More Details On The 3rd-Party Apps That Led to Snapchat Leaks
Yesterday we posted a link to Computerworld's reports that (unnamed) third-party apps were responsible for a massive leak of Snapchat images from the meant-to-be-secure service. An anonymous reader writes with some more details: Ars Technica identifies the culprit as SnapSaved, which was created to allow Snapchat users to access their sent and received images from a browser but which also secretly saved those images on a SnapSaved server hosted by HostGator. Security researcher Adam Caudill warned Snapchat about the vulnerability of their API back in 2012, and although the company has reworked their code multiple times as advised by other security researchers, Caudill concludes that the real culprit is the concept behind Snapchat itself. "Without controlling the endpoint devices themselves, Snapchat can't ensure that its users' photos will truly be deleted. And by offering that deletion as its central selling point, it's lured users into a false sense of privacy."
Excuse me while.. (Score:4, Insightful)
I don't feel sorry for those who thought this was seriously secure, and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants its noobs back.
Re: (Score:3)
Which means it has been like this for ALL OF THEIR LIVES.
At least old people have the excuse that it's relatively new to them.
Re: (Score:1, Insightful)
if they are 15 and under they should not be taking nude photos at all!
Don't forget to lobby for more abstinence-only sex education!
Re:Excuse me while.. (Score:5, Insightful)
Agreed with the "should not" part.
However "should not" and "not doing" are two different things - especially for exactly kids that age. It's the age of self-discovery, of rebellion, doing things they know they shouldn't do, without yet realising the consequences.
In my time (I was that age in the late 1980s), taking nude pics of oneself and sending it to school friends was just not an option. That's probably the only reason it didn't happen back then, or any time before the early 2000s - the time web cams became ubiquitous, and instant digital shots could be made from the privacy of one's bedroom, with little to no chance of parents finding out. Nowadays of course web cams have been replaced by mobile phones, making it even easier.
It is more reasonable to understand that there are always kids that actually do this, trying to stop them is futile. Instead teaching general computer security as part of modern day computer lessons would be the way to go. One major part should be to have all people understand that if you can see a picture, you can save that picture, period. No matter what the app proclaims. It may be hard, you may not be able to pull it off yourself, but it can be done, and as a result those pics and other data may end up where you don't want them to.
Re: (Score:2)
Yeah, it may be true that most people are borderline mentally retarded, but not every 15 year old is an idiot.
And those are not the ones using snapchat for nude selfies...
Re: (Score:1)
if they are 15 and under they should not be taking nude photos at all!
If they are under 15 then there are a wide range of activities they should not be engaging in, but most likely are still going to try. Because that's how life works for kids. Thus we have the role of the Parents, who are supposed to be keeping an eye on things.
So yes, I do feel a degree of sympathy for the kids because they are young and stupid about such things, and obviously have parents who either cannot, or will not, monitor their actions to prevent such behavior.
Re: (Score:2)
Why not? Because nudes are bad?
Re: (Score:2)
I guess, there are many prude people, and you can show some respect. But as long as it's kept private (it's not public, when two persons send nudes to each other), it should not interest anyone but the two persons.
Re: (Score:2)
Why not? Because nudes are bad?
Well, the prison time for possession of some of them is bad...
Re: (Score:2)
Which means, if you're over 18 (16?), it's bad for you to possess them. But taking them ...
btw: Are there any court cases about people having or distributing underage photos of themselves? That seems to be the corner case for some of the more rigorous laws.
Re: (Score:2)
People do things they shouldn't do all the time and kids aren't known for being great decision makers. You might as well suggest that nobody under 15 should be allowed to go through puberty for all the good it'll do.
Re: (Score:1)
Wrong.
How about if we do this:
"I don't feel sorry for those who thought banks were seriously secure, and two [where's "one?"], who the hell sends dollars to banks and actually thinks other people won't steal them? 1999 called and it wants its noobs back."
Go away.
Re:Excuse me while.. (Score:5, Insightful)
"I don't feel sorry for those who thought banks were seriously secure, and two [where's "one?"], who the hell sends dollars to banks and actually thinks other people won't steal them? 1999 called and it wants its noobs back."
Banks are regulated by the government. Bank deposits are insured by the government. When banks get robbed depositors do not lose money. If you want to refer to "noobish" days when depositors were vulnerable you have to go back long long before 1999.
Re: (Score:3)
Banknotes are pretty anonymous, if someone steals a banknote from me, that sucks as I lose some money, however if he shows it to someone else there's no additional harm to me.
