One of upstart photo-sharing service Snapchat‘s biggest selling points is its supposed security—a picture disappears immediately upon being sent, you’re notified if your photo gets screencapped, nothing is public, etc. There have been privacy issues in the past: you could cheat by pressing the home button while you save an image, and you could download a sketchy app that saves photos without notifying your partner.
Now a security advisory posted online earlier this week by the Australia-based white-hat hacker group Gibson Security claims the fledgling social network is far from secure, noting that someone with the requisite know how could collect Snapchat users’ names, email addresses and phone numbers, view and then save someone’s unread messages, send denial of service attacks that could momentarily crippe a user’s device and even completely replace sent images.
The problem, charges Gibson, is in the API used by Snapchat. Basically, an API is the set of instructions that allows one computer program to use data created by another computer program. Taking advantage of what the group called the “find friends exploit,” the group explained that interested parties could gain access to information sent over Snapchat that most users would quite naturally assume is both private and completely secure.
“This vulnerability could hypothetically be used to stalk members of society, such as public figures or the data could even be sold to various firms, with the intent of using it and other data to connect online profiles to people in real life,” explained Gibson Security, which noted that one of its researchers applied for a software developer job at Snapchat offering to fix some of these security flaws, but never got a response.
In addition to noting that their exploration of Snapchat’s API led them to the conclusion that the firm is planning on rolling out native advertising as a first step toward sensitization sometime in the near future (unsurprising given the two-year old company’s recent $860 million valuation), Gibson Security charged that Snapchat’s method of protecting its messages was “possibly one of the least effective modes of encryption.”
Representatives at Snapchat did not immediately respond to request for comment.
“Snapchat [sic] are in a world where some (if not most) of their users are placing trust in the security behind the app,” charged Gibson Security, “they can’t fall short on securing their application.”
This round of criticism isn’t the first time that Snapchat has been slammed for its app’s security being considerably lower than advertised. Late last year, BuzzFeed revealed that Snapchat videos are saved in a device’s cache and, by plugging said device into a computer, users can permanently save unwatched videos to their hard drive.
On top of that, Utah-based Decipher Forensics claimed it has devised a method of recovering previously viewed Snapchat messages, supposedly lost and gone forever, because, according to the forensics experts who figuratively cracked Snapchat’s code, the app doesn’t actually delete pictures and video after being viewed—instead, it merely changes the file extension.
A forensics examiner with Decipher joked that “pictures taken through the basic camera on an Android phone were actually more difficult to trace than the Snapchat photos.”
“The people who most enjoy using Snapchat are those who embrace the spirit and intent of the service,” Snapchat CEO Evan Spiegel countered when Buzzfeed confronted him with the cache issue. “There will always be ways to reverse engineer technology products—but that spoils the fun!”