In response to the most recent Snapchat leak —now called “The Snappening” in homage to the recent leak of celebrity nudes — a statement has been posted on the company blog regarding the unlawful use of its unofficial API. And in classic Snapchat fashion, the company is taking almost zero responsibility.
Last week, a third-party application called Snapsaved that uses a reverse engineered Snapchat API was hacked, leading to a leak of over 500MB images from Snapchat users. While Snapsaved is most certainly and admittedly responsible for the latest breach, the Snappening (among other past indiscretions) has raised the question of whether or not Snapchat has done enough to prevent third-party applications from accessing its API.
As explained here Snapchat has never officially allowed a third-party applications to access its API, though it isn’t difficult to reverse engineer. An official API or application programming interface, is often used to allow third-party apps to access services like Twitter or Facebook, but Snapchat doesn’t provide one — so programmers figure out the characteristics on their own and create unofficial clones or utilities that send data over Snapchat’s network.
What does matter is that third-party applications do have access to Snapchat photos, and Snapchat can do almost nothing about it. Snapchat’s photo security will always be in question while these third-party apps take advantage of an un-regulated API.
This is the curse of many social services that make it to the big leagues. That is why many of these services, like Twitter and Facebook and others, have developed official APIs, giving them the ability to track third-party applications and police their own platform with complete control.
Snapchat, as a young app, has yet to do that. In the past year, major announcements from the company focus on the expansion of their “Stories” product, which is most likely going to turn into a main source of revenue for the highly valued, non-revenue generating company.
According to the statement from Snapchat, the company is “excited by the interest in developing for the Snapchat platform” but “going to take [their] time to get it right.” No hint of a timeline or even mention of actively working on a private API, which, again, is the only way to actually solve the problem of third-party applications accessing user data and ultimately, taking responsibility for Snapchat’s community of users. Snapchat seems almost reluctant to do so.
Snapchat has urged users to stay away from any third-party application that claims to use or modify Snapchat services. They say that “a combination of common sense and security countermeasures” is the best way to keep the community safe. Again, no mention of responsibility for the mess.
Unfortunately, even users who never downloaded or use a third-party Snapchat application can still be punished or violated by other users who have made the unfortunate mistake (or malicious decision) of using a third-party app. These apps are viruses in the ecosystem, such as it is.
Even if the apps themselves have no ill intent, crappy decisions about storing images or security can expose user data — in this case photos that they would have liked to have remained private or disappeared forever.
In a statement to the Verge yesterday, Snapchat made sure to iterate that it’s totally against the rules to use a third-party app (something they have zero control over).
Snapchatters were victimized by their use of third-party apps to send and receive snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.
So, remember, you’re actually a rule breaker and probably a bad person if you’re using third-party Snapchat applications. You’re risking your own security and the security of others. It’s you. Not Snapchat.
It’s also against Snapchat’s Terms of Service to unofficially access the Snapchat API.
It’s interesting how, with the right product, and the right “brands” on board first, Snapchat users who are by definition a group of people interested in sharing disappearing content feel that Our Stories is more of a feature than an advertising channel.
In any case, security must become a top priority for Snapchat. The service is by no means built with security in mind. But people still do use it to send confidential and sensitive materials, even if those are a silly selfie. It’s most certainly designed and marketed as a “safe” space. Here, the difference between safety and security is paramount.
Snapchat is based around living in the moment, and sharing real experiences with other users no matter how close or far away they are. It’s about having a digital identity that matches up to your real-life identity and the way you really communicate. After all, conversations in the real-world aren’t tracked or recorded.
The point is not to make users feel like they can send highly classified documents and files over a secure, encrypted channel. The point is that users need to feel safe.
If you want to read Snapchat’s full statement regarding the Snappening, you can check out the blog post or read the transcript below. It’s my hope that this won’t be the last we hear about Snapchat security and I also hope these guys will finally do the right thing.
Over the past few days we’ve fielded a number of questions about our API and third-party applications after a website that offered to save Snaps indicated that their database had been breached. We are grateful that the service provider acknowledged that Snapchat was never compromised, but we wanted to use this as an opportunity to reiterate the unfortunate threats these third-party applications can pose to our community.
A third-party application is any application that accesses the Snapchat API, but hasn’t been built and maintained by our company. Given the popularity of Snapchat and the size of our community, it’s no surprise that a cottage industry of app-makers has popped up to provide additional services to Snapchatters. Unfortunately, these applications often ask for Snapchat login credentials and use them to send or receive snaps and access account information.
When you give your login credentials to a third-party application, you’re allowing a developer, and possibly a criminal, to access your account information and send information on your behalf.
It takes time and a lot of resources to build an open and trustworthy third-party application ecosystem. That’s why we haven’t provided a public API to developers and why we prohibit access to the private API we use to provide our service. Don’t get us wrong – we’re excited by the interest in developing for the Snapchat platform – but we’re going to take our time to get it right. Until then, that means any application that isn’t ours but claims to offer Snapchat services violates our Terms of Use and can’t be trusted.
Snapchat has always been a fun place to share Snaps with friends. The best way to keep our community safe is a combination of security countermeasures and common sense. We’ll continue to do our part by improving Snapchat’s security and calling on Apple and Google to take down third-party applications that access our API. You can help us out by avoiding the use of third-party applications.
Team Snapchat
Comment