false. While looking at said picture, the user can take a screenshot, take a picture of their phone with another camera, or use a variety of apps to capture the image.

        IMO, it should be made more clear that it's similar to automating the act of deleting all pictures you receive

  • by fermion ( 181285 ) on Saturday October 11, 2014 @08:34PM (#48122023) Homepage Journal
    Collecting personal information on users is the status quo. All backends, be it google, apple, ms, collect information on users. It is how they make money and 'improve the product'. So instead of being in a position where everyone can agree that private information is private, we live in a world where we have to really work to understand what information is private, and what isn't. We see this with law enforcement and text messages. Most would say they are private, but law enforcement says they are public information. It is a small jump from text messages to photo sent to another person. If information collection were not the norm for everyone, then perhaps we could be upset that private information is being collected. But the web site provides a service, and of course it is going to take it's cut, in the forms of saving photos, for providing that service.

    This is the way the web works. Service in exchange for private information. If it were 2000 it might be surprising. But it is not. And most everyone who is using snapchat has grown up in a world where such is standard mode of operation.

  • Perhaps Evan Spiegel and Bobby Murphy can blame the lack of security on Reggie Brown. Too bad they weren't given an opportunity in their depositions [businessinsider.com]
  • by Anonymous Coward

    "Without controlling the endpoint devices themselves"

    This guy's right guys. Snapchat doesn't have control anyone's eyeballs yet and as a result you cannot consider this software secure.

  • If there is a god of truth and justice, the fappening is being followed by the snappining.
    / not a snapchat user
    // nor 4chan
    /// nor TPB, um, I plead the 5th here.
    //// stupid is as stupid does
  • It's true that without controlling the endpoints, Snapchat can't stop one particular attack vector: the people who control those devices saving images themselves. The usual "DRM" problem.

    But what seems to have happened here is that users installed an app which, unbeknownst to them, sent copies of the images to a third-party server. That threat model is possible to guard against, although it's arguably more an issue with Android than Snapchat that something like that easily happens without users noticing, be

    • Comment removed based on user account deletion
      • by Trepidity ( 597 )

        Android could perfectly well let you give an app local permissions without giving it call-out-to-the-network permissions. Snapsave shouldn't need to ever call out to external servers in the first place, if it does only what it advertises.

        Android doesn't do this because of their broken ad-based ecosystem, though: they don't want to draw your attention to apps that unnecessarily call out to the network, because the most common reason for doing so is to show ads.

  • by Anonymous Coward on Saturday October 11, 2014 @08:59PM (#48122097)

    "...was created to allow Snapchat users to access their sent and received images from a browser...

    "...but which also secretly saved those images on a SnapSaved server

    Uh, hold up there, genius Snapchat users. Perhaps this is oversimplifying a bit, but let me remind you how a server works .

    You see, images are uploaded to server storage in order to be served to your browser as you so deftly requested to access at a later time...you know, with a browser.

    What the hell do you mean "secretly" saved?!?

    I suppose the rest of the worlds servers magically save their images nowhere. And totally in secret so no browser could find it, right?

    And yet you're now shocked and appalled to find images all over your Snap Saved server.

    SMFH

    • by GTRacer ( 234395 )
      SnapSaved's server != SnapChat's server.

      The problem isn't SnapCHAT's servers, or the client-server model. It's that this app was allowing users to bypass SnapChat's supposed anti-copy protections WHILE ALSO making its own copies.
  • IDWISOTT (Score:4, Insightful)

    by pushing-robot ( 1037830 ) on Saturday October 11, 2014 @09:08PM (#48122121)

    Ars Technica identifies the culprit as SnapSaved, which...secretly saved [users'] images on a SnapSaved server

    In related news: Mysterious Twitter-related injuries traced to users of popular addon service TweetAndWeHitYouWithASpanner.com

    (and why in god's name does a service like SnapChat have an API?)

    • Comment removed based on user account deletion
      • I mistakenly thought the API was public; it would be nice if certain clueless news sites (and the author of TFS) would point out this is a reverse-engineered interface.

        It might as well be public, though, considering how long ago it was discovered and how many apps/services/libraries are using it. Snapchat is supposed to be in the business of privacy; if they won't give full effort to protecting their users they deserve this fiasco.

    • (and why in god's name does a service like SnapChat have an API?)

      If you find yourself asking why a service has a programming interface, you have found yourself on the wrong website.

  • by Hognoxious ( 631665 ) on Sunday October 12, 2014 @06:13AM (#48123135) Homepage Journal

    Ill-conceived idea turns out to have been badly implemented. Film at 11.

To thine own self be true. (If not that, at least make some money.)

Working...