Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Details On The 3rd-Party Apps That Led to Snapchat Leaks

Posted by timothy on from the you-didn't-really-think-they-were-secure-did-you dept.

Yesterday we posted a link to Computerworld's reports that (unnamed) third-party apps were responsible for a massive leak of Snapchat images from the meant-to-be-secure service. An anonymous reader writes with some more details: Ars Technica identifies the culprit as SnapSaved, which was created to allow Snapchat users to access their sent and received images from a browser but which also secretly saved those images on a SnapSaved server hosted by HostGator. Security researcher Adam Caudill warned Snapchat about the vulnerability of their API back in 2012, and although the company has reworked their code multiple times as advised by other security researchers, Caudill concludes that the real culprit is the concept behind Snapchat itself. "Without controlling the endpoint devices themselves, Snapchat can't ensure that its users' photos will truly be deleted. And by offering that deletion as its central selling point, it's lured users into a false sense of privacy."

101 comments

  1. Excuse me while.. by Anonymous Coward · · Score: 4, Insightful

    I don't feel sorry for those who thought this was seriously secure, and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

    1. Re:Excuse me while.. by houstonbofh · · Score: 2

      A lot of the people falling for it were not here in 1999...

    2. Re:Excuse me while.. by Calydor · · Score: 2

      Which means it has been like this for ALL OF THEIR LIVES.

      At least old people have the excuse that it's relatively new to them.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:Excuse me while.. by CaptainDork · · Score: 0

      Wrong.

      How about if we do this:

      "I don't feel sorry for those who thought banks were seriously secure, and two [where's "one?"], who the hell sends dollars to banks and actually thinks other people won't steal them? 1999 called and it wants it's noobs back."

      Go away.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Excuse me while.. by Lehk228 · · Score: 3, Insightful

      if they are 15 and under they should not be taking nude photos at all!

      --
      Snowden and Manning are heroes.
    5. Re:Excuse me while.. by TWX · · Score: 3, Interesting

      I don't feel sorry for those who thought this was seriously secure, and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

      See, I can feel some mild sympathy, basically pity, for those that were stupid enough to think that something electronic and stored in a common format over a common communications medium was secure. That doesn't mean that don't assign at least some blame for their circumstances though.

      This has been a problem since well before 1999. Naked pictures were exchanged on BBSes and on Usenet since the inventions of the scanner and the digital camera. The only difference is that it's easier than ever to do that distribution now, and sharing requiring human interaction has been supplemented by software that seeks out and stores such content.

      Until the technology has actually matured there's no safe solution. Even computer professionals don't necessarily understand all aspects of all of the software that could have access to the content on a user's electronic devices; simple users literally have no chance.

      --
      Do not look into laser with remaining eye.
    6. Re: Excuse me while.. by Anonymous Coward · · Score: 2, Insightful

      Even if you were to "..control the endpoint device..." in the sense I read (locked down hardware, software), what's to prevent someome from simply taking a picture of the image being displayed using an independent camera?

      The fact of the matter is, once data is shared in the analog, there's plenty of independent technologies that can capture a rendition of the data and there will be for the forseeable future (quantum entanglement has come a long way but we're not sharing nudes using the principle, *yet*). They may no be perfect and may be lossy, but they're good enough to be damaging in this context.

    7. Re: Excuse me while.. by TWX · · Score: 1

      I could see someone designing a screen that can't be accurately captured by at least a digital camera, but anything that the human eye can see, an analog lens and film can also image. Screens that couldn't be imaged electronically would probably be restricted to the most sensitive of data where any concern for espionage would make it desirable to spend the money to make such a screen work, and where someone couldn't infiltrate with a film camera.

      In short, something of a pipe-dream.

      --
      Do not look into laser with remaining eye.
    8. Re: Excuse me while.. by Anonymous Coward · · Score: 0

      Easier now? I don't know. I remember signing on AOL back in the day and hearing, "you have mail". Nothing like getting your pr0n mass mailed to you.