Now compare that to digital nude photos, especially the ones with the person's face in it.
Re: (Score:2)
As long as you can be sure that this third party doesn't know you, you're fine.
But how can we be sure of that? Maybe this unknown third party uploads it with your name or other identifying information to some image site, Google finds and indexes it, and suddenly people that know you and that for fun search your name in Google, can find it. Same accounts for your future prospective employer, who receives lots of application letters, likes your resume, and a few Google queries later has your private parts in
Re: (Score:2)
The problem of the randomness of the third party is that you don't know who it is - for many random third parties it indeed won't matter, but not for all random third parties. You never know where the image ends up.
Re:Excuse me while.. (Score:4, Interesting)
See, I can feel some mild sympathy, basically pity, for those that were stupid enough to think that something electronic and stored in a common format over a common communications medium was secure. That doesn't mean that I don't assign at least some blame for their circumstances though.
This has been a problem since well before 1999. Naked pictures were exchanged on BBSes and on Usenet since the inventions of the scanner and the digital camera. The only difference is that it's easier than ever to do that distribution now, and sharing requiring human interaction has been supplemented by software that seeks out and stores such content.
Until the technology has actually matured there's no safe solution. Even computer professionals don't necessarily understand all aspects of all of the software that could have access to the content on a user's electronic devices; simple users literally have no chance.
Re: (Score:1)
MM's, the good old days!
Re: (Score:2)
Stupid enough? I hate to break it to you, but most if not all secure systems work in exactly the way you decry to be "stupid". Maybe you've heard of SSL?
Re: (Score:2)
Until the technology has actually matured there's no safe solution.
Even if SnapChat worked 100% as advertised, it wouldn't be a safe solution, since your recipient could always take a photo of the image using another camera or phone. It's the DRM problem all over again, except now the "publisher" is some teenager rather than the movie industry.
Re: Excuse me while.. (Score:2, Insightful)
Even if you were to "..control the endpoint device..." in the sense I read (locked down hardware, software), what's to prevent someone from simply taking a picture of the image being displayed using an independent camera?
The fact of the matter is, once data is shared in the analog, there's plenty of independent technologies that can capture a rendition of the data and there will be for the foreseeable future (quantum entanglement has come a long way but we're not sharing nudes using the principle, *yet*). T
Re: (Score:2)
In short, something of a pipe-dream.
Re:Excuse me while.. (Score:5, Insightful)
and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants its noobs back.
Teens who want to get laid. Like it or not, cell phones and social media has taken over a lot of the real-world interaction we used to have as teens. Mainly because I didn't have a cell phone until my late teens, much less a camera phone and nothing like social media. A lot of the flirting and teasing that used to happen in dark corners at parties is now happening through texting and sexting online. Not to mention the upkeep of an ongoing relationship, if you wanted to get more graphical than you'd say over a fixed phone line in the hallway you had to hook up in person. Today you're more expected to keep it up all the time, even if you're apart which means sending naughties on Snapchat and such. Yes, sometimes it backfires badly but people in love won't believe their love will stab them in the back. And while I'm pulling this statistic out of my ass, I think most personal photos most of the time aren't shared with anyone but the intended recipient and aren't abused. And I think that still holds true even though these 200k pics leaked.
Re: (Score:2)
In turn, helicopter parenting is made so much easier thanks to mobile phones. After all, now there's the option to call your kids every 10 mins, no matter where they are.
Re: (Score:1)
In turn, helicopter parenting is made so much easier thanks to mobile phones. After all, now there's the option to call your kids every 10 mins, no matter where they are.
Yes and no. A tech-savvy 'helicopter parent' could install a variety of computer and network based monitoring and logging equipment to hover over every keystroke made by their child. This is not nearly so easily done with a mobile device. Yes, there are some monitoring solutions but they have both technical limitations and drawbacks in terms of social concerns related to how much you really want to train your kids to accept omnipresent surveillance.
Frankly speaking, we need to make an effort to get basic ed
Re: (Score:2)
Parents could install keyloggers and such but then the kid can wipe the OS clean.
On the other hand with a mobile phone (even a dumbphone that does not do Java) the parent can sign up to a service and get location data, which isn't escaped easily except by switching the phone off and maybe the child having a second, "undeclared" phone.
Re: (Score:2)
What, DRM doesn't work? *gasp*
(Yes, it's a form of DRM).
