By now we have all heard about “The Snappening”—hyped as a high-profile data breach involving the photo-sharing application Snapchat. Virtually every news outlet on the web is writing about it. Some publications were quick to blast Snapchat based upon rumor and speculation, much of which has turned out to be inaccurate like the fallacious early claims of child pornography. The vague, inconsistent, and unconfirmable information surrounding the Snappening caught our interest. We decided to dig in and see if we could shed light on this confusing, media-hyped event. We discovered this is not much different from the threats that all major brand presences face online, today.
One of the primary things we do at RiskIQ is scan, catalogue and analyze applications in mobile application stores and across the web at large, looking for rogue and/or malicious apps targeting a company’s brand and its users. Because of this we have a unique perspective on the facts that clarify the scope of this event. But first, a quick recap of the Snappening:
What do we know about the Snappening?
- A blogger named Kenny Withers went public with information regarding the breach of up to 200,000 private Snapchats.
- Next followed roughly as many gigabytes of news speculation as the rumors claimed had been leaked in Snapchat data.
- Snapchat confirmed that their servers were never breached.
- During this speculation, the website Snapsaved.com (an unauthorized, rogue third-party “Snapchat” application) disclosed that it had been compromised due to a simple Apache misconfiguration, had lost 500 MB of photos, and was shutting down the service.
- Snapchat published more details about the risk of third-party, rogue applications that use its API in an unauthorized manner.
A rogue, unauthorized, third-party “Snapchat” application called Snapsaved.com used Snapchat’s API in violation of Snapchat’s ToU, stored copies of users’ photos, was compromised and had said photos stolen from its website. The rest of the stories appear to be rumor, speculation, and hype.
Now let’s step back from the hyperbole for a moment and ask:
- What are the real problems that major brands, including every social media platform like Snapchat, are facing?
- What are the lessons we should be learning here?
The real problems
1. Rogue and copycat web and mobile applications are multiplying at a prodigious rate on the Internet and are created by folks who want to target the unwitting users of legitimate brands for various purposes, including monetary gain and malicious intent.
2. Rogue web and mobile applications are hard to police and prevent. Without the proper tools, it’s very time-consuming and resource-intensive for security teams to find, monitor and remove these applications from mobile stores and the Internet at large.
3. These applications exist outside of companies’ firewalls, IDS and perimeter security devices—essentially outside of the scope and reach of traditional security controls.
4. Users of these illegitimate applications have no way of knowing what these third-party applications are actually doing with their user information and private data.
The proliferation of rogue applications designed to impersonate the legitimate functionality of apps produced by major brands like Snapchat is a growing trend. The goal of the developers of these apps is to exploit the user’s implicit trust in a brand, often turning legitimate users into unwilling victims. The scale of this problem today is so large that it is almost impossible for an organization like Snapchat to police and manage these new threats to its user communities.
The threat for Snapchat users is that even if they’ve made sure they’re using Snapchat’s official mobile application, they can’t be certain of where those snaps may end up. One or more of the individuals they’re sending snaps to could be using rogue applications that might save/store their photos or send them off to a third-party website without the permission or knowledge of either party.
Lessons we should learn from this
1. The problem of rogue and copycat applications that target organizations’ users with dangerous features and malicious intent is real and growing rapidly.
2. Web APIs in the world of modern web and mobile applications are hard to secure, especially for growing startups trying to increase their user base.
3. Security professionals need better tools to measure and manage these problems.
4. Users need better management tools, especially for their mobile devices, to help them understand the risk that third-party, unauthorized apps present.
There is a whole ecosystem of web and mobile applications built around impersonating major brands like Snapchat, and leveraging the trust of the user base for commercial and/or malicious gain.
This situation is not unique to Snapchat. All social media platforms, online retailers, auction sites and even banking sites are facing this exact challenge. This is the new norm for online brands. Snapchat is simply the newest highly visible target of this rogue app threat ecosystem.
To better understand how large and daunting the challenge facing Snapchat is, we performed some preliminary analysis on 70+ mobile app stores to establish the general scope of the problem. Analyzing only the mobile threat ecosystem, we discovered the following:
- Over 687 mobile applications use Snapchat’s name in their title. Included in this sample are those with the word “snap” in the title and the word “snapchat” appearing at least once in the application description. This was in order to most closely approximate what a user would see when searching for Snapchat and Snapchat alternatives in each store.
- Apps from this sample are present in 46 separate mobile app stores around the world. Of those, over 75% exist outside of Google Play and the Apple App Store.
- 16 apps are hosted in the Google Play Store.
- 147 apps are hosted in the Apple iTunes Store.
- Some of the alternative mobile application stores hosting Snapchat-branded apps belonged to recognizable brands, including Amazon, Samsung and Windows. However, other lesser-known stores appeared in our sample as well, such as MPlayIT and AppTap, along with internationally hosted stores like AppChina, Wandoujia, AndroidPit and AppsZoom.
- Of the entire sample of 687, only a few dozen link back to Snapchat’s domain, making it more difficult for Snapchat to recognize/track most of them.
- These third-party apps have been downloaded tens of thousands of times by users all over the world.
- We found over 100 rogue Snapchat applications had been