    9. Re:Excuse me while.. by Kjella · · Score: 4, Insightful

      and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

      Teens who want to get laid. Like it or not, cell phones and social media has taken over a lot of the real-world interaction we used to have as teens. Mainly because I didn't have a cell phone until my late teens, much less a camera phone and nothing like social media. A lot of the flirting and teasing that used to happen in dark corners at parties is now happening through texting and sexting online. Not to mention the upkeep of an ongoing relationship, if you wanted to get more graphical than you'd say over a fixed phone line in the hallway you had to hook up in person. Today you're more expected to keep it up all the time, even if you're apart which means sending naughties on Snapchat and such. Yes, sometimes it backfires badly but people in love won't believe their love will stab them in the back. And while I'm pulling this statistic out of my ass, I think most personal photos most of the time aren't shared with anyone but the intended recipient and aren't abused. And I think that still holds true even though these 200k pics leaked.

      --
      Live today, because you never know what tomorrow brings
    10. Re:Excuse me while.. by drnb · · Score: 4, Insightful

      "I don't feel sorry for those who thought banks were seriously secure, and two [where's "one?"], who the hell sends dollars to banks and actually thinks other people won't steal them? 1999 called and it wants it's noobs back."

      Banks are regulated by the government. Bank deposits are insured by the government. When banks get robbed depositors do not lose money. If you want to refer to "noobish" days when depositors were vulnerable you have to go back long long before 1999.

    11. Re: Excuse me while.. by ShaunC · · Score: 1

      MM's, the good old days!

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    12. Re:Excuse me while.. by Anonymous Coward · · Score: 1, Insightful

      if they are 15 and under they should not be taking nude photos at all!

      Don't forget to lobby for more abstinence-only sex education!

    13. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      Good luck with that.

      When your security requires average humans to make well-thought out security decisions (e.g. never reusing passwords), there's already something wrong. When you're relying on under-15 year olds to make good decisions (in this case, not taking nude photos), you should just give up.

    14. Re: Excuse me while.. by Anonymous Coward · · Score: 0

      Even if you were to "..control the endpoint device..." in the sense I read (locked down hardware, software), what's to prevent someome from simply taking a picture of the image being displayed using an independent camera?

      The primary reason is that most people have one phone and one camera and they're in the same device. ;-)

      But, seriously, you can't close the analog hole, and even that seems to remain merely a proof of concept because DRM tends to have plenty of digital holes that are easier.

    15. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      Going further, there's a cause for why more of this flirting is happening remotely instead of in-person: helicopter parents. Teens spend a lot less time in the physical presence of their friends than they did a few decades ago.

      This and other interesting analysis of how young people use social media can be found in danah boyd's It's Complicated (free ebook at that link).

    16. Re:Excuse me while.. by wvmarle · · Score: 4, Insightful

      Agreed with the "should not" part.

      However "should not" and "not doing" are two different things - especially for exactly kids that age. It's the age of self-discovery, of rebellion, doing things they know they shouldn't do, without yet realising the consequences.

      In my time (I was that age in the late 1980s), taking nude pics of oneself and sending it to school friends was just not an option. That's probably the only reason it didn't happen back then, or any time before the early 2000s - the time web cams became ubiquitous, and instant digital shots could be made from the privacy of one's bedroom, with little to no chance of parents finding out. Nowadays of course web cams have been replaced by mobile phones, making it even easier.

      It is more reasonable to understand that there are always kids that actually do this, trying to stop them is futile. Instead teaching general computer security as part of modern day computer lessons would be the way to go. One major part should be to have all people understand that if you can see a picture, you can save that picture, period. No matter what the app proclaims. It may be hard, you may not be able to pull it off yourself, but it can be done, and as a result those pics and other data may end up where you don't want them to.

    17. Re:Excuse me while.. by wvmarle · · Score: 2

      Banknotes are pretty anonymous, if someone steals a banknote from me, that sucks as I lose some money, however if he shows it to someone else there's no additional harm to me.

      Now compare that to digital nude photos, especially the ones with the person's face in it.

    18. Re:Excuse me while.. by wvmarle · · Score: 1

      In turn, helicopter parenting is made so much easier thanks to mobile phones. After all, now there's the option to call your kids every 10 mins, no matter where they are.

    19. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      Yeah, it may be true that most people are borderline mentally retarded, but not everyone 15 year old is an idiot.

