The Snappening: Security expert questions Snapchat's claim that it 'wasn't breached'

A cyber-security expert has called into question Snapchat’s claims that it wasn’t compromised nor could it be blamed for the reported leak of thousands of its users’ pictures.

Hackers have threatened to leak as many as 100,000 photos and videos once taken by everyday Snapchat users, in which to collate into a searchable database.

It is thought that a third-party client app had been amassing the media for several years and in a warning on the website 4chan, hackers said the dump will be released on 12 October – though there are also suspicions it could be a hoax.

Snapchat – a messaging service in which images self-destruct within seconds of them being sent – said that its servers “were never breached and were not the source of these leaks”, while laying responsibility for it solely on Snapchatters’ “use of third-party apps to send and receive Snaps – a practice that we expressly prohibit in our ToU”.

Mike Dager, the CEO for application security firm Arxan, told The Independent that the breach wouldn’t have been possible if Snapchat had adequate in-app protection.

“It’s clear that the security layers offered from the app stores are not enough to protect the critical policies residing in the apps themselves and to protect the end users from data compromise,” Mr Dager said.

“While Snapchat has gone on the record to say that neither the app nor their servers have been hacked, we scrutinise that claim.

“Since Snapchat does not provide an API for developers, the developers of the third-party apps must be reverse engineering either the Snapchat app or the network communication protocol. Once the third-party apps have emulated the Snapchat client, the apps gain access to the Snapchat user's private photos.

“As a result, the risk of a data breach is spread from Snapchat to the third-party app provider. Therefore, the risk mitigation must be initiated by mobile app developers themselves by deploying apps that have in-app defence and tamper-resistance attributes.”

The file dump, which 4chan users have called "The Snappening", could have further legal implications in that many of Snapchat’s users are teenagers and many of the compromising images could be of minors.

An anonymous photo trader told Business Insider that the third party client responsible was SnapSaved.com, a web client for the Snapchat app.

“In this case with the Snapchat leak, the third-party app seems to be playing an ‘under-the-cover’ role in accessing pictures and content from the servers of Snapchat and parlaying that over to their own servers that don’t have the same perimeter of security to protect users’ data,” Mr Dager added.

“Overall, mobile app developers need to step up their onus in their app protection capabilities before publishing to the app stores. Users need to be more cautious in granting access to their data instead of quickly accepting terms and assuming their data is only visible to that one app.”

The “Snappening” leak would be larger than that which it got its name from – the “Fappening” – where countless celebrities’ intimate and private photographs were hacked from their iCloud accounts and released.

Jeremy Linden, Senior Security Product Manager at mobile security firm Lookout, warned app users: “It's theoretically impossible to create secure self-destructing content and a determined recipient could grab whatever it is you're sending.”

He said that users should “check out the data collection terms of service for any application you're using and familiarise yourself with what's being collected.”

The Independent has contacted Snapchat for comment.