Of course, I wonder if iOS8 fixed the "bug" in iOS7 that prevented SnapChat from making a note that a screenshot was captured....
Nice article (Score:1)
But much more importantly. Link to photos?
Re:Nice article (Score:4, Informative)
Some of the photos were taken by minors. Kids often use poor judgement.
Adults looking for those photos have no excuse.
Assuming you're not a jerk looking to exploit children, then it's clear you want adult pornography.
Try Google.
Re:Nice article (Score:4, Interesting)
I'm curious if anyone is being exploited in the sense of exploiting children if they take their own pics and you end up seeing them.
I'm not saying it is ok to view them or anything, I'm just under the impression that the exploitation comes from children being forced or enticed into the photos and the viewer while not participating in the actual act, is enabling it by creating demand. So if a child takes a photo of themselves for their own reasons, is anyone actually being exploited?
Or is that a legal term that applied in all situations regardless of any inherent or lack of logical connection?
Re:Nice article (Score:5, Informative)
Good question: [findlaw.com]
"Though their laws were created to protect minors from exploitation caused by others, states are prosecuting minors under child pornography statutes for sending nude or otherwise lurid self-portraits, even when the minors sent the selfies without coercion. The common quirk in the laws is that there is no exception for taking or distributing sexually explicit pictures of oneself. Thus, a high school student sending a racy selfie to a boyfriend or girlfriend could subject both themselves and the receiver to prosecution for child pornography. If the picture makes its way around other social circles through online or direct sharing, anyone who received or distributed the photo could also find themselves open to charges."
Re: (Score:3)
I'm curious if anyone is being exploited in the sense of exploiting children if they take their own pics and you end up seeing them.
Not in my view.
I'm just under the impression that the exploitation comes from children being forced or enticed into the photos and the viewer while not participating in the actual act, is enabling it by creating demand.
It's funny how Hollywood claims that downloading music and movies is destroying the entertainment industries, while the think-of-the-children crowd says downloading photos somehow "creates demand". I suspect both sides are just making shit up to bolster their particular agendas.
Re: (Score:2)
Why is a child exploited, if it sends images it made itself? The leak is not voluntary, but the photos are. So there is nobody exploited, even when the leak may lead to awkward situations. The whole "it's child abuse" argument is invalid for selfies.
Re: (Score:2)
It's worse, they're promoting copyright violation!
Re: (Score:2)
Indeed!
Re: (Score:2)
Again, [findlaw.com]
"Though their laws were created to protect minors from exploitation caused by others, states are prosecuting minors under child pornography statutes for sending nude or otherwise lurid self-portraits, even when the minors sent the selfies without coercion. The common quirk in the laws is that there is no exception for taking or distributing sexually explicit pictures of oneself. Thus, a high school student sending a racy selfie to a boyfriend or girlfriend could subject both themselves and the receive
Re: (Score:2)
I did not doubt it (in fact I did not even consider it, as I do not live in US legislation), but made an argument from the reason / moral point of view, not from the legal one.
Re: (Score:2)
I apologize for my American-centric view, but my world view is bounded by it.
Moral points of view are, necessarily, outside the legal system and are within the scope of faith.
For me, viewing nude pictures of children, whether the source is from immature minors or mature adults, is not so much a matter of ethics violation as it is viewing evidence of a crime.
Re: (Score:2)
I am not sure, if this is a question of nationality, what's your point of view.
What I DO support:
- obey the law
- if you do not like the law, form a group to change it.
But further: "Have an Opinion!".
And this does not need to match the law. When I say "with sexting there is no victim", I do not say that sexting is legal, but it may mean that I would support laws which do not mark every picture of a nude child as illegal, disregarding the way they were created.
I do obey the current law, but if the cause wo
Re:Nice article (Score:5, Insightful)
A healthy percentage of those pictures are going to be of underage teens. They aren't going to be as readily distributed as the celeb leaks because of the real threat of jail time and a ruined life for anyone attempting it.
So wait-- where's the outrage? (Score:3, Insightful)
Where are all the Lovejoy Law [slashdot.org] paternalists who normally go after tor and p2p services? Shouldn't they be going after Snapchat for the same reason [youtube.com]?
Re: (Score:2)
Last I looked (i.e. not recently), Android user-accounts require the user to be 18.
At the same time, I've seen no non-enterprise solutions for locking down an Android phone.
Re: (Score:2)
HAVE they learned any lessons? Seems to me the ones with the problem are the users. SnapChat will likely still be there after this blows over.