    20. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      Well fuck I may or may not have made a geo cities website featuring my nudes when I may or may not have been 15. thinking back at it that would have been really fucking illegal.

    21. Re: Excuse me while.. by SoOverIt · · Score: 1

      Amen!

    22. Re: Excuse me while.. by Anonymous Coward · · Score: 0

      It's never hard: kids just point the camera of one phone at the screen of another!

    23. Re:Excuse me while.. by Anonymous Coward · · Score: 1

      if they are 15 and under they should not be taking nude photos at all!

      If they are under 15 then there are a wide range of activities they should not be engaging in, but most likely are still going to try. Because that's how life works for kids. Thus we have the role of the Parents, who are supposed to be keeping an eye on things.
      So yes, I do feel a degree of sympathy for the kids because they are young and stupid about such things, and obviously have parents who either cannot, or will not, monitor their actions to prevent such behavior.

    24. Re:Excuse me while.. by Anonymous Coward · · Score: 1

      In turn, helicopter parenting is made so much easier thanks to mobile phones. After all, now there's the option to call your kids every 10 mins, no matter where they are.

      Yes and no. A tech-savvy 'helicopter parent' could install a variety of computer and network based monitoring and logging equipment to hover over every keystroke made by their child. This is not nearly so easily done with a mobile device. Yes, there are some monitoring solutions but they have both technical limitations and drawbacks in terms of social concerns related to how much you really want to train your kids to accept omnipresent surveillance.

      Frankly speaking, we need to make an effort to get basic education in place for technology. Essentially a version of 'Don't take candy from strangers' for the "Digital Age", where we teach kids at an early age to foster a healthy distrust regarding the marketing claims made by applications, companies, etc.

    25. Re:Excuse me while.. by Blaskowicz · · Score: 1

      Parents could install keyloggers and such but then the kid can wipe the OS clean.
      On the other hand with a mobile phone (even a dumbphone that does not do Java) the parent can sign up to a service and get location data, which isn't escaped easily except by switching the phone off and maybe the child having a second, "undeclared" phone.

    26. Re:Excuse me while.. by allo · · Score: 1

      Why not? Because nudes are bad?

    27. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      Well fuck I may or may not have made a geo cities website featuring my nudes when I may or may not have been 15. thinking back at it that would have been really fucking illegal.

      Even thinking about that site you made now is probably illegal. Ah, modern crime where the victim and the perpetrator are one and the same.

    28. Re:Excuse me while.. by Zero__Kelvin · · Score: 1

      "... for those that were stupid enough to think that something electronic and stored in a common format over a common communications medium was secure.

      Stupid enough? I hate to break it to you, but most if not all secure systems work in exactly the way you decry to be "stupid". Maybe you've heard of SSL?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    29. Re:Excuse me while.. by ganjadude · · Score: 1

      how does a random 3rd party that you dont know seeing a picture causing "additional harm" to you??

      --
      have you seen my sig? there are many others like it but none that are the same
    30. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      And don't forget about being in possession of the documented evidence of a crime being a crime itself.

    31. Re:Excuse me while.. by wvmarle · · Score: 1

      As long as you can be sure that this third party doesn't know you, you're fine.

      But how can we be sure of that? Maybe this unknown third party uploads it with your name or other identifying information to some image site, Google finds and indexes it, and suddenly people that know you and that for fun search your name in Google, can find it. Same accounts for your future prospective employer, who receives lots of application letters, likes your resume, and a few Google queries later has your private parts in all their glory on his screen. As a result you never get a chance to even come for an interview. Not too far-fetched a scenario.

      So that's how an unknown third party seeing them may hurt you.

      If you happen to be a celebrity (if only as captain of your local school's football club) it's even more daunting.

    32. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      Why not? Because nudes are bad?

      In the USA, and in many so-called "Islamic" states, public nudity is indeed perceived as bad, always.

      In the civilized parts of the world, a more nuanced view is taken, where public nudity per se is not necessarily good or bad.

    33. Re:Excuse me while.. by GrumpySteen · · Score: 1

      People do things they shouldn't do all the time and kids aren't known for being great decision makers. You might as well suggest that nobody under 15 should be allowed to go through puberty for all the good it'll do.

