Hundreds of thousands of supposedly self-destructing Snapchat snaps have been apparently jimmied out of the database for SnapSaved.com, a third-party website not affiliated with Snapchat that allows users to save unopened photos from Snapchat without the sender knowing the images have been saved.
From a message posted to the SnapSaved.com Facebook page (the website is currently down):
I would like to inform the public that snapsaved.com was hacked... We had a misconfiguration in our Apache server. SnapChat has not been hacked, and these images do not originate from their database.
As the Independent and other news outlets are reporting, messaging boards on the sludgy website 4chan have been filling up with tittering about the theft of the Snapchat images.
You remember Snapchat, right?
It’s that app that likes to say that images disappear – poof! – super fast. Which is a great idea, mind you, to keep its particularly young user base from sexting and living to rue the day.
Too bad it’s just an idea that doesn’t correspond to reality; the reality being that nothing stops a recipient from snapping a photo of the incoming flesh-o-gram.
Meanwhile, the supposedly disappearing images stay right on your phone (at least, they did when Paul Ducklin had a look last year).
There goes that “ephemeral” claim – poof!
And, of course, there are services such as SnapSaved.com, which can grab them for the recipients. From another post on its Facebook page:
Do you want to save snaps without the sender knowing you saved it?
Start saving your snaps at www.Snapsaved.com
Remember to login while the snap is unopened on your smartphone, or else it will be gone forever.
Which brings in the claims of the Snappening: namely, that 200,000 saved Snapchats were released over the weekend.
The cutesy name, “The Snappening”, presumably comes from The Fappening – also known as Celebgate, the serial release of celebrities’ private photos.
A blogger named Kenny Withers (NSFW) apparently first brought the Snappening to light and has maintained a running update of the 4chan threads.
He says the images have been released as a torrent of 13GB of photos and videos. However, Snapsaved.com claims only 500MB of images were stolen.
Snapsaved.com also says “0 personal information” was stolen in the breach.
In a statement on Thursday night, Snapchat said:
We can confirm that Snapchat’s servers were never breached and were not the source of these leaks.
Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.
However many photos there are, we’re talking about a doxing that would largely fall under the category of child pornography, given how young Snapchat’s user base is.
Parents, please, just play it safe, and don’t let your kids near these types of apps.
And for those of you over-age, remember that once you send a photo it’s out there forever. Just because it says it’ll “disappear”, doesn’t mean that it will.
Once again, if you don’t want your nudie pics being dumped – stop taking nudie pics. The silver lining here is that a whole generation is getting a wake-up call to privacy and the perils of cloud services.
Except this has absolutely NOTHING to do with cloud services…
SnapSaved provided a 3rd party app for smartphones which was able to intercept incoming photos on the SnapChat app. SnapSaved’s 3rd party app would then upload the intercepted files to their own server which was then later hacked.
Cloud services have no relevance to this story or situation.
Not quite correct. All on-line storage facilities, whether private or public, can be categorised as “cloud” storage. SnapSaved is such a service.
I would strongly encourage you NOT to recommend that parents keep their kids away from these types of apps. That is a recommendation that is likely only to create secrecy between a child and their parents. Rather, the better course is to recommend that parents remain aware of the dangers of believing any promise that apps may make — e.g. that images are rarely gone forever — and discuss that issue with their children.
Prohibitionism is unlikely to work with teenagers; they will simply find new unmonitored avenues. Open communication is far more helpful.
Apparently kennywithers.com has been taken down…
Yes, of course the real answer is to avoid sending nudie pics of yourself all over the internet in the first place.
But in terms of breach of trust, I don’t see snapchat as the villain here.
Person (A) is sending an image to a friend (B) and believes the image is on a time limited system.
(B) is actually deliberately routing the image via a server which stores the image and is deceiving (A) about this.
Sounds to me like the ‘friend’ (B) is the villain here.
There are other apps which do secure/time limited comms better than snapchat – proper crypto and memory wiping – but they make it clear that they can only give assurances their app/servers are secure … you have to decide for yourself if you can trust your ‘friend’
My problem with Snapchat is that their whole premise is false. If I can see it on my screen I can capture it. Snapchat knowingly offers an insidious illusion of safety.
Their users – many of them teens and tweens – cannot be expected to know this. If they are harbouring under the impression that Snapchat protects them it’s because Snapchat gave them that impression.
So Snapchat wasn’t standing idly by, it created the conditions – the giant, wilfully misled userbase – that allowed this to happen.
Into this void steps snapsaved.com which is equally odious. The site is not an honest attempt to point out a security hole nor a benevolent data carrier, it’s an exploitation tool.
And then yes, then you have the people using the service. People who’ve taken a conscious decision to exploit others who have given them their trust.
Plenty of blame to go around in my opinion.
I see it slightly differently.
If a snapchat type app/service is implemented correctly – and I know of at least one which appears to have robust crypto/device memory wiping etc – then it offers security in that it is not there for a third party at a later time.
You have to be able to trust the legitimate recipient of the message – if you don’t, then don’t send the message/image at all … by any system, including a piece of paper by hand.
When snapchat started up they seemed to offer more, but now they state …
“Please note: even though Snaps, Chats, and Stories are deleted from our servers after they expire, we cannot prevent recipient(s) from capturing and saving the message by taking a screenshot or using an image capture device.”
I don’t think they are breaching trust at this time – unlike people who have knowingly directed ‘confidential’ material via servers which allow them to deceive someone who trusted them.