Tired of it (Score:1)
Let's stop looking at the tech involved and look at the human aspect of the problem.
From cheesy celebs and iCloud to the entire concept of nudies (or whatever) when what the NSA has been doing, collecting EVERYTHING, is common knowledge, and the "news" media is rife with hacking stories.
It isn't the tech involved, it's the stupidity/ignorance of some humans.
Re: (Score:2)
I saw a bumper sticker that said you can't fix stupid. I think that is right because a lot of these people do not want to learn the details and scary parts of a lot of these things. It's like the TV, they want to push the button or rotate the knob and have it come on and be useful to them (entertainment). They do not want to be bothered with how a signal is transmitted or how the TV translates that to something they might want to watch- they just want it to do its magic behind the scenes so they can enjoy
Re: (Score:1)
I saw a bumper sticker that said you can't fix stupid.
Sure, but you can fix ignorance. Snapchat strongly markets the feature that the pictures disappear (it's really the only thing they're banking on). Since the beginning, that was very misleading, almost to the point of being completely false. While looking at said picture, the user can take a screenshot, take a picture of their phone with another camera, or use a variety of apps to capture the image.
IMO, it should be made more clear that it's similar to automating the act of deleting all pictures you receive
The rules are the problem (Score:3)
This is the way the web works. Service in exchange for private information. If it were 2000 it might be surprising. But it is not. And most everyone who is using snapchat has grown up in a world where such is standard mode of operation.
Who's responsible for the lack of security? (Score:2)
Eyeball Security (Score:1)
"Without controlling the endpoint devices themselves"
This guy's right guys. Snapchat doesn't have control of anyone's eyeballs yet and as a result you cannot consider this software secure.
Please call this "the snappening" (Score:2)
/ not a snapchat user
Re: (Score:3)
Why not? Looking at them is going to hurt you a hell of a lot more than it hurts me.
half-true, half-not-true (Score:2)
It's true that without controlling the endpoints, Snapchat can't stop one particular attack vector: the people who control those devices saving images themselves. The usual "DRM" problem.
But what seems to have happened here is that users installed an app which, unbeknownst to them, sent copies of the images to a third-party server. That threat model is possible to guard against, although it's arguably more an issue with Android than Snapchat that something like that easily happens without users noticing, be
Re: (Score:2)
Android could perfectly well let you give an app local permissions without giving it call-out-to-the-network permissions. Snapsave shouldn't need to ever call out to external servers in the first place, if it does only what it advertises.
Android doesn't do this because of their broken ad-based ecosystem, though: they don't want to draw your attention to apps that unnecessarily call out to the network, because the most common reason for doing so is to show ads.
Web Server 101 (Score:3)
"...was created to allow Snapchat users to access their sent and received images from a browser..."
"...but which also secretly saved those images on a SnapSaved server"
Uh, hold up there, genius Snapchat users. Perhaps this is oversimplifying a bit, but let me remind you how a server works.
You see, images are uploaded to server storage in order to be served to your browser as you so deftly requested to access at a later time...you know, with a browser.
What the hell do you mean "secretly" saved?!?
I suppose the rest of the world's servers magically save their images nowhere. And totally in secret so no browser could find it, right?
And yet you're now shocked and appalled to find images all over your Snap Saved server.
SMFH
Re: (Score:2)
The problem isn't SnapCHAT's servers, or the client-server model. It's that this app was allowing users to bypass SnapChat's supposed anti-copy protections WHILE ALSO making its own copies.
IDWISOTT (Score:4, Insightful)
Ars Technica identifies the culprit as SnapSaved, which...secretly saved [users'] images on a SnapSaved server
In related news: Mysterious Twitter-related injuries traced to users of popular addon service TweetAndWeHitYouWithASpanner.com
(and why in god's name does a service like SnapChat have an API?)
Re: (Score:2)
I mistakenly thought the API was public; it would be nice if certain clueless news sites (and the author of TFS) would point out this is a reverse-engineered interface.
It might as well be public, though, considering how long ago it was discovered and how many apps/services/libraries are using it. Snapchat is supposed to be in the business of privacy; if they won't give full effort to protecting their users they deserve this fiasco.
Re: (Score:2)
(and why in god's name does a service like SnapChat have an API?)
If you find yourself asking why a service has a programming interface, you have found yourself on the wrong website.
film at 11 (Score:3)
Ill-conceived idea turns out to have been badly implemented. Film at 11.