November 26, 2014

It's Snappening: What the Snapchat Hack Teaches Us about Third-Party AppSec

Snapchat: This love-it-or-hate-it app, famous for turning down 3 billion of Facebook's dollars and infamous for being the easiest way yet to send risqué photos, is in an interesting place. It's theoretically worth a lot, it's on almost everyone's phone, and it has virtually no infrastructure. The company seems to embrace glitches, flaunting its kitschy (or just downright bad) coding as part of the Snapchat experience. If it doesn't last very long, why spend much time on it? Well, I can think of a few good reasons — but I digress.

The Snapchat Hack: What's Snappening?

In the last few weeks, hackers have boasted online about "The Snappening," a Snapchat data breach from which they obtained hundreds of thousands of stored Snaps. Snapchat has deflected responsibility, claiming that the hackers used third-party Snap-storage apps to gain access to users' accounts — a blatant violation of the app's terms of use.

This is interesting for several reasons. First of all, how many of us violate apps' terms of use on a daily basis? Tweet schedulers, plug-ins and embedded links, oh my! Innocuous though they may be, one bad third-party app(le) can spoil the whole bunch. So it goes with Snapchat, whose proliferation of spin-off apps — each promising to invisibly save all the Snaps you receive — led to a critical data breach. On the one hand, there is little sensitive information stored in these fleeting images that could lead to long-term headaches. On the other, our likenesses, nude or covered in squiggly Microsoft Paint-esque drawings, are considered personal. My credit card company can restore my lost funds, but not my dignity.

The problems specific to The Snappening are nuanced, but the greater issue they point to is a big one: Whose problem is it when third-party apps lead to breaches in major networks? Often users are required to enter their usernames and passwords into these applications while dismissively checking off all the user agreements and waivers that grant access to everything and take responsibility for nothing. Today it's your selfies, tomorrow it's your Twitter account, the next day, who knows?

. . . And Who's to Blame?

The plot thickened soon after news of the breach, as the (allegedly) culpable third-party app, Snapsave, denied responsibility, claiming that usernames and passwords were not required for its app. Cached screenshots of older versions proved this to be false, which points to a halfhearted attempt at a cover-up. Later, Snapsave admins corrected their earlier denial, admitting that their library was compromised while attempting to downplay the amount of information accessible. This should give us pause as we trust third-party applications to protect our data with the same vigilance as the main apps we're augmenting. The reputation of major social networks is worth a lot more than some piggyback app built by a random guy in his free time, so they go to much greater lengths to protect their users. The Snappening is a frightening reminder of why we must guard our networks and vet all third-party applications and processes.

As hackers continue to prove every day, a single set of valid credentials is often all it takes to infiltrate an entire network. Since many computer users insist on using one or two passwords for everything, a Snapchat hack might grant password access to other personal information, such as your e-mail or network credentials. An earlier Snapchat incident already showed that usernames could be matched to phone numbers in bulk, and the internet is, by nature, interconnected. We log into social networks with our e-mail addresses, and into apps with account information from our social networks. The risk of third-party plug-ins is real, and the solution is complicated.
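The risk this paragraph and the earlier one describe, handing a third-party app your actual username and password, can be made concrete. The Python below is an added example and is not code from the original post, from Snapchat or from any third-party app; the two services, the user "alice", her reused password and the "snap saver" add-on are all constructed for the simulation. The "token" mode models a delegated, revocable access design as the alternative; it is not a description of what Snapchat offered at the time.

```python
"""Added example, not from the original post: a constructed simulation of the blast radius
when a third-party 'snap saver' is breached. Every service, user and password is made up."""
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2, so a dump of the first-party service itself yields no passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Service:
    """Stands in for a first-party account system (the photo app, a webmail provider)."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, hash)
        self.tokens: dict[str, tuple[str, str]] = {}     # token -> (username, scope)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def issue_token(self, username: str, password: str, scope: str) -> str:
        """Delegated access: authenticate once, hand the caller a scoped bearer token."""
        if not self.login(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, scope)
        return token

    def revoke_tokens(self, username: str) -> None:
        """The first party's incident response: kill every delegated token for the account."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != username}

    def read_snaps(self, token: str) -> bool:
        return token in self.tokens and self.tokens[token][1] in ("read", "full")


class ThirdPartyApp:
    """Hypothetical 'save every snap' add-on. 'password' mode stores the user's real
    credentials (what the article says older builds asked for); 'token' mode keeps only
    a read-scoped token from the first party."""

    def __init__(self, mode: str) -> None:
        assert mode in ("password", "token")
        self.mode = mode
        self.store: list[dict[str, str]] = []

    def connect(self, primary: Service, username: str, password: str) -> None:
        if self.mode == "password":
            self.store.append({"user": username, "password": password})
        else:
            self.store.append({"user": username,
                               "token": primary.issue_token(username, password, "read")})

    def dump(self) -> list[dict[str, str]]:
        """What a breach of the third party's server hands the attacker."""
        return list(self.store)


def attacker_can_read(snaps: Service, user: str, pw, tok) -> bool:
    """pw/tok are str or None. With a real password the attacker logs in and mints a fresh
    session; with only a leaked token they get whatever that token still allows."""
    if pw is not None and snaps.login(user, pw):
        tok = snaps.issue_token(user, pw, "full")
    return tok is not None and snaps.read_snaps(tok)


def blast_radius(mode: str) -> dict[str, bool]:
    """Constructed scenario: one user who reuses one password, one breached add-on."""
    snaps, mail = Service(), Service()
    snaps.register("alice", "Tr0ub4dor&3")
    mail.register("alice@example.com", "Tr0ub4dor&3")   # same password reused on e-mail
    app = ThirdPartyApp(mode)
    app.connect(snaps, "alice", "Tr0ub4dor&3")

    leaked = app.dump()[0]                      # the attacker's haul from the add-on
    pw, tok = leaked.get("password"), leaked.get("token")
    result = {
        "primary_login": pw is not None and snaps.login("alice", pw),
        "email_takeover": pw is not None and mail.login("alice@example.com", pw),
        "read_snaps_now": attacker_can_read(snaps, "alice", pw, tok),
    }
    snaps.revoke_tokens("alice")                # first party notices and revokes delegation
    result["read_snaps_after_revocation"] = attacker_can_read(snaps, "alice", pw, tok)
    return result


if __name__ == "__main__":
    for mode in ("password", "token"):
        print(mode, blast_radius(mode))
```

In "password" mode the dump gives the attacker the primary account, the e-mail account that shares the password, and continued access to snaps even after the first party revokes every token, because they simply log in again. In "token" mode the same dump yields only snap reads, and those stop at revocation. The caveat a practitioner should keep in mind: an add-on that has to replay your password to the primary service cannot store it hashed the way the first party does; it must keep it in recoverable form, which is exactly what makes its server the soft target.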

Comprehensive Security Is Key

Within networks, a comprehensive security solution should offer full third-party vetting, block an application or its features if they do not meet requirements, and make users aware of potential problems when they seek to download new, untrusted software. Education is also critical to preventing such basic, potentially catastrophic problems. Requiring long, unique passwords inside of sensitive networks is a pain for individual users but a major step toward the greater good. Complexity rules alone do not stop reuse; the point is to make your network password one that users will not (and cannot easily) repeat for their Snapchat and Buffer accounts. That way, when The Buffet occurs, you will be protected.

Photo Source: John Montesi (Author)

John is a B2B and SaaS expert who likes to explain complex concepts using cute animals and cocktail napkins. He believes that content marketing is the future and sometimes ghost writes, but he can never prove it.