    34. Re:Excuse me while.. by allo · · Score: 1

      I guess, there are many prude people, and you can show some respect. But as long as its kept private (its not public, when two persons send nudes to each other), it should not interest anyone but the two persons.

    35. Re:Excuse me while.. by Jeremi · · Score: 1

      Until the technology has actually matured there's no safe solution.

      Even if SnapChat worked 100% as advertised, it wouldn't be a safe solution, since your recipient could always take a photo of the image using another camera or phone. It's the DRM problem all over again, except now the "publisher" is some teenager rather than the movie industry.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    36. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      people in love

      Hahaha, my sides. This is simply horny teens sending crotch shots to each other thinking they are smarter than their parents.

      If the law wasn't so insane about it, this wouldn't even be a problem.

    37. Re:Excuse me while.. by ganjadude · · Score: 1

      well no, thats still not a random 3rd party seeing a photo of you. you have a bunch of qualifiers that need to be met before it would be causing harm to you.

      --
      have you seen my sig? there are many others like it but none that are the same
    38. Re:Excuse me while.. by wvmarle · · Score: 1

      The problem if the randomness of the third party is that you don't know who it is - for many random third parties it indeed won't matter, but not for all random third parties. You never know where the image ends up.

    39. Re:Excuse me while.. by houstonbofh · · Score: 1

      Yeah, it may be true that most people are borderline mentally retarded, but not everyone 15 year old is an idiot.

      And those are not the ones using snapchat for nude selfies...

    40. Re:Excuse me while.. by houstonbofh · · Score: 1

      Why not? Because nudes are bad?

      Well, the prison time for possession of some of them is bad...

    41. Re:Excuse me while.. by tlhIngan · · Score: 1

      I don't feel sorry for those who thought this was seriously secure, and two, who the hell sends naked pictures of themselves and actually thinks other people won't see them? 1999 called and it wants it's noobs back.

      What, DRM doesn't work? *gasp*

      (Yes, it's a form of DRM).

      Of course, I wonder if iOS8 fixed the "bug" in iOS7 that prevented SnapChat from making a note that a screenshot was captured....

    42. Re: Excuse me while.. by Anonymous Coward · · Score: 0

      Have you ever met a 13 to 15 year old they're sociopaths

    43. Re:Excuse me while.. by allo · · Score: 1

      Which means, if you're over 18 (16?), its bad for you to possess them. But taking them ...

      btw: Are there any court cases about people having or distributing underage photos of themself? That seems to be the corner case for some of the more rigorous laws.

    44. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      I wonder when you people will make it illegal for minors to look at their own naked bodies. Have you thought of that? You can't let children watch child porn!

    45. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      and you can show some respect

      No. What I wear or don't wear is none of people's business. The only reason I "respect" other people's prudishness is for fear of violence or legal consequences. There is nothing respectable about banning nudity. It's an irrational restriction of personal freedom.

    46. Re:Excuse me while.. by Anonymous Coward · · Score: 0

      your future prospective employer, who receives lots of application letters, likes your resume, and a few Google queries later has your private parts in all their glory on his screen. As a result you never get a chance to even come for an interview.

      Are your "private parts" so disgusting? Do you cover your eyes when you pee?

    47. Re:Excuse me while.. by Lehk228 · · Score: 1

      yes there have been convictions in state courts, I don't have citations right now. nude selfies are child pornography and are a crime to possess everywhere in the united states.

      --
      Snowden and Manning are heroes.
  2. Nice article by Anonymous Coward · · Score: 1

    But much more importantly. Link to photos?

    1. Re:Nice article by Anonymous Coward · · Score: 0

      Look in the usual places for a file called "Snappening" might be the right thing or maybe not. Who knows?

    2. Re:Nice article by CaptainDork · · Score: 3, Informative

      Some of the photos were taken by minors. Kids often use poor judgement.

      Adults looking for those photos have no excuse.

      Assuming you're not a jerk looking to exploit children, then it's clear you want adult pornography.

      Try Google.

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Nice article by wiredlogic · · Score: 4, Insightful

      A healthy percentage of those pictures are going to be of underage teens. They aren't going to be as readily distributed as the celeb leaks because of the real threat of jail time and a ruined life for anyone attempting it.

