Snapchat Says Users Were Victimized By Their Use of Third-Party Apps
Lucas123 writes: Reports that the servers of photo messaging site Snapchat were hacked are being denied by the company, which is now saying its users were instead victimized by their use of third-party apps to send and receive Snaps. Hackers on 4chan have said they broke into the site and they're preparing to release 200,000 photos or videos in their own database that will be searchable by Snapchatter name. According to one report, the third-party Snapchat client app enabled access for years to the data that was supposed to have been deleted. The hackers have said they have a 13GB photo library. For its part, Snapchat in a statement reiterated its Terms of Use Policy, that "expressly prohibits" third-party app use "because they compromise our users' security."
hahahahahahahaahahaa
now back to the cloud...
captcha: classic
So why didn't Snapchat take a proactive approach and ban the third parties? They really depended on the ToS for enforcement of security?
Will someone please stop this anonymous mystery hacker? he's causing havoc all over the place.
What app do they think the photos were stolen from? And I say "they think" since they are not giving access to anyone, so I guess that client was mimicking the official client and thus could not be detected by them.
I want to subscribe to this. Where is the link? I don't have much going on this weekend.
What app do they think the photos were stolen from? And I say "they think" since they are not giving access to anyone, so I guess that client was mimicking the official client and thus could not be detected by them.
Go onto Google Play and search for Snapchat. Many are openly advertising themselves as being able to save/leak photos.
So why didn't Snapchat take a proactive approach and ban the third parties? They really depended on the ToS for enforcement of security?
And how do you suggest that Snapchat verify that the software on the other side of the connection prove that it is the legitimate client rather than a 3rd party impersonating the legit client? Note that a legitimate user is intentionally running the 3rd party client and providing a correct username and password.
Since when is a thread on /b/ news? Its motto is literally
"The stories and information posted here are artistic works of fiction and falsehood.
Only a fool would take anything posted here as fact."
Seriously is this what passes for news today?
3 billion dollars from facebook now.
Snapchat's response was "they captured images by violating the TOS".
That's like a bank telling you it's not their fault if you lost money because the bank robber violated their posted TOS.
13GB? Seriously, that's not all that many pictures...
i would want to see, maybe, thirty....most people look better with more clothes on rather than less.
Boyfriend: "Wow, that's a great picture....but after the recent photo problem, are you sure you should be sending these kinds of pictures?"
Jennifer: "No, it's OK. I'm using this App called SnapChat and it deletes them automatically! They can't be saved or end up in the stupid cloud anymore."
... so far no one has said that people shouldn't be stupid enough to send nude pics and stuff.
Of course, our more important junk is up in the cloud, too.
It little behooves the best of us to comment on the rest of us.
try getting 3 billion dollars from facebook now.
Leaking personal information is facebook's business model, snapchat now looks more attractive to them.
Given the small file size of Snapchat pics, it should be about 600,000 pictures out of 30 million users, if I did the math right.
While I suppose it's possible that the reference to 'users' in 'their' is a different subset, the phrasing makes it seem that somebody who sent a picture was victimized by their own use of a third party app, while in reality all signs are pointing to the recipient of the photo using said app.
The recipients hopefully feel doubly-awful not just for betraying their friend's trust (not saving the image implied by the use of snapchat - technical feasibility and analog loopholes aside) in the first place, but for playing a pivotal role in those images possibly becoming public.
While I'm certainly in favor of educating people that when you send stuff to others, you have lost all control over it, no matter what assurances you get, I'm also in favor of educating people not to be jerks (be that the recipients, or the hackers).
Most of snapchat's 25 y.o. users don't even know where to buy a postage stamp.
Online at Amazon. Of course the seller, USPS, only gets a 4/5 star rating.
What parent said. Online societal ethics still have a long way to go before they catch up with meatspace ones.
Any sufficiently advanced technology is indistinguishable from magic.
-- Arthur C. Clarke
...or, sadly, the other way around.
The 3rd party apps only even worked because Snapchat is hideously insecure and has been from day one. It stored the pictures unencrypted on the device and didn't even bother actually erasing them (just moved them to another folder!). It's since improved slightly, but it's a fundamentally insecure design and they're apparently being too disruptive and innovative to fix it.
Should these guys really release 200,000 pictures, they would owe the copyright holders up to $30bn dollars in statutory damages if convicted.
Back around the year 2000, ISPs used to offer free web hosting to their customers. Some ISPs had templates that you could fill in with text and uploaded images, to make it simple to create a web page.
If ISPs still offered that service, and if customers who don't know how to write a web page used the service, then private web sites would be more dispersed, and therefore less tempting to crack. (Also, the customers wouldn't have to give out personal information, besides the info that they already needed to give out for their Internet connection.)
This service should let the customers password-protect their web pages.
This could be a more private and secure service for customers who just want a simple "Hello, this is me" web site.
Please share how to remotely verify the other app on the other end of the internet connection. An app the remote user intentionally ran and provided valid credentials to.
digital signatures built into the application
No. A digital signature lets a computer/device verify the software running **locally**. The problem stated is how to verify the software running remotely on a different computer/device. The software running remotely can just tell the snapchat server whatever it is expecting to hear.
And how do you suggest that Snapchat verify that the software on the other side of the connection prove that it is the legitimate client rather than a 3rd party impersonating the legit client?
Sign the traffic with a private key like any other app does? There's a reason we don't have all kinds of bogus and impersonating apps for AMEX, Chase Bank, etc. Their servers won't talk to clients without the correct key. Really, this isn't hard. If Snapchat's servers speak raw HTTP in the clear, it's their own fault third-party programs are out there.
You have things backwards. A client app can verify it is communicating with the real server when the server signs traffic with the private key and the client validates with the public key. However the problem we are discussing is something different, validating in the opposite direction. How can the server verify the remote client app? The same technique will not work because the client app can not have a private key. Any key embedded in a legit client can be copied to a 3rd party client. The 3rd party can sign the traffic with that key too.
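Added example, not part of the thread and not Snapchat's code: a minimal model of the argument in the comment above, showing what a server can and cannot learn from a request signed with a key that ships inside the client. The key value, function names and request shape are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed value: stands in for a secret shipped inside every copy of the official app.
EMBEDDED_APP_KEY = b"constructed-demo-key-shipped-in-every-install"


def sign_request(app_key: bytes, username: str, body: dict) -> dict:
    """Client side: attach an HMAC tag over the canonical request payload."""
    payload = json.dumps({"user": username, "body": body}, sort_keys=True).encode()
    tag = hmac.new(app_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def server_accepts(request: dict) -> bool:
    """Server side: all it can check is that the tag was made with the shared key."""
    expected = hmac.new(EMBEDDED_APP_KEY, request["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["tag"])


def official_client(username: str) -> dict:
    return sign_request(EMBEDDED_APP_KEY, username, {"action": "fetch_inbox"})


def third_party_client(username: str, key_from_official_app: bytes) -> dict:
    # A different program holding the same key and speaking the same protocol
    # produces byte-identical requests.
    return sign_request(key_from_official_app, username, {"action": "fetch_inbox"})


def client_without_key(username: str) -> dict:
    return sign_request(b"wrong-key", username, {"action": "fetch_inbox"})


if __name__ == "__main__":
    a = official_client("alice")
    b = third_party_client("alice", EMBEDDED_APP_KEY)
    print("official accepted:    ", server_accepts(a))
    print("third-party accepted: ", server_accepts(b))
    print("requests identical:   ", a == b)
    print("no-key client accepted:", server_accepts(client_without_key("alice")))
```

The signature proves possession of the key, not the identity of the program holding it, which is why the check only filters out clients that never obtained the key.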
If a 3rd party app sends a copy of an image to a 3rd party server it may very well do so when sending and receiving. It's premature to say that senders did not directly compromise their own data.
And since there are half a dozen ISPs in the united states that control the vast majority of users' internet connections you're back where you started. Except now users are stuck with crap interfaces provided by companies that can't innovate such as comcast and verizon.
I saw some samples. There are too many cat videos, funny stuff people did, totally boring videos and penises. While some guys may capture masturbating girls, the other stuff is nothing worth capturing and the intended audience is unlikely to install anything but the official client. I do not believe it's a Snapsave leak.
and they added a hidden .impressum.html with the real name / address of the user. meh.
At least the evidence so far implicates recipients as playing a pivotal role, rather than senders.
Wrong. As I speculated, a 3rd party app that sends the images of recipients to a 3rd party website may very well also send images of senders to a 3rd party website.
"SnapSaved was a Web-based client built for Snapchat that allowed users to access “snaps” from a Web browser. However, the service, which according to DNS records ran on a server at the hosting company HostGator, apparently kept all images received or sent by its users without their knowledge."
http://arstechnica.com/securit...
And if one's ISP does not permit hosting on non-business accounts giving their customer(s) a slice-host to use as you say would be the next best thing; the power of the internet is its being distributed.