A cache of about 13 gigabytes of pictures, some of them showing nude and underage users, leaked onto the open web on Thursday night. Most of them were posted to the 4Chan imageboard website. The cache came from the photo-messaging application Snapchat. Almost all of the image links have already been taken down by 4Chan over child pornography and trafficking concerns. According to 4Chan users, however, the cache contained more than 100,000 images.
Update (October 12, 4:00 PM ET): According to posters on 4Chan, the files were moved from the original Snapchat server to a non-indexed one by an operator running a web-based Snapchat viewer, SnapSaved.com. In two comments posted on the 4Chan board and on Pastebin, the text storing and sharing site, the original poster of the files states that their content will not be revealed.
It seems that the images were not taken from Snapchat’s servers, but from the servers of a third-party application that allowed users to save images and videos sent through Snapchat. In a statement to the press, a Snapchat spokesman asserted that there was no security breach of Snapchat’s servers and that the leak did not come from them. The cache was probably taken from third-party applications that users use to send “snaps”. Using such applications is prohibited by Snapchat’s Terms of Service precisely to avoid breaches of this kind, the spokesman said.
According to a report by Business Insider, the files were briefly stored on a server hosting malware and web exploits, and posters on 4Chan who managed to download the files are already building a database of them, indexed by the Snapchat usernames associated with each image.
Neglecting Information Security
It looks like the leak was caused by a site called SnapSaved.com, a web-based Snapchat client that let users access their “snaps” from a web browser. According to DNS records, the service ran on a server hosted by the hosting company HostGator, but trying to connect to the site now only leads to SnapSaved.com’s Facebook page. This means their server must have been offline for months, yet it apparently kept every image sent or received through it without the users’ knowledge.
Snapchat’s API is not open to third-party developers, but last year the company demanded that the developer Thomas Lackner remove from the GitHub hosting service a library called Snaphax, which gives developers access to Snapchat’s API, claiming that he had violated the Digital Millennium Copyright Act. Lackner appears to have reverse-engineered the API from Snapchat’s Android client code, and he has not removed the library: it can still be found on GitHub. The code shows that images and videos are encrypted with 128-bit AES using a shared secret key that is hard-coded into the clients, which also use it in their SSL web sessions with the API.
It is unlikely that Snapchat has made any significant changes to the API code or the encryption key since then, as doing so would have cut off access for users running older Snapchat versions. Tests on older Snapchat versions for iOS have shown that this has not happened so far.
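The weakness described above is a symmetric key baked into every copy of the client: once the key ships inside an app, any party who reverse-engineers that app holds the same secret the server relies on, and rotating it later breaks older clients. The following script is an added example, not code from this article, from Snapchat or from the Snaphax project. It shows the check a defender would run over a client code base before release: scanning source for AES-sized hex or byte-array literals assigned to key-like identifiers. The sample source it scans is constructed here for illustration; the identifier names, patterns and sizes are assumptions, not anything taken from a real client.

```python
import re

# Constructed sample "client source" for the scanner to run over. It is not
# Snapchat's or Snaphax's code; it only imitates the pattern of a key literal
# compiled into a client.
SAMPLE_SOURCE = '''\
public class Crypto {
    // 16-byte key baked into the client: whoever holds the binary holds the key
    private static final String AES_KEY = "00112233445566778899aabbccddeeff";
    private static final byte[] IV = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                                      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
    private static final String USER_AGENT = "example-client/1.0";
    private static final String SECRET = "deadbeef";
}
'''

# Identifier names that usually hold secret material (applied to the
# identifier only, so words like "private" do not trigger it).
KEY_NAME = re.compile(r"(key|secret|passw|token|iv)", re.IGNORECASE)

# identifier = "<hex digits>"   and   identifier = {0x.., 0x.., ...}
HEX_ASSIGN = re.compile(r'\b(\w+)\s*=\s*"([0-9a-fA-F]+)"')
ARRAY_ASSIGN = re.compile(r"\b(\w+)\s*=\s*\{([^}]*)\}", re.DOTALL)

# Valid AES key lengths in bytes (AES-128, AES-192, AES-256).
AES_KEY_SIZES = {16, 24, 32}


def _line_of(source, offset):
    """1-based line number of a character offset within source."""
    return source.count("\n", 0, offset) + 1


def find_hardcoded_keys(source):
    """Return (line, identifier, byte_length, aes_sized) for each literal that
    looks like secret material compiled into the client.

    aes_sized is True when the literal is exactly one AES key length, which is
    the case a reviewer should look at first; shorter literals are still listed
    so that nothing key-like is silently skipped.
    """
    findings = []

    for m in HEX_ASSIGN.finditer(source):
        name, hexdigits = m.group(1), m.group(2)
        # Odd-length hex cannot be a byte string; unnamed-looking fields are skipped.
        if len(hexdigits) % 2 or not KEY_NAME.search(name):
            continue
        nbytes = len(hexdigits) // 2
        findings.append((_line_of(source, m.start()), name, nbytes,
                         nbytes in AES_KEY_SIZES))

    for m in ARRAY_ASSIGN.finditer(source):
        name = m.group(1)
        if not KEY_NAME.search(name):
            continue
        # Count array elements, ignoring whitespace and a possible trailing comma.
        items = [x for x in m.group(2).split(",") if x.strip()]
        nbytes = len(items)
        findings.append((_line_of(source, m.start()), name, nbytes,
                         nbytes in AES_KEY_SIZES))

    return sorted(findings)


if __name__ == "__main__":
    for line, name, nbytes, aes_sized in find_hardcoded_keys(SAMPLE_SOURCE):
        flag = "AES-sized key literal" if aes_sized else "short secret literal"
        print(f"line {line}: {name} ({nbytes} bytes) - {flag}")
```

The scanner is deliberately simple: it reports anything key-like and lets the AES-sized flag prioritise review, because the remedy (moving the secret out of the client and negotiating per-session keys instead) is the same regardless of how the literal was spelled. In a real pipeline it would run over the source tree or the decompiled build, not over one embedded string.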
None of the several applications that use reverse-engineered API code to connect to Snapchat on iOS or Android, including two called SnapSave, use a cloud storage option or appear to be connected to SnapSave.com. The SnapSave.com login page, reached via their Facebook page, states that the website is operated by a company called SnapSave Online Inc.
However, Snapchat has still not commented on the security of its API either.