      --
      I am becoming gerund, destroyer of verbs.
    4. Re: Nice article by Anonymous Coward · · Score: 0

      I had not considered the child aspect :(. I will not have a gander at this set then!

      Thank you for warning me.

    5. Re:Nice article by sumdumass · · Score: 3, Interesting

      I'm currious if anyone is being exploited in the sense of exploiting children if they take their own pics and you end up seeing them.

      I'm not saying it is ok to view them or anything, I'm just under the impression that the exploitation comes from children being forced or enticed into the photos and the viewer while not participating in the actual act, it enabling it by creating demand. So if a child takes a photo of themselves for their own reasons, is anyone actual being exploited?

      Or is that a legal term that applied in all situations regardless of any inherent or lack of logical connection?

    6. Re:Nice article by DigiShaman · · Score: 1

      If parents are going to purchase an iPhone or Droid, they shouldn't allow them to install applications. Until they get a job and pay for both the phone and monthly cell bill, as a parent, you have every right to ensure they don't do stupid shit like this. For one, downloading and installing Snapchat.

      --
      Life is not for the lazy.
    7. Re:Nice article by CaptainDork · · Score: 4, Informative

      Good question:

      "Though their laws were created to protect minors from exploitation caused by others, states are prosecuting minors under child pornography statutes for sending nude or otherwise lurid self-portraits, even when the minors sent the selfies without coercion. The common quirk in the laws is that there is no exception for taking or distributing sexually explicit pictures of oneself. Thus, a high school student sending a racy seflie to a boyfriend or girlfriend could subject both themselves and the receiver to prosecution for child pornography. If the picture makes its way around other social circles through online or direct sharing, anyone who received or distributed the photo could also find themselves open to charges."

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re:Nice article by tepples · · Score: 1

      That'd be like buying your kid a Nintendo 3DS but not letting him or her buy games.

    9. Re:Nice article by Anonymous Coward · · Score: 0

      http://www.snappening.com/ Its an event planning site "in a snap"
      They are going to have a weird time soon.

    10. Re:Nice article by DigiShaman · · Score: 1

      Exactly! You don't let them buy games on their own for two reasons. 1: Children aren't likely to have earned money themselves other than through an allowance. 2: Parents have the final say-so in approval of games purchased requested by the child. What moronic parent hands their children cash and lets them spend it on unsupervised media??!

      --
      Life is not for the lazy.
    11. Re:Nice article by GNious · · Score: 1

      Last I looked (i.e. not recently), Android user-accounts require the user to be 18.
      At the same time, I've seen no non-enterprise solutions for locking down an Android phone.

    12. Re:Nice article by allo · · Score: 1

      why is a child exploited, if it sends images it made itself? The leak is not voluntary, but the photos are. So there is nobody exploited, even when the leak may lead to awkward situations. The whole "its child abuse" argument is invalid for selfies.

    13. Re:Nice article by fa2k · · Score: 1

      It's worse, they're promoting copyright violation!

    14. Re:Nice article by allo · · Score: 1

      Indeed!

    15. Re:Nice article by dcollins117 · · Score: 2

      I'm currious if anyone is being exploited in the sense of exploiting children if they take their own pics and you end up seeing them.

      Not in my view.

      I'm just under the impression that the exploitation comes from children being forced or enticed into the photos and the viewer while not participating in the actual act, it enabling it by creating demand.

      It's funny how Hollywood claims that downloading music and movies is destroying the entertainment industries, while the think-of-the-children crowd says downloading photos somehow "creates demand". I suspect both sides are just making shit up to bolster their particular agendas.

    16. Re:Nice article by tepples · · Score: 1

      "Parents ought to forbid from having a paper route and ought to confiscate all birthday money received from other relatives." Do I understand you correctly? And on what criteria should the parent evaluate a particular application before the parent will allow it to be installed on a child's device?

    17. Re:Nice article by Anonymous Coward · · Score: 0

      This. I don't think I bought anything for myself that my parents didn't know about before I left the house at 17.
      Where are these parents that just hand their kids a credit card and say "knock yourself out".

