
Snapchat warns users outside apps 'can't be trusted'

Snapchat tells its more than 100 million users that some third-party apps pose a threat. But the photo-sharing service doesn't address why outsiders were able to connect to Snapchat in the first place.

Seth Rosenblatt Former Senior Writer / News


Snapchat cautioned its 100 million active users on Tuesday morning to stay away from any and all apps that claim to work with its messaging service.

Snapchat, which lets users share a photo or video that's deleted soon after the recipient sees it, has been under fire since last week. A third-party service that connected to Snapchat and allowed "snap" recipients to back up the photos and videos sent to them was hacked. More than 13 gigabytes of data -- most of it photos that Snapchat users had stored on the third-party site -- were stolen and made public, including tens of thousands of sexually explicit images. The hack affected about 200,000 Snapchat users.

Snapchat blamed the third-party services for putting Snapchat users at risk in a new blog post today. "It takes time and a lot of resources to build an open and trustworthy third-party application ecosystem," Snapchat wrote today. "That's why we haven't provided a public API to developers and why we prohibit access to the private API we use to provide our service."

This is the second time since the breach was reported that Snapchat has said third-party Snapchat services were at fault, and that users assume multiple risks by using them. On Friday, Snapchat told CNET News in a statement that its users were "victimized" by using third-party Snapchat services, which often back up the photos and videos posted to Snapchat without the sender's consent.

Snapchat told CNET News that third-party use of its API is "a practice that we expressly prohibit in our Terms of Use" because such services "compromise our users' security."

At least two independent security experts think Snapchat, founded in 2011, bears at least part of the responsibility for the hack. It should have secured its API in the first place, said Chris Eng, vice president of research at computer-security research firm Veracode. Snapchat "absolutely could" have better security, he said.

"They are using Terms of Service instead of having strong security in place," Eng told CNET. "From a security perspective [that] has zero effectiveness...they are trying to do the absolute bare minimum without considering how effective it is."

Patrick Wardle, director of research at security-intelligence firm Synack, said that part of the problem is that all APIs -- including Snapchat's -- are designed to have services connect to them. If a third-party service knows how an API is built, all it needs are user login credentials to connect to the service.

"Whether or not the API is public or private, if users are providing their account information then hackers can still make use of the API to access user content," Wardle said. End-to-end encryption, which is used to protect electronic messages from being spied on, would help Snapchat ensure not only user privacy but also limit API access, Wardle said.
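The two points Wardle makes above, that a private API is no barrier to a service holding the user's own credentials and that end-to-end encryption would limit what such a service can obtain, can be shown with a small simulation. The code below is an added illustration, not Snapchat's or Snapsaved's code: `ToyServer`, `third_party_backup` and the SHA-256 counter-mode `stream_xor` are constructed stand-ins (the key exchange between sender and recipient is assumed to have happened out of band, and a real app would use AES-GCM or libsodium rather than this toy stream cipher).

```python
import hashlib
import secrets

# Constructed demo: a toy message server, a third-party "backup" client that
# logs in with the user's own credentials, and an end-to-end encrypted variant.

SNAP = b"photo-bytes-of-a-snap"  # constructed sample content


class ToyServer:
    """Minimal stand-in for a photo-messaging backend with a 'private' API."""

    def __init__(self):
        self._passwords = {}  # username -> password (plain for brevity; toy only)
        self._inbox = {}      # username -> list of stored snaps (bytes)

    def register(self, user, password):
        self._passwords[user] = password

    def send(self, recipient, blob):
        self._inbox.setdefault(recipient, []).append(blob)

    def fetch_inbox(self, user, password):
        # The API cannot tell the official client from a backup service:
        # anything presenting valid credentials is served the same data.
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return list(self._inbox.get(user, []))


def third_party_backup(server, user, password):
    """What a 'backup' service obtains once a user hands it their login."""
    return server.fetch_inbox(user, password)


def stream_xor(key, nonce, data):
    """Toy PRF-based stream cipher (SHA-256 in counter mode), illustration only.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        chunk = data[i:i + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def demo_without_e2e():
    """Server stores plaintext: the backup service gets the readable snap."""
    server = ToyServer()
    server.register("alice", "hunter2")
    server.send("alice", SNAP)
    return third_party_backup(server, "alice", "hunter2")


def demo_with_e2e():
    """Sender encrypts to the recipient's device key before upload, so the
    server, and any service logging in with Alice's password, only ever
    holds ciphertext. Returns (what the backup service got, what Alice's
    own device decrypts)."""
    server = ToyServer()
    server.register("alice", "hunter2")
    device_key = secrets.token_bytes(32)  # exists only on Alice's device (assumed exchanged out of band)
    nonce = secrets.token_bytes(16)
    server.send("alice", nonce + stream_xor(device_key, nonce, SNAP))
    leaked = third_party_backup(server, "alice", "hunter2")
    blob = leaked[0]
    readable = stream_xor(device_key, blob[:16], blob[16:])  # Alice's device holds the key
    return leaked, readable


if __name__ == "__main__":
    print("without E2E, backup service sees:", demo_without_e2e())
    leaked, readable = demo_with_e2e()
    print("with E2E, backup service sees:", leaked)
    print("with E2E, recipient device reads:", readable)
```

The credential check in `fetch_inbox` is the whole of what a "private" API enforces: the server never learns which program typed the password. Only the second scenario removes the readable content from the server side, which is why a backup service that is compromised, as Snapsaved was, would then hold nothing a thief could publish.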

Snapchat didn't respond to a request for comment.

The stolen photos and videos were taken from an unauthorized third-party Snapchat service called Snapsaved, which backed up users' "snaps." Snapsaved, one of many unauthorized third-party Snapchat services, shut down several months ago. Snapsaved said it was to blame for the hack in a Facebook post on Saturday. It said 500 megabytes of photos and videos had been stolen, not 13 gigabytes.

Complicating the hack, at least one estimate says half of Snapchat's users are teenagers between 13 and 17 years old, and many of the photos and videos are rumored to be sexually explicit. Snapchat isn't saying how many of the photos were sexually explicit, and neither is Snapsaved. But one user of the popular Internet community Reddit said that of the 13 gigabytes of stolen snaps, around 100 megabytes were pornographic photos and videos. That still translates into tens of thousands of images.

Since its debut, Snapchat has become the third-most popular social media app in the US, behind Facebook and Facebook's photo-sharing service Instagram, because of its ability to automatically delete messages. Facebook reportedly tried to buy the startup for $3 billion last year.

The Snapsaved hack follows September's attack against Apple's iCloud service, which targeted photos of celebrities, including actress Jennifer Lawrence, in sexually explicit situations. Lawrence told Vanity Fair that the iCloud hack isn't "a scandal. It is a sex crime," and attacked the sites that posted the stolen photos and called them "disgusting."

CNET staff writer Ian Sherr contributed to this report.

Updated at 2:18 p.m. PT with comment from Patrick Wardle.