The Vulnerability of Snapchat
The year 2011 marked the creation of the popular smartphone application Snapchat. The app allows users to send and recieve photographs and videos to and from other users. Once a picture or video on the app has been opened, it will expire after a designated amount time from the phone of the recipient and the Snapchat server itself; a picture can be set to last from one to ten seconds and a video expires after it is played. The app also contains a chat feature; chats from user to user disappear over time, usually after the app is closed and reopened. If a user wants to reopen one of the pictures or videos they receive, they have the option of replaying it within a few seconds of opening it for the first time. This can only be done once every twenty-four hours. The app sends about 700 million photos and videos a day, with over half of the users being between the ages thirteen and seventeen.
In 2012, apps begin to appear on smartphone marketplaces under various names such as SnapSave and Snap Spy. These apps not only offered a user with a Snapchat account the ability to save the photos and videos they received on Snapchat, but it allowed them to do so without alerting the sender. Photos or videos saved through this method could then be stored and distributed by the recipient for whatever purposes they desired.
In October of 2014, an event brought this problem to light in the form of a huge collection of data from Snapchat (stored on a third-party apps website) being released. This mass leak of data from Snapchat, was dubbed the Snappening (a conjunction of the words Snapchat and Happening). An exploit in the website, known as SnapSaved led to a data breach that resulted in the release of around 12.7 Gigabytes of data, roughly translating to around 88,521 images and 9,173 videos. While it is unknown what percentage of this data contained pornographic or suggestive material, the sheer amount of data released is overwhelming.
Alarming rumors soon spread on 4Chan that databases were under construction to link the information to individuals. Security experts proved these rumors false, finding it close to impossible to link the files to specific Snapchat usernames, with the exception of 320 usernames for which files had been saved in an alternative naming format.
Snapchat would later comment on the leak by blaming third party apps that bypassed the Snapchats security features:
“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”
Owners of the third-party app SnapSaved disputed that it was the source of the leak. In a post on its Facebook account the company announced that only 500 mb of information had been stolen from its servers. Regardless of how much information was gathered and from where, the fact that many users of Snapchat are underage qualifies some of the contents of the leak as child pornography. This led to Reddit banning many of the discussion boards that featured the file containing images from the Snappening.