    18. Re:Nice article by CaptainDork · · Score: 1

      Again,

      "Though their laws were created to protect minors from exploitation caused by others, states are prosecuting minors under child pornography statutes for sending nude or otherwise lurid self-portraits, even when the minors sent the selfies without coercion. The common quirk in the laws is that there is no exception for taking or distributing sexually explicit pictures of oneself. Thus, a high school student sending a racy seflie to a boyfriend or girlfriend could subject both themselves and the receiver to prosecution for child pornography. If the picture makes its way around other social circles through online or direct sharing, anyone who received or distributed the photo could also find themselves open to charges."

      --
      It little behooves the best of us to comment on the rest of us.
    19. Re:Nice article by allo · · Score: 1

      I did not doubt it (in fact i did not even consider it, as i do not live in us legislation), but made a argument from the reason / moral point of view, not from the legal one.

    20. Re:Nice article by CaptainDork · · Score: 1

      I apologize for my American-centric view, but my world view is bounded by it.

      Moral points of view are, necessarily, outside the legal system and are within the scope of faith.

      For me, viewing nude pictures of children, whether the source is from immature minors or mature adults, is not so much a matter of ethics violation as it is viewing evidence of a crime.

      --
      It little behooves the best of us to comment on the rest of us.
    21. Re:Nice article by allo · · Score: 1

      I am not sure, if this is a question of nationality, whats your point of view.

      What i DO support:
      - obey the law
      - if you do not like the law, form a group to change it.

      But further: "Have an Opinion!".
      And this does not need to match the law. When i say "with sexting there is no victim", i do not say that sexting is legal, but i it may mean, that i would support laws, which do not mark every picture of a nude child as illegal, disregarding the way they were created.
      I do obey the current law, but if the cause would be big enough for me, i might try to make a petition, engage me in politics or something similiar.

      This is what i mean, when is say there is a (subjective) moral point of view and a legal one.

  3. hard lesson by Anonymous Coward · · Score: 0

    Security and convenience are inversely related, SnapSaved users just learned that lesson the hard way.

    1. Re:hard lesson by gweihir · · Score: 1

      HAVE they learned any lessons? Seems to me the ones with the problem are the users. SnapChat will likely still be there after this blows over.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Tired of it by koan · · Score: 1

    Lets stop looking at the tech involved and look at the human aspect of the problem.
    From cheesy celebs and iCloud to the entire concept of nudies (or whatever) when what the NSA has been doing, collecting EVERYTHING, is common knowledge, and the "news" media is rife with hacking stories.

    It isn't the tech involved, it's the stupidity/ignorance of some humans.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Tired of it by sumdumass · · Score: 1

      I saw a bumper sticker that said you can't fix stupid. I think that is right because a lot of these people do not want to learn the details and scary parts of a lot of these things. It's like the TV, they want to push the button or rotate the knob and have it come on and be useful to them (entertainment). They do not want to be bothered with how a signal is transmitted or how the TV translates that to something they might want to watch- they just want it to do it's magic behind the scenes so they can enjoy what it produces.

      This is probably why most people do not care or even put the NSA on their radar. What would fix that might be a hollywood movie to TV show that depicts several teens getting busted for some serious crime they had no part in because of data mining by the NSA and some cleaver circumstantial evidence. But then again, they might just think it is some story line plot with special effects and ignore it if it causes them to think outside their comfort zone very much. So the tech involve will likely have to account for the fact that you can't fix stupid to some degree.

    2. Re:Tired of it by Anonymous Coward · · Score: 1

      I saw a bumper sticker that said you can't fix stupid.

      Sure, but you can fix ignorance. Snapchat strongly markets the feature that the pictures disappear (it's really the only thing they're banking on). Since the beginning, that was very misleading, almost to the point of being completely false. While looking at said picture, the user can take a screenshot, take a picture of their phone with another camera, or use a variety of apps to capture the image.

      IMO, it should be made more clear that it's similar to automating the act of deleting all pictures you receive. For example, if they added a "feature" of being able to selectively save an image while you're viewing it, it would make it much more clear that the sender has zero security and should not assume the image will disappear soon. I'll admit that snapchat does do more than just an autodelete by significantly reducing the places and times when image data exists (ex. not writing it to long term storage / flash; removing it from memory after it has been viewed; etc), but they simply can't guarantee anything to the sender, and it does NOT take some elite hacker on the other end to save the picture (which is what many naive users think would be needed). This level of ignorance CAN be easily fixed.

