Slap for SnapChat web app in SNAP mishap: '200,000' snaps sapped

Tens of thousands of stolen private SnapChat photos and vids are being plastered across the internet for perverts to download and ogle, it's claimed. SnapChat says it isn't to blame. When word spread on 4chan's notorious /b/ board that someone had allegedly swiped as many as 200,000 SnapChat files from strangers, it was feared …

  1. Anonymous Coward
    WTF?

    A question

    SnapSaved ... used the software's API to extract stills and short vids...

    Given that Snapchat is supposed to ensure that pictures are deleted after viewing, why does it provide an API for them to be extracted by third party software?

    1. depicus

      Re: A question

      It seems the API was intended for use only by Snapchat although by the sound of it they were lax on security but it was not a public API.

      1. Mad Chaz

        Re: A question

        Another nail in the "security by obscurity" myth's coffin I guess.

        Probably did something stupid like use a hard coded key in the app anyone with a compiler can extract.

        But even then, anyone stupid enough to use an un-official site to save snapchat pictures is stupid enough to not have understood the point of snapchat, nevermind the fact that giving your password to a third party is dumb in the first place.

        The good book has something about this too.

        " A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."

        1. beast666

          Re: A question

          I think you mean decompiler.

          Couldn't be arsed reading the rest of your nonsense...

          1. TheProf

            Re: A question

            "Couldn't be arsed reading the rest of your nonsense..."

            Ooh! Have we had a bad day Dear?

        2. Androgynous Cupboard Silver badge

          Re: A question

          I think you misunderstand - the people saving the pictures are likely the ones who received them, not the clueless mugs who sent them. But yes, first rule of digital content is that if someone else can decrypt the file for viewing, then you have to assume they'll find a way to decrypt it for saving. Snapchat was always a con.

          1. Anonymous Coward
            Anonymous Coward

            Re: A question

            "Snapchat was always a con."

            You have to wonder if the crooks of Wall Street are still seeing Snapchat as a $10bn business?

            I suppose the answer is that the value of any company is simply what the dumbest investor will pay for it. With stupidity having no lower boundary, it doesn't matter how laughable and revenue free an idea is, so long as a service has non-paying users, it can still be packaged up as the next great thing and sold.

    2. h3

      Re: A question

      Do they do anything to stop Virtualbox just recording a video of the whole session ? (Forward usb for webcam or whatever to it).

      Or one of those game capture devices.

      Nothing they can really do about it.

    3. Anonymous Coward
      Anonymous Coward

      Re: A question

      "why does it provide an API for them to be extracted by third party software?"

      It doesn't, the API is for the SnapChat client to get its only copy of the image/video, I presume the server then deletes its copy. SnapSaved used the API by seeing how the official client used it, saved the file, and then provided continued access to it.

    4. Dan 55 Silver badge
      WTF?

      Re: A question

      Why aren't Snapchat using OOB verification to generate a credential based on the mobile phone (e.g. IMEI or phone number) which a third party will not be able to access even if people are stupid enough to put in their username and/or password?

      1. Martin-73 Silver badge

        Re: A question

        That would just be another layer of obscurity. If it works over wifi, which I presume it can, rather than cellular data, then dumping the content of the packets is trivial. Yes, it would be beyond a third party website but still claiming 'the picture disappears' is disingenuous.

        1. Dan 55 Silver badge

          Re: A question

          I'm not claiming the picture disappears, I'm saying that on first run an SMS should be used to pass a credential which is then used later for logging in. Attempts to log in using the API by the third party would fail as they wouldn't have it.
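The scheme Dan 55 sketches above (an out-of-band SMS on first run that yields a device credential, which later logins must present alongside the password) can be shown as a small server-side model. This is an added illustration, not Snapchat's code or anything from the article; the account store, the SMS "outbox", the PBKDF2 parameters and the credential format are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory server state for the example (no real backend).
ACCOUNTS = {}      # username -> {"pw_hash", "salt", "phone", "dev_hash"}
PENDING_OTP = {}   # username -> one-time code awaiting confirmation
OUTBOX = []        # stands in for the SMS gateway: list of (phone, message)


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Assumed parameters; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str, phone: str) -> None:
    """Create an account with a password but no enrolled device yet."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {
        "pw_hash": _pw_hash(password, salt),
        "salt": salt,
        "phone": phone,
        "dev_hash": None,
    }


def start_enrolment(username: str) -> None:
    """First run, step 1: send a one-time code out of band to the account's phone."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTP[username] = code
    OUTBOX.append((ACCOUNTS[username]["phone"], f"Your enrolment code is {code}"))


def finish_enrolment(username: str, code: str):
    """First run, step 2: the app echoes the code; on success the server issues a
    device credential and keeps only its hash. The code is single-use: it is
    consumed whether or not it matched."""
    expected = PENDING_OTP.pop(username, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return None
    cred = secrets.token_urlsafe(32)
    ACCOUNTS[username]["dev_hash"] = hashlib.sha256(cred.encode()).digest()
    return cred   # held by the app on the device; the user never types it


def login(username: str, password: str, device_credential) -> bool:
    """Later logins need the password AND the enrolled device credential.
    A site that only collected username/password fails the second check."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["dev_hash"] is None:
        return False
    pw_ok = hmac.compare_digest(acct["pw_hash"], _pw_hash(password, acct["salt"]))
    if device_credential is None:
        return False
    dev_ok = hmac.compare_digest(
        acct["dev_hash"], hashlib.sha256(device_credential.encode()).digest()
    )
    return pw_ok and dev_ok


if __name__ == "__main__":
    register("alice", "hunter2", "+15550100")       # constructed sample account
    start_enrolment("alice")
    sms_code = OUTBOX[-1][1].split()[-1]            # the phone reads the SMS
    cred = finish_enrolment("alice", sms_code)
    print("device login:", login("alice", "hunter2", cred))
    print("password-only login:", login("alice", "hunter2", None))
```

As Martin-73 notes in the reply above, the credential is just another secret stored on the handset, so a user who hands the device (or a dump of it) to a third party has still given it away; what the check does buy is that a web form asking only for username and password can no longer pull the account's content.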

    5. Anonymous Coward
      Anonymous Coward

      Re: A question

      It is easy enough to explain that the design of snapchat exposes an API to other apps, but that misses the point: why did they not come up with a better design, one more appropriate to the stated aims of Snapchat?

      Failing that (and I can't believe they really couldn't come up with a way to close the hole), they could at least warn the user. But, the current text in the Play Store says simply:

      Please note: even though Snaps, Chats, and Stories are deleted from our servers after they expire, we cannot prevent recipient(s) from capturing and saving the message by taking a screenshot or using an image capture device.

      Note that there is no mention of the recipient(s) being able to capture the images internally.

      I think the text needs to be updated at least.

  2. Mark 85

    <rolls eyes>

    Lifted from a "dormant website"???? I'm thinking there's going to be a bunch of surprised parents and teeny-boppers out there soon.

    1. Anonymous Coward
      Anonymous Coward

      Re: <rolls eyes>

      Grown up ladies! Your most intimate nude selfies WILL inevitably be shared across the web, so please put some effort into making sure the lighting and framing are right, and the pose shows you off to your best. Thanking you in advance, AC.

      Younger ladies! Just don't do it, please.

      Blokes! Same as with the younger ladies.

  3. Vector
    Devil

    Proving once again...

    ...the internet does not know what impermanence is.

  4. Anonymous Coward
    Trollface

    why not, it's not like they'd notice

    "My article was not intended to 'shit' on /b/. I actually really love those guys," Withers insisted in a Reddit thread

    Hell, wouldn't that make /b/ cleaner?

    1. Anonymous Coward
      Anonymous Coward

      Re: why not, it's not like they'd notice

      Pissing in an ocean of piss, etc.

  5. John H Woods Silver badge

    Stupidity.

    If you can see it you can record it - even by pointing another flaming camera at the screen. Beyond that there's ... I dunno, VMs, Bluestack, Screenshots ... the list is endless.

    The idea that pictures can ever 'cease to exist' is surely a massive misrepresentation of the truth.

    1. Ian 55

      "The idea that pictures can ever 'cease to exist' is .. massive misrepresentation of the truth."

      Says someone who's never had a disc drive die when it's not been properly backed up!

  6. Anonymous Coward
    Anonymous Coward

    If it can be seen once....

    ... It can be recorded and seen again.

    Snapshot premise is a lie.

  7. Mephistro
    Devil

    Divide by Zero

    And you'll get the number of years until the general public gets a clue that everything you post online has a good chance of being made public and biting you in the ass years after the fact, no matter what some corporate mountebank tells you.

    It's also about the same time it will take the governments to stop private companies from scamming the public non-stop.*

    Of special relevance is the fact that the people whose privacy has been compromised weren't the ones who used a dodgy app/gave their passwords to a third party/had their device haxxored/did some terribly stupid thing, but the ones who sent their snapshits to them.

    I'm always trying to explain this to my clients, family and friends, but 90% listen attentively to my short, informative and not boring at all sermons (;-), they nod, and make encouraging noises and thank me profusely. One month later they're opening executable files that a friend sent them over email, giving their email addresses and passwords to any page that asks nicely, sending texts and images they wouldn't like to see printed in their obituaries, visiting webpages that require that you disable some of your security settings to have the privilege to see some cheap porn, and in general, doing really really stupid things.

    Mark my words: Internet will be the end of Mankind!**

    Note*: And I don't mean sending some spammer or scammer to the slammer (he!) twice a year so the public sees said governments as 'doing something about the problem'. I mean, as an example, preventing the telcos from profiting from scams or requiring a copy of a contract signed physically by the customer before allowing him/her to be charged for 'premium services' ~='scams'.

    Note**: hopefully "...as we know it." ;-)

    1. Ian 55

      "requiring a copy of a contract signed physically by the customer"

      Yes, because that really worked with the endowment mortgage scam, and the PPI scam, and the card protection scam, and...

    2. Jes.e

      Re: Divide by Zero

      Only *ONE* thumbs up?!?

      Very nice rant! And succinct too.

      Can I clip it to send to my friends and relatives?

      I have exactly the same problem trying to explain to folks what they are doing wrong..

      ..starting with why you don't use the same password everywhere!

      <facepalm>

      There was a website called DigiCrime which demonstrated in a humorous way the problems out on the web.

      It needs to be seriously updated..

    3. Anonymous Coward
      Anonymous Coward

      Re: Divide by Zero

      (Divide by Zero) + 1

      My non-techie friends look at me as if I am from yesterday and robbing my company. How come I ignore their friendship requests of snappy-tweety-F**.. groups.

  8. Rich 2 Silver badge

    Should never have come to this

    I blame Google and (I assume) Apple for ever allowing snapchat in the first place. It was always blindingly obvious what it was going to be used for and the resulting car crash was inevitable.

    1. Anonymous Coward
      Anonymous Coward

      Re: Should never have come to this

      Ah, I blame Google, Apple, MS for allowing functioning of their mobile OSs. It is blindingly obvious their App Stores are full of crooks selling torches requiring phone-book access while they have specifically written dev guidelines against this.

  9. Anonymous Coward
    Anonymous Coward

    Much ado about nothing

    OK, so someone has been naughty and there's potentially millions of personal pics floating about somewhere but on a non-technical level why all the fuss? It makes for a good DM headline but what are the chances of you being recognised by someone you know? Unless your content was absolutely outstanding it will remain to all intents and purposes anonymous. If it's so outstanding as to reach the top of the pile then maybe you should consider a career change. Personally I wouldn't take the effort to scan a pile of snapchat pics to find something interesting when there are plenty of sites with quality stuff already categorised for free.

    Paedophile angle? I suppose we are talking mainly about the 13-15 year group which while legally are underage it's not the end of the world. Not my cup of tea yet don't class it in the same league as 5 year olds and I doubt many of them are sending selfies to their friends. So more than likely another DM style mountain out of a mole hill.
