
100,000+ Snapchat photos leaked on the Web

A cache of about 13 gigabytes of pictures, some of them of nude and underage users, leaked onto the open web on Thursday night. Most of them were posted to the 4chan imageboard. The cache came from the photo messaging application Snapchat. 4chan has already taken down almost all of the image links because of child pornography and trafficking concerns, but according to 4chan users the cache contained more than 100,000 images.

The Story
Update (October 12, 4:00 PM ET): According to posters on 4chan, the files were moved from the original server to a non-indexed one by the operator of SnapSaved.com, a web-based Snapchat viewer. In two comments, one on the 4chan board and one on the text storing and sharing site Pastebin, the original poster of the files states that their content will not be revealed.
It seems that the images were not taken from Snapchat's servers, but from the servers of a third-party application that let users save images and videos sent through Snapchat. In a statement to the press, a Snapchat spokesman said there was no breach of Snapchat's servers and that the leak did not come from them. The cache was probably taken from third-party applications that users use to send and receive "snaps". Snapchat's Terms of Service prohibit such applications precisely to avoid breaches of this kind, the spokesman said.
According to a report by Business Insider, the files were briefly hosted on a server that also served malware and web exploits, and the 4chan posters who managed to download the files are already building a database that indexes them by the Snapchat usernames associated with them.

Neglecting Information Security

The leak appears to have been caused by a site called SnapSaved.com, a web-based Snapchat client that let users view their "snaps" from a browser. According to DNS records the service ran on a server at the hosting company HostGator, but the site's address now leads only to SnapSaved.com's Facebook page. The server has apparently been offline for months, yet it seems to have kept every image sent or received through it, without the users' knowledge.
Snapchat's API is not open to third-party developers, but last year the company demanded that developer Thomas Lackner remove a library called Snaphax, which gave developers access to Snapchat's API, from the GitHub hosting service, claiming that he had violated the Digital Millennium Copyright Act. Lackner had apparently reverse-engineered the API from Snapchat's Android client code, and he did not remove the library: it can still be found on GitHub. The code shows that images and videos are encrypted with 128-bit AES under a shared secret key that is hard-coded into the client, and the client's SSL sessions with the API rely on hard-coded values as well. A key that ships inside every copy of the client is available to anyone who decompiles it, so it offers no protection against third-party clients such as the one behind this leak.
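To make the hard-coded-key problem concrete, here is an added example in Go; it is not code from the article, from Snaphax or from Snapchat. It assumes a constructed 16-byte placeholder key (not the real one), assumes AES in ECB mode as the cipher construction, and uses constructed "media" bytes. A third-party viewer that has pulled the key out of the app binary decrypts every snap with no help from the service, and because ECB has no chaining, repeated plaintext blocks are visible even to someone who does not have the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// embeddedKey stands in for the 16-byte AES-128 key that a reverse-engineered
// client carries in its binary. CONSTRUCTED placeholder, not Snapchat's key.
var embeddedKey = []byte("constructed-key!") // exactly 16 bytes

// pkcs7Pad pads data to a whole number of AES blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed input.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// ecbCrypt applies AES block by block with no IV and no chaining (ECB).
// encrypt selects the direction. ECB mode is an assumption of this example.
func ecbCrypt(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in)%bs != 0 {
		return nil, errors.New("input is not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if encrypt {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// EncryptSnap models what the official client does to media before upload.
func EncryptSnap(media []byte) ([]byte, error) {
	return ecbCrypt(embeddedKey, pkcs7Pad(media, aes.BlockSize), true)
}

// DecryptWithClientKey models a third-party viewer: it needs nothing from
// the service, because the only secret involved was lifted from the app.
func DecryptWithClientKey(blob []byte) ([]byte, error) {
	pt, err := ecbCrypt(embeddedKey, blob, false)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(pt, aes.BlockSize)
}

// RepeatedBlocks counts ciphertext blocks that occur more than once.
// A non-zero count is an ECB tell, observable without the key.
func RepeatedBlocks(blob []byte) int {
	seen := map[string]bool{}
	dup := 0
	for i := 0; i+aes.BlockSize <= len(blob); i += aes.BlockSize {
		k := string(blob[i : i+aes.BlockSize])
		if seen[k] {
			dup++
		}
		seen[k] = true
	}
	return dup
}

func main() {
	// Constructed "media": two identical 16-byte rows, as a flat image region would give.
	media := bytes.Repeat([]byte("0123456789ABCDEF"), 2)
	blob, err := EncryptSnap(media)
	if err != nil {
		panic(err)
	}
	recovered, err := DecryptWithClientKey(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("third-party client recovered media: %v\n", bytes.Equal(media, recovered))
	fmt.Printf("repeated ciphertext blocks visible without the key: %d\n", RepeatedBlocks(blob))
}
```

The point is not the cipher strength: AES-128 is fine. The design fails because the key is shared by every installation, so "encrypted in transit" says nothing about who can read the content once a copy of the client has been reverse-engineered, and rotating the key would break every older client still in use.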

It is unlikely that Snapchat has made any significant changes to the API or the encryption key since then, because doing so would have cut off users running older Snapchat versions. Tests with older Snapchat versions for iOS show that this has not happened so far.

None of the several iOS and Android applications that use the reverse-engineered API to connect to Snapchat, including two called SnapSave, offer a cloud storage option or appear to be connected to SnapSaved.com. The SnapSaved.com login page, reached from its Facebook page, states that the website is operated by a company called SnapSave Online Inc.

However, as of yet, Snapchat has still not commented on the security of its API.

Berta Bilbao

Berta is a dedicated malware researcher who dreams of a safer cyberspace. Her fascination with IT security began a few years ago, when a piece of malware locked her out of her own computer.