  5. So wait-- where's the outrage? by Anonymous Coward · · Score: 3, Insightful

    Where are all the Lovejoy Law paternalists who normally go after tor and p2p services? Shouldn't they be going after Snapchat for the same reason?

  6. The rules are the problem by fermion · · Score: 2
    Collecting personal information on users is the status quo. All backends, be it google, apple, ms, collect information on users. It is how they make money and 'improve the product'. So instead of being in a position where everyone can agree that private information is private, we live in a world where we have to really work to understand what information is private, and what isn't. We see this with law enforcement and text messages. Most would say they are private, but law enforcement says they are public information. It is a small jump from text messages to photo sent to another person. If information collection were not the norm for everyone, then perhaps we could be upset that private information is being collected. But the web site provides a service, and of course it is going to take it's cut, in the forms of saving photos, for providing that service.

    This is the way the web works. Service in exchange for private information. If it were 2000 it might be surprising. But it is not. And most everyone who is using snapchat has grown up in a world where such is standard mode of operation.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  7. Who's responsible for the lack of security? by ZipK · · Score: 1

    Perhaps Evan Spiegel and Bobby Murphy can blame the lack of security on Reggie Brown. Too bad they weren't given an opportunity in their depositions

  8. Eyeball Security by Anonymous Coward · · Score: 1

    "Without controlling the endpoint devices themselves"

    This guy's right guys. Snapchat doesn't have control anyone's eyeballs yet and as a result you cannot consider this software secure.

  9. Please call this "the snappening" by Snotnose · · Score: 1

    If there is a god of truth and justice, the fappening is being followed by the snappining.
    / not a snapchat user
    // nor 4chan
    /// nor TPB, um, I plead the 5th here.
    //// stupid is as stupid does

  10. A Novel Idea.... by Anonymous Coward · · Score: 0

    Don't take naked pictures of yourself...

    1. Re:A Novel Idea.... by russotto · · Score: 2

      Don't take naked pictures of yourself...

      Why not? Looking at them is going to hurt you a hell of a lot more than it hurts me.

    2. Re:A Novel Idea.... by Anonymous Coward · · Score: 0

      Your lack of empathy is far more disturbing than anyone's foolish trust. It's sad and funny.

    3. Re:A Novel Idea.... by nystire · · Score: 1

      Do you include links to brain-bleach or eye-ball sized spoons with your pictures? :)

  11. half-true, half-not-true by Trepidity · · Score: 1

    It's true that without controlling the endpoints, Snapchat can't stop one particular attack vector: the people who control those devices saving images themselves. The usual "DRM" problem.

    But what seems to have happened here is that users installed an app which, unbeknownst to them, sent copies of the images to a third-party server. That threat model is possible to guard against, although it's arguably more an issue with Android than Snapchat that something like that easily happens without users noticing, because Android's app-permission model leaks like a sieve.

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    1. Re:half-true, half-not-true by Gaygirlie · · Score: 1

      But what seems to have happened here is that users installed an app which, unbeknownst to them, sent copies of the images to a third-party server.

      No, it was the recipients who used Snapsaved. If you can receive the image, you can save it somewhere, too.

      That threat model is possible to guard against, although it's arguably more an issue with Android than Snapchat that something like that easily happens without users noticing, because Android's app-permission model leaks like a sieve.

      Don't try to blame Android for this. There is nothing Android can do to stop people from hooking to other peoples' APIs, especially when the server isn't even running on Android at all.

    2. Re:half-true, half-not-true by Trepidity · · Score: 1

      Android could perfectly well let you give an app local permissions without giving it call-out-to-the-network permissions. Snapsave shouldn't need to ever call out to external servers in the first place, if it does only what it advertises.

      Android doesn't do this because of their broken ad-based ecosystem, though: they don't want to draw your attention to apps that unnecessarily call out to the network, because the most common reason for doing so is to show ads.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    3. Re:half-true, half-not-true by Gaygirlie · · Score: 1

      In your rush to complain about Android you made a few mistakes, there. For one, it's an alternative client on Android to the official one, so how would you actually use it without network-permissions? Secondly, they also offered a web-client useable on browsers, useable on desktops and laptops and whatnot, so again, how's Android at the fault for stuff that isn't even running on Android?

