Hackers have been collecting nudes off Snapchat for years

[Dan Druff]

Kids today....

Snapchat is a popular app where you send pictures/videos of yourself to people which "expire". Teens like using Snapchat to send nudes, because they naively believe that their pics and videos will really vanish seconds after being seen.

I always thought this was idiotic. Even someone with no technical skill can easily use a second device to "take a picture of a picture" and save the video/picture permanently.

Always felt that Snapchat gave these idiotic kids an incorrect illusion of security.

And it's much worse than I imagined.

Turns out hackers have claimed to have infiltrated Snapchat years ago, and have been storing many files to have passed through the service for years.

A massive 13 GB data dump was just released on Thursday, and will soon be indexed and made available to the public, including pics of underage teens.

Whoops.

http://www.businessinsider.com/snapc...pening-2014-10

[Dan Druff]

Also in January, hackers found a way to match phone numbers with user names on the app, and released a list of 4.6 million of them.

Ooooops.

http://www.businessinsider.com/snapc...apology-2014-1

[DirtyB]

Turns out hackers have claimed to have infiltrated Snapchat years ago, and have been storing many files to have passed through the service for years.

It doesn't look like Snapchat, the company, had anything to do with it.

"A third-party Snapchat client app has been collecting every single photo and video file sent through it for years, giving hackers access to a 13GB library of Snapchats that users thought had been deleted."

The only people who got burned are people who went to snapsaved.com, specifically trying to save pictures that Snapchat was trying to delete- and unfortunately the people who were sending them pictures. 13GB is a lot of pictures, but it's probably 60 seconds of what the actual Snapchat servers get.

What confuses me is why Snapchat would have third party clients. Companies open up their interfaces so that other people will essential do development work for free, and save the company the expense. But Snapchat has an official client. And if the whole purpose of your service involves the forced deletion of files, it seems like having complete control of the client is important.

[sonatine]

Yeah not to defend Snapchat's security but this had nothing to do with Snapchat, its a 3rd party app that took the Snapchat API and modified it so you could save pics you receive.

[BeerAndPoker]

Well... they haven't made great night vision web cams yet or else everyone's computer gets hacked into and everyone's cock or pussy is on the net.

[sonatine]

What confuses me is why Snapchat would have third party clients. Companies open up their interfaces so that other people will essential do development work for free, and save the company the expense. But Snapchat has an official client. And if the whole purpose of your service involves the forced deletion of files, it seems like having complete control of the client is important.

How do you confirm the integrity of an application remotely? Especially one as unsophisticated as Snapchat. Its just a bunch of very simple, very straight forward API calls:

http://gibsonsec.org/snapchat/fulldisclosure/

nahmean?

The only way you could get anywhere would be doing like hash checksum of the client binary and using that as some sort of salt, but then you have issues with people running older clients/newer clients.. plus one could do end-runs around the checksum routine in memory, soo...

[Dan Druff]

Yeah I saw after I made this post that it was a third party app.

But didn't the snapsaved site also victimize people who SENT pics to people running it? So like you could have used the regular Snapchat app, someone on snapsaved received it, and then your picture ends up on 4chan. So that's still pretty bad.

[zealanddonk]

Turns out hackers have claimed to have infiltrated Snapchat years ago, and have been storing many files to have passed through the service for years.

It doesn't look like Snapchat, the company, had anything to do with it.

Druff prefers the sensationalised headlines RIGHT NOW and maybe apologising a little later. Much like how British pokerstars players wont be able to play ROW and and and.

[chinamaniac]

Even someone with no technical skill can easily use a second device to "take a picture of a picture" and save the video/picture permanently.

Easier to just screenshot it without the second device

[sonatine]

Yeah I saw after I made this post that it was a third party app.

But didn't the snapsaved site also victimize people who SENT pics to people running it? So like you could have used the regular Snapchat app, someone on snapsaved received it, and then your picture ends up on 4chan. So that's still pretty bad.

i dont have the technical details but the path of least resistance would be to have snapsave authenticate off the main snapchat servers, receive updates from the main snapchat servers, download images from the main snapchat servers, but _send_ images to other users by proxying the image, destination address, and session key through an arbitrary host...

lots of ways to skin that cat, is my point. up to and including sending everything direct through the main hosts and simply resending a copy of everything sent and received to an attack server. id imagine someone would catch that shit fast tho...

[Brittney Griner's Clit]

yeah... hackers...

[DJ_Chaps]

yeah... hackers...

[Baron Von Strucker]

again not one fucking pic, title of thread had lots of potential and than..... flat tire nothing.

good night.

[Dan Druff]

again not one fucking pic, title of thread had lots of potential and than..... flat tire nothing.

good night.

Most of those pics I wouldn't allow here anyway, as the people featured would primarily be under 18.

[tyde]

Yeah I saw after I made this post that it was a third party app.

But didn't the snapsaved site also victimize people who SENT pics to people running it? So like you could have used the regular Snapchat app, someone on snapsaved received it, and then your picture ends up on 4chan. So that's still pretty bad.

Todd please stop pretending that you're an expert master hacker/programmer even close to being in the same league as Sonatine

its like comparing Pop Warner to the NFL

[lewfather]

Even someone with no technical skill can easily use a second device to "take a picture of a picture" and save the video/picture permanently.

Easier to just screenshot it without the second device

It sends a notification that your picture was screenshot to the person that took the picture

[Dan Druff]

Yeah I saw after I made this post that it was a third party app.

But didn't the snapsaved site also victimize people who SENT pics to people running it? So like you could have used the regular Snapchat app, someone on snapsaved received it, and then your picture ends up on 4chan. So that's still pretty bad.

Todd please stop pretending that you're an expert master hacker/programmer even close to being in the same league as Sonatine

its like comparing Pop Warner to the NFL

Let's not start this crap again, Marty.

This Pop Warner quarterback demonstrated plenty on your own various sites, so I would think you'd be be the last person hitting be with this line of trolling.

The truth is that I just skimmed the article and posted it here, which is why I initially left out the important detail that it was a third party app involved.

[sonatine]

Easier to just screenshot it without the second device

It sends a notification that your picture was screenshot to the person that took the picture

in generic terms this is correct.

but in terms of street level sneaky shit, it is not entirely true.

example; if you call the API for screensave, then the application recognizes that and phones it in.

but if you install a third party app that defines the screensave API from the ground up with a new name, a new function key to spawn it, i do not believe that would be caught by the app and reported.

[sonatine]

also druff and i have the EXACT same amount of rep.


EXACT.


DEAL WITH THAT NERDS.

[Seth]

Todd please stop pretending that you're an expert master hacker/programmer even close to being in the same league as Sonatine

its like comparing Pop Warner to the NFL

Let's not start this crap again, Marty.

This Pop Warner quarterback demonstrated plenty on your own various sites, so I would think you'd be be the last person hitting be with this line of trolling.

The truth is that I just skimmed the article and posted it here, which is why I initially left out the important detail that it was a third party app involved.

You do realize you are communicating with a guy whose neighbor is punching stray dogs in the stomach?