A breach of a third-party Snapchat site that allows users to bypass the app's privacy has led to the leaking of some 200,000 images to the internet, The Guardian reports.
The leak seems to affect users of a website called Snapsaved, which bypassed the app's intended 'self-destruct' functionality for pictures and images sent via mobile. According to The Guardian, this "had allowed people to log in using their Snapchat username and password to offer desktop-based rather than handset-based access to the site - and also the chance to store photos, which are meant to be deleted within seconds of being viewed."
ZDNet reports the breach has resulted in 13GB of stolen photographs, but the creators of the app deny this was a breach of Snapchat's servers, pointing the finger of blame at third parties: "We can confirm that Snapchat's servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third party apps to send and receive Snaps, a practice we explicitly prohibit in our terms of use precisely because they compromise our users' security."
The app has a reputation for being used by teens to send sexually explicit content, with The Huffington Post noting that "police and children's charities have previously warned teenagers of the dangers of using the app to send explicit images". With a sizable portion of the app's userbase between the ages of 13 and 17, The Guardian observes that: "anyone downloading the files could be breaking child pornography laws if any of the pictures included unclothed pictures of children under 16 even if the child took them."
How the leak came about is still unclear. The Guardian reports that an anonymous post on Pastebin initially claimed that "the administrator of Snapsaved had provided one or more hackers with a way to browse the content of the site". However, this was quickly rebutted by a post on the site's Facebook page which dismissed the accusation: "I would like to inform the public that snapsaved.com was hacked, the dictionary index the poster is referring to was never publicly available. We had a misconfiguration in our Apache server."
According to ESET Distinguished Researcher Aryeh Goretsky, quoted in USA Today, whether or not the incident turns out to be one of 4chan's elaborate hoaxes, this is a timely reminder that "app users need to practice restraint. It is important to keep in mind that while an initial product or service may be quite secure, plug-ins, add-ons, extensions and third-party offerings used with it may not be subject to the same high levels of security, reliability or confidentiality."
Although this particular breach does not seem to have come from Snapchat, it's not the first time Snapchat's website security has come into question. Back in January we reported on a leak of 4.6 million Snapchat users with phone numbers matched to usernames. And in May of this year, Snapchat agreed to settle Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of messages sent through the service (you can find more details on the FTC website). As part of that settlement order, Snapchat was required to create and maintain a comprehensive privacy program. Compliance with the order will be audited every two years for 20 years; see the full terms of the FTC privacy order (PDF).