  12. Web Server 101 by Anonymous Coward · · Score: 3

    "...was created to allow Snapchat users to access their sent and received images from a browser...

    "...but which also secretly saved those images on a SnapSaved server

    Uh, hold up there, genius Snapchat users. Perhaps this is oversimplifying a bit, but let me remind you how a server works .

    You see, images are uploaded to server storage in order to be served to your browser as you so deftly requested to access at a later time...you know, with a browser.

    What the hell do you mean "secretly" saved?!?

    I suppose the rest of the worlds servers magically save their images nowhere. And totally in secret so no browser could find it, right?

    And yet you're now shocked and appalled to find images all over your Snap Saved server.

    SMFH

    1. Re:Web Server 101 by GTRacer · · Score: 1

      SnapSaved's server != SnapChat's server.

      The problem isn't SnapCHAT's servers, or the client-server model. It's that this app was allowing users to bypass SnapChat's supposed anti-copy protections WHILE ALSO making its own copies.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  13. Bad Conclusion by Anonymous Coward · · Score: 0

    Controlling the endpoint is not enough. Even controlling the pipes the data goes through isn't enough. Bigger and more important things than this are getting hacked. Perfect security is impossible.

        In Snapchat's case they do a pretty good job considering the fact that users can literally take a picture of their screen with a camera if they want to keep the pic they got sent. No one in the right mind should be thinking something sent with Snapchat is really going to get deleted.

        For people using 3rd party apps... yeah, trojans, never heard of them? Oh well. You took the risk, you got burned. It happens. Maybe you should just stick with sending pictures of your cat over the internet if you don't want the world to see what you're sending.

  14. IDWISOTT by pushing-robot · · Score: 3, Insightful

    Ars Technica identifies the culprit as SnapSaved, which...secretly saved [users'] images on a SnapSaved server

    In related news: Mysterious Twitter-related injuries traced to users of popular addon service TweetAndWeHitYouWithASpanner.com

    (and why in god's name does a service like SnapChat have an API?)

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:IDWISOTT by Gaygirlie · · Score: 1

      (and why in god's name does a service like SnapChat have an API?)

      Because it's not possible to design a server-client model without an API?

    2. Re:IDWISOTT by pushing-robot · · Score: 1

      I mistakenly thought the API was public; it would be nice if certain clueless news sites (and the author of TFS) would point out this is a reverse-engineered interface.

      It might as well be public, though, considering how long ago it was discovered and how many apps/services/libraries are using it. Snapchat is supposed to be in the business of privacy; if they won't give full effort to protecting their users they deserve this fiasco.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:IDWISOTT by drinkypoo · · Score: 1

      (and why in god's name does a service like SnapChat have an API?)

      If you find yourself asking why a service has a programming interface, you have found yourself on the wrong website.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. never was secure, the whole premise is flawed by Anonymous Coward · · Score: 0

    Has everyone forgotten about the analog hole?

    captcha: arousing

  16. Still an bad excuse by Anonymous Coward · · Score: 0

    There are too many files in the leak, which do not qualify as anything, somebody would want to save. This is a snapchat leak, not a leak of images people are saving, because they like the nudes, etc.

  17. film at 11 by Hognoxious · · Score: 2

    Ill-conceived idea turns out to have been badly implemented. Film at 11.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  18. Duh by Anonymous Coward · · Score: 0

    Snapchat is a stupid idea to begin with. Ephemeral communication is distrustful of the recipient, and there is no way to securely disclose something to someone you distrust. Securechat could only have worked as a DR rootkit, but then nobody would have tolerased using it. Plua there's the analog hole.

  19. hostgator... by Anonymous Coward · · Score: 0

    that's where i quit reading. that says enough right there.

  20. Web Server 101 by Anonymous Coward · · Score: 0

    Actually, I thought the whole point of SnapChat was that it severely limited the lifespan of a text? Like 30 seconds or something. Therefore I am completely befuddled by a service named "SnapSaved". Why save a SnapChat??