The “Snappening” Proves Self-Destructing Messages Are Not That Secure

According to some hackers on 4chan, up to 200,000 Snapchat images may have been stolen from a third-party service that got hacked. The hackers claimed that a searchable database of tens of thousands of pictures (including nude images) and videos will soon go live.

It seems the third-party service that was hacked is called SnapSaved.com, but the service was shut down months ago (possibly after the owners found out about the hacking themselves). The site allowed users to save the supposedly "self-destructing" images from Snapchat and check them out later on the web.

Snapchat put out a statement in response to the leak, nicknamed the "Snappening," saying the following:

"We can confirm that Snapchat's servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users' security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed."

The statement may be true, but it doesn't completely absolve Snapchat of all blame. Snapchat's main marketing message has been that you can safely take pictures that self-destruct within 10 seconds, making millions of people believe that their pictures are "private."

Unfortunately, Snapchat messages aren't even encrypted end-to-end (as they are when using an open source app like TextSecure), which means the company itself can decrypt them. In fact, Snapchat's Director of Operations has admitted before that the company gives authorities access to Snapchat images, as long as they haven't been opened yet by the recipient.

For agencies like the NSA or GCHQ (which has spied on nude pictures and videos before) that get access to Internet cables and collect all the data going through them, the "self-destructing" feature is completely irrelevant. If the messages aren't encrypted end-to-end, and they've done a Man-In-The-Middle attack against Snapchat's servers, then it can be rather easy to snag such messages in transit, before they are ever "self-destructed."

Without end-to-end encryption, you also can't be sure that Snapchat's servers don't have a cache of the photos somewhere, for redundancy purposes. If the images are not overwritten properly, it could also be possible to retrieve them with forensic tools.
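The point of the last three paragraphs, as an added Go sketch (not code from Snapchat or from the original article): a copy cached by the service is readable by its operator when the sender encrypts to the service's key, and unreadable when the sender encrypts to the recipient's key. All names (`seal`, `open`, `sharedKey`, `Demo`) and the sample message are constructed for illustration, and hashing the X25519 secret stands in for a real KDF with authenticated public keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// seal encrypts msg with AES-256-GCM and prepends the random nonce.
func seal(key, msg []byte) []byte {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so no error
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, msg, nil)
}

// open returns the plaintext, or nil and an error for any key but the sealing key.
func open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// sharedKey hashes an X25519 shared secret into an AES key (simplified KDF, an assumption).
func sharedKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	secret, _ := priv.ECDH(peer)
	k := sha256.Sum256(secret)
	return k[:]
}

// Demo returns what the operator reads from its cache in each model, then what the recipient reads.
func Demo(snap []byte) (operatorServerModel, operatorE2E, recipient string) {
	service, _ := ecdh.X25519().GenerateKey(rand.Reader)
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	cacheA := seal(sharedKey(alice, service.PublicKey()), snap) // sender encrypts to the service
	cacheB := seal(sharedKey(alice, bob.PublicKey()), snap) // sender encrypts to Bob only
	opKey := sharedKey(service, alice.PublicKey()) // the only key the operator can derive
	opA, _ := open(opKey, cacheA)
	opB, _ := open(opKey, cacheB)
	got, _ := open(sharedKey(bob, alice.PublicKey()), cacheB)
	return string(opA), string(opB), string(got)
}

func main() { fmt.Println(Demo([]byte("constructed sample snap"))) }
```

In both models the service can keep the blob after the message "self-destructs"; only in the second is that retained copy useless to the operator or to anyone who obtains its keys and cache.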

The bottom line is that you shouldn't expect your messages to be completely self-destructed, and you should know that there may be a chance the images were saved somewhere. Until Snapchat adds end-to-end encryption, such a chance, however small, will always exist.

Snapchat has even had issues in the past with the self-destruction itself. Researchers discovered last year that the self-destructed images were actually saved in a directory called received_image_snaps on Android.

Last year, 4.6 million usernames and phone numbers also leaked online due to the weak security design of Snapchat's username discovery API. The company got in trouble with the FTC as well, and it was forced to admit that the self-destructing images claim was actually "false."

Although the current hacking happened to a third-party service and not to Snapchat's servers, it seems Snapchat keeps getting into security troubles. The reason is that the service doesn't have security solid enough to have prevented supposedly private/self-destructing images from leaking to other websites.

Snapchat's users have a certain expectation about the service. Many are using it because they think it's a much more secure alternative to WhatsApp, Facebook Messenger, Google Hangouts, Skype or other chat apps. If it's not, then perhaps its users need to realize the app is no better than other weakly-secured chat apps out there.

The fact that 50 percent of Snapchat users are between 13 and 17 years old (and are sending each other potentially very private photos of themselves) makes securing the messages, even against the company itself through end-to-end encryption, that much more important.

The company shouldn't want pictures of minors leaked on the web, and it should adopt the maximum amount of protection for those pictures if it's going to continue to claim that the photos sent using its app are private and disappear forever, from all places.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • ddpruitt
    If you actually believed that the Snapchat messages are secure you're a moron. There are more security holes in this model than a block of swiss cheese.
  • Christopher1
    End to end encryption, as the article states, is a MUST if things are truly going to be secure and it should be a relatively high encryption..... 2056-bit at least.
  • SnappeningLeak
    Scary stuff....
    http://thesnappening.info
  • NightLight
    the word "duh" comes to mind...
  • master9716
    I'm waiting on the Miesha Tate photos but they haven't released them yet!!!!!!!!
  • cypeq
    this will take roll or two
  • cypeq
    good luck with 2056 bit encryption you'll have fbi and nsa at your door at 1k