Members
of anonymous online message boards claim to have accessed hundreds of
thousands of private photographs shared on Snapchat, a popular photo
sharing service, just weeks after a celebrity hacking scandal drew
increased attention to online privacy concerns.
But the photos do not appear to have come directly from Snapchat.
Instead, the
collection of photos of noncelebrities, which some claim is as big as
200,000, appears to have come from the accounts of people using
Snapsaved, a smartphone tool that its creators said would allow users to
store photos from their Snapchat accounts that normally disappear after
10 seconds.
At least one person on
the anonymous online messaging forum 4chan claimed to have accessed
Snapsaved’s storage servers to gain access to the photos, saying links
to allow anyone to download the images would be posted online.
News of the photos
began circulating widely after Kenny Withers, a social media strategist
from Vancouver, Wash., began blogging about the message board
discussions. It is not currently possible to confirm the authenticity of
the claims being made on 4chan.
Snapsaved itself is a
bit of a mystery. It is not affiliated with Snapchat and it is not
immediately clear who created it. The web address for Snapsaved.com does
not appear to be working. Earlier, it was redirecting traffic to an
obscure e-commerce site.
It also does not
appear that Snapsaved was ever available on the Google Play app store.
To install it, users would probably have had to go directly to the
Snapsaved site — something Google strongly discourages because of
security concerns.
The Internet address
Snapsaved.com was registered on Oct. 17, 2013, and was set to expire on
Oct. 17, 2014 — next week. There was no response to an email sent to a
Facebook account for Snapsaved, which was created a week after the
domain name was registered. The Facebook page has not been updated since
March 2014.
The registrant of an
Internet address can typically be identified through what is called a
“Whois” search. But the registrant of Snapsaved.com used a service
meant to conceal the identity of an address’s owner.
Questions arose as to
which application was the origin of the alleged theft. In a footnote at
the bottom of Snapsaved.com, the creator of the site listed it as
SnapSave Online Inc. 2013, which is similar to another app with an
almost identical name: Snapsave.
Georgie Casey, the creator of Snapsave, said that no photos had come from his service, and directed queries to Snapsaved.
“My app just saves Snaps to your Android phone, nothing is ever sent to my server,” Mr. Casey said.
A week before the Snapsaved.com website was registered, a number of news sites wrote about Mr. Casey’s app and another, similar app.
Snapchat said on Friday that, if the cache of photos was real, they did not come from Snapchat.
“We can confirm that
Snapchat’s servers were never breached and were not the source of these
leaks,” a Snapchat spokeswoman said in a statement. “Snapchatters were
victimized by their use of third-party apps to send and receive Snaps, a
practice that we expressly prohibit in our Terms of Use precisely
because they compromise our users’ security.”
“We vigilantly monitor
the App Store and Google Play for illegal third-party apps and have
succeeded in getting many of these removed,” she added.
Though Snapchat has
said its servers have not been compromised, some security experts
say the messaging start-up still bears some responsibility, at least to
better educate its users.
“For mobile
applications like Snapchat, consumers are not aware of the risks with
using these associated third-party apps, and do not have security in
mind,” said Chris Wysopal, chief technical officer at Veracode, an
application security company. “Without an independent security review,
there is not much Snapchat can do here except try to ban vulnerable or
malicious third party apps that put their users at risk.”
Other security
researchers see the incident as a cautionary tale for non-Internet-savvy
users who may be too willing to hand over their private information.
“You’re still sending a
photo to another end user,” said Patrick Wardle, director of research
at Synack, an application security firm. “Once you send off that photo,
they can do whatever they want with it.”
Snapchat has had
issues with its security. In January, the start-up received intense
criticism after a third-party application was able to expose the names
and phone numbers of nearly five million Snapchat users. Snapchat had
been warned by security researchers of a vulnerability in its security.
At the time, the company dismissed the concerns.
The allegations come
not long after a group of hackers stole private photos from a number of
celebrity accounts on Apple, and used online web forums like 4chan and
Reddit to distribute the stolen content. Apple faced intense criticism
in the wake of the theft. The actress Jennifer Lawrence, one of the
celebrities whose photos were stolen, called the acts “a sex crime.”
News of the stolen
Snapchat photos spread over the past week, as an unidentified 4chan
member claimed to have obtained the photos, saying links to access
them would be released late Thursday evening.
Mr. Casey of Snapsave said he had been wary of the Snapsaved site when he first saw it.
“I came across it
first around April 2014 and it had something like 100 Facebook likes,”
Mr. Casey said. “I assumed no users would be stupid enough to enter
their log-ins on a random website, but your average Snapchat user isn’t
very tech savvy.”