How the App Learned Its Lessons
Section 1. Introduction
Snapchat is a popular mobile application that allows instant photo and video messaging. The feature that distinguishes Snapchat from Facebook Messenger, Viber, WhatsApp, and other messaging applications is the temporary nature of the recorded messages. The photos or videos of up to 10 seconds sent to Snapchat friends are automatically deleted after they are received and viewed. At least, that is what Snapchat developers claimed.
Because it is fun to use, Snapchat's popularity is growing rapidly among younger app consumers. Almost half of Snapchat users (45%) are in the 18-24 age group. More than one-third of U.S. teens (16-19) and more than half of Irish youngsters have installed Snapchat and use it for daily communication with their friends.
However, since its development began in 2011, the app has faced major cybersecurity challenges. At the end of 2013, Gibson Security published, and later updated, the Snapchat Security Disclosure, which detailed security vulnerabilities in Snapchat's architecture. The disclosure stressed that the indicated vulnerabilities could lead to a data breach.
A few months later, the personal credentials of 4.6 million U.S. Snapchat users, such as usernames and phone numbers, were published on the Internet. Responsibility for this incident was claimed by the website SnapchatDB.info, which presented the attack as a response to the previously identified weaknesses in the app's security.
Finally, in 2014, the U.S. Federal Trade Commission announced a suit against the app that included six complaints regarding Snapchat's data security and privacy issues. The app was accused of misrepresenting its privacy policies and deceiving users about its use of the service, data collection, and security measures. At the end of 2014, the final order settling the charges against Snapchat was approved. After the suit, Snapchat reached an agreement with the Federal Trade Commission and took reasonable measures to improve the app's data security.
This article will discuss a list of Snapchat security vulnerabilities identified during the investigation conducted by the U.S. Federal Trade Commission (Section 2). Moreover, the article will examine security measures taken by Snapchat in order to promote consumers’ privacy and regain the trust within its user community (Section 3). Finally, a conclusion is drawn (Section 4).
Section 2. Top 5 Snapchat Security Vulnerabilities
2.1 Saving photo and video messages
Snapchat markets its service as an instant messaging application that sends self-deleting messages, the so-called Snaps. Such messages should disappear forever once the time period set by the user expires. However, the Federal Trade Commission found this claim misleading, because several techniques allowed a recipient to keep photo or video messages indefinitely. For example, a recipient could use a file-browsing tool to reach the messages the app had stored. Before October 2013, the files of video messages were stored outside the application's storage area, so a user could connect the mobile device to a computer, browse its file system, and copy the video files. This vulnerability became public at the end of 2012, and it took Snapchat almost a year to mitigate it. After becoming aware of the vulnerability, Snapchat began encrypting the video files sent through the app.
Another method for saving photo and video messages used the app's API (application programming interface). By talking to the API directly, third-party developers could log into the service remotely without using the official Snapchat application. In 2013, a number of third-party applications were built around this API vulnerability. Apps that enabled downloading and saving received images were publicly available in app stores such as the iTunes App Store or Google Play. The Federal Trade Commission states that, during that period, "on Google Play alone, ten of these applications have been downloaded as many as 1.7 million times." Using the hacked API, one of the biggest cybercrimes related to Snapchat was committed: the operators of the website SnapSaved.com posted online 13 gigabytes of images stolen from Snapchat users, some of them of an intimate nature. Eventually, alarmed by this API vulnerability, Snapchat shut down the third-party application ecosystem in order to avoid similar information security breaches in the future.
The aforementioned message-saving techniques required no sophisticated technical skills, and the tools could be installed without modifying the Android or iOS operating system. Thus, such tools were easily accessible to a large number of users and left Snapchat users' data insecure.
2.2 Gathering geolocation information
2.3 Deceptive collection of information in “Find Friends” function
In order to build a user's network in the app, Snapchat offers to invite contacts through a function called "Find Friends." Currently, Snapchat friends can be added in four ways: (1) by username, (2) from the user's address book, (3) by Snapcode, or (4) by GPS signal, which identifies Snapchat users located nearby.
2.4 Security problems in “Find Friends” function
The Federal Trade Commission also pointed out that Snapchat failed to employ reasonable security measures to protect its users' personal information. Several early Snapchat features were highlighted for allowing unauthorized disclosure and misuse of users' personal information. For example, when the app first launched, individuals were not required to verify their telephone numbers during registration. Thus, fraudulent users could create fictitious accounts by providing other people's phone numbers during registration. Numerous Snapchat customers were misled by such accounts. Customer complaints submitted to the Federal Trade Commission described cases in which individuals sent photos and videos of a personal or intimate nature to what they believed were their friends' numbers; however, the Snapchat accounts associated with those numbers belonged to fraudulent users, so the personal information was unintentionally disclosed to strangers. Moreover, numerous app users complained that their own phone numbers were linked to fictitious Snapchat accounts that sent inappropriate or insulting messages.
To address this issue, at the end of 2012 Snapchat began using SMS (short message service) to verify the telephone number associated with a new Snapchat account. Currently, the app offers two options for verifying a new user during registration: sending a text message or placing a call to the provided phone number.
2.5 Phone freezing
Although the Federal Trade Commission did not address the flaw in Snapchat's security architecture that enables the remote freezing of users' mobile phones, this problem was widely reported in various media channels. A defect in the app's authorization system allows attackers to mount a denial-of-service attack that crashes users' smartphones by sending a large number of messages in a short period of time. Receiving many messages at once freezes the device and requires a reboot. For Apple iPhone users, this defect causes more harm than for Android users: on the Android operating system, such an incident only slows the device down but does not require a reboot. Snapchat has not yet addressed this technical issue.
Section 3. Security Measures Taken by Snapchat
In addition to the measures already discussed for eliminating Snapchat security vulnerabilities, such as verifying phone numbers and forbidding third-party apps from accessing users' information, the company has taken supplementary security measures. In order to demonstrate its strengthened commitment to privacy and regain the trust of its user community, the company began publishing a transparency report. The report, published every six months, lists governmental requests regarding users' account information, removal of content, and copyright infringement, and states how many of those requests were honored.
Additionally, in order to identify bugs in the app's architecture, Snapchat launched a bug bounty program that encourages security researchers to find and report vulnerabilities in Snapchat's applications. The developers are particularly interested in four categories of security bugs: (1) Server-Side Remote Code Execution, (2) Significant Authentication Bypass, (3) Unrestricted File System Access, and (4) XSS or XSRF With Significant Security Impact. Researchers who report these types of bugs are rewarded with up to $10,000.
Moreover, Snapchat introduced optional two-factor authentication to help secure users' accounts. It applies when a user logs into the Snapchat account from another device: such a login requires not only the account password but also a code sent by text message to the phone linked to the user's account.
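Both the phone-number verification described in Section 2.4 and the SMS second factor above rest on the same control: a short random code that is single-use, expires, and cannot be recovered by repeated guessing or abused to flood a number with texts. The following is an added example of that control, not Snapchat's code; `send_sms` stands in for a hypothetical SMS gateway, and the limits are illustrative values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300       # a code is valid for five minutes
MAX_VERIFY_ATTEMPTS = 5      # wrong guesses allowed before the code is discarded
MAX_SENDS_PER_HOUR = 3       # code requests allowed per phone number per hour

@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_VERIFY_ATTEMPTS

class PhoneVerifier:
    """Issues and checks one-time SMS codes to prove a registrant owns a phone number."""
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical gateway: callable(phone, text)
        self._now = now             # injectable clock, so expiry can be tested offline
        self._pending: dict[str, PendingCode] = {}
        self._send_log: dict[str, list[float]] = {}

    def request_code(self, phone: str) -> bool:
        """Send a fresh code unless this number has been hit too often (SMS-bombing guard)."""
        now = self._now()
        recent = [t for t in self._send_log.get(phone, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return False
        recent.append(now)
        self._send_log[phone] = recent
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self._pending[phone] = PendingCode(code, now + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your verification code is {code}")
        return True

    def verify(self, phone: str, submitted: str) -> bool:
        """True once, for the right code, before expiry and within the attempt budget."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[phone]    # stale code: force a new request
            return False
        entry.attempts_left -= 1
        # constant-time comparison; the isascii() guard keeps compare_digest from raising
        ok = submitted.isascii() and hmac.compare_digest(entry.code, submitted)
        if ok or entry.attempts_left <= 0:
            del self._pending[phone]    # single use; also burn it after too many guesses
        return ok
```

The same object serves a login second factor: request a code when a new device signs in, and accept the session only if `verify` returns True.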
Section 4. Conclusion
Snapchat is an immensely popular instant messaging platform that allows its users to interact via chat and self-destructing video and photo messages. However, since its creation in 2011, the app developers have gone through a series of incidents related to Snapchat’s security vulnerabilities.
This article has discussed five major Snapchat security vulnerabilities as highlighted by the U.S. Federal Trade Commission and media channels. Although Snapchat faced security issues concerning saving video and photo messages, gathering geolocation information, deceptive collection of information, insecure features, and phone freezing, its developers have successfully implemented the necessary security corrections and provided app users with additional security and transparency measures.
Thus, the security lessons learned by Snapchat can serve as a source of inspiration for future application developers. Moreover, such incidents can help to rethink current privacy norms and raise security awareness among mobile app consumers.
Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master's degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.