Oh, those darn third-party apps, their home-brewed APIs and their photo-leaking ways, Snapchat moaned on Wednesday morning, promising to cook up a public API to fix the situation… sooner or later.
It was referring to the entire ecosystem of third-party apps that’s sprung up around Snapchat’s ostensibly ephemeral but in actuality not-disappearing-at-all image app.
Developers of those third-party apps reverse-engineer the Snapchat API: the apps are neither built nor maintained by Snapchat itself.
Unfortunately, those third-party apps, whose security is often as porous as Swiss cheese, typically ask for your Snapchat login credentials in order to send or receive images (and often to snatch, and retain, those images before they go “poof!”) and to access account information.
As “Team Snapchat” points out, handing your login credentials to a third-party app opens the door for a developer or a crook to get at your account and send information on your behalf.
Snapchat has been picked up by a lot of young people lured in by the appeal of supposedly disappearing photos, so when it says “send information on your behalf”, we can translate that into “potentially steal your sexting nudies”.
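The credential handover the preceding paragraphs describe, and the “public API that it can control” the article says Snapchat now intends to build, come down to one design choice: does a third party hold the user’s password, or a first-party-issued grant limited to what the user agreed to? The following is an added illustration of the two paths side by side; it is not Snapchat’s code, not any third-party app’s, and the service, scope names, users and phone numbers in it are invented for the example.

```python
"""Password handover versus a scoped, revocable token.  Added illustration, not
Snapchat's API or any third-party app's code; all names here are invented."""
import hashlib, hmac, os, secrets, time
SCOPE_SEND, SCOPE_ACCOUNT = "send", "account"   # "account" = change phone/e-mail
ALL_SCOPES = {SCOPE_SEND, SCOPE_ACCOUNT}


class Denied(Exception):
    pass


def allowed(fn, *args):
    try:                      # True if the service performs the call, False if refused
        fn(*args)
        return True
    except Denied:
        return False


class FirstPartyService:
    """Toy stand-in for the account holder; a grant is a (user, scopes) pair."""

    def __init__(self):
        self._users = {}    # user -> [salt, pbkdf2 hash, profile dict]
        self._tokens = {}   # token -> {"user", "scopes", "expires", "revoked"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, phone):
        salt = os.urandom(16)
        self._users[user] = [salt, self._hash(password, salt), {"phone": phone}]

    def _check_password(self, user, password):
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(rec[1], self._hash(password, rec[0])):
            raise Denied("bad credentials")

    def grant_by_password(self, user, password):
        """Path 1: whoever holds the password gets every capability."""
        self._check_password(user, password)
        return (user, ALL_SCOPES)

    def issue_token(self, user, password, scopes, ttl=3600):
        """Path 2: identity proven once; the third party gets only these scopes."""
        self._check_password(user, password)
        if not set(scopes) <= ALL_SCOPES:
            raise Denied("unknown scope")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = {"user": user, "scopes": set(scopes),
                             "expires": time.time() + ttl, "revoked": False}
        return tok

    def grant_by_token(self, tok):
        meta = self._tokens.get(tok)
        if meta is None or meta["revoked"] or time.time() > meta["expires"]:
            raise Denied("token invalid")
        return (meta["user"], meta["scopes"])

    def revoke(self, tok):      # cut off a leaked token; no password change needed
        if tok in self._tokens:
            self._tokens[tok]["revoked"] = True

    def send(self, grant, to, payload):
        if SCOPE_SEND not in grant[1]:
            raise Denied("send not granted")
        return (grant[0], to, payload)   # what would go out on the user's behalf

    def change_phone(self, grant, phone):
        if SCOPE_ACCOUNT not in grant[1]:
            raise Denied("account not granted")
        self._users[grant[0]][2]["phone"] = phone

    def phone_of(self, user):
        return self._users[user][2]["phone"]


def demo():
    """Constructed scenario: a third-party app's secret store leaks; returns
    what the attacker could do with each kind of stolen secret."""
    svc = FirstPartyService()
    svc.register("alice", "correct horse", "+1-555-0100")
    svc.register("carol", "hunter2", "+1-555-0200")
    # Leak 1: the app had stored alice's raw password.  Total takeover.
    g = svc.grant_by_password("alice", "correct horse")
    password_send = allowed(svc.send, g, "bob", "sent 'on behalf of' alice")
    password_takeover = allowed(svc.change_phone, g, "+1-555-0199")
    # Leak 2: the app only ever held a send-only token for carol.
    tok = svc.issue_token("carol", "hunter2", [SCOPE_SEND])
    g = svc.grant_by_token(tok)
    token_send = allowed(svc.send, g, "bob", "still sent on carol's behalf")
    token_takeover = allowed(svc.change_phone, g, "+1-555-0299")
    svc.revoke(tok)
    token_after_revoke = allowed(svc.grant_by_token, tok)
    return {"password_send": password_send, "password_takeover": password_takeover,
            "token_send": token_send, "token_takeover": token_takeover,
            "token_after_revoke": token_after_revoke,
            "alice_phone": svc.phone_of("alice"), "carol_phone": svc.phone_of("carol")}
```

Run `demo()` and the difference is the whole argument: a stolen password lets the attacker both send as alice and take over her account, while a stolen send-only token lets the attacker send as carol but nothing more, and the first party can kill that token without carol touching her password. A third-party app that reverse-engineers the first-party login endpoint can only ever offer the first path.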
The cottage industry of apps and websites that have sprung up around Snapchat includes SnapSaved.com, which uses a reverse-engineered Snapchat API to save Snapchat images.
SnapSaved on Saturday admitted its Swiss cheese problem: namely, an attacker walked through a misconfigured Apache server and scooped up 500MB worth of images, hundreds of thousands of which were subsequently published online last week.
The reason SnapSaved had to reverse-engineer the Snapchat API – like other third-party apps hovering around Snapchat – is that Snapchat itself hasn’t yet provided a public API.
That’s a convenient position to maintain, given that it allows Snapchat to distance itself from security catastrophes like the SnapSaved incident.
None of that saved Snapchatters from having their photos stolen out from under their noses, though.
In fact, developers have for years pointed out that the unofficial API – an open secret that’s “widely circulated on the web”, The Verge reports – is a cinch to hack.
Furthermore, Snapchat’s been asleep at the wheel when it should have been working to close the technical loopholes that allow insecure third-party apps to flourish, they say.
Adam Caudill is one of those developers. Since 2012, the security researcher has been sounding alarms about how easy it is to reverse-engineer Snapchat’s API.
After this past weekend’s mass image spillage, he told Wired that he’s surprised it hasn’t happened sooner:
Your average developer can build something in a day’s time that interacts with Snapchat's API and saves everything that comes through it.
Soon after Caudill first gave Snapchat a heads-up about how easy it would be to build a pirate app that stripped out Snapchat’s time-deletion features, warning that unauthorized third-party apps able to do the same were “unavoidable”, Snapchat reworked its API.
Whatever it did in that rebuild, it didn’t slow Caudill down much: in a matter of months, he showed that he could still twist things around as he’d done before.
So now Snapchat’s going to tackle the issue of building a public API that it can control.
And what’s the timeline on that?
Welllllll….. you know, these things are hard, Snapchat says:
Snapchat’s known for its lackadaisical attitude about security.
Back in January, an attack vector it had dismissed as “theoretical” was used to turn it upside down and shake out 4.6 million user names and phone numbers.
Let’s see, how did Snapchat respond, do you recall? Did it apologise? Fix the problem? Convince us that this time its fix really worked?
Oh, no, that’s right, I remember now: it praised itself, didn’t apologise, and said it was really, truly fixing the problem this time around.
In sum, Snapchat’s chastising of third-party apps shirks the company’s own responsibility to create a safe environment for its users to inhabit, but it’s also in keeping with the history of how it approaches security.
Yes, third-party apps are potentially dangerous. Let’s hope that Snapchat’s going to expedite work on the most airtight public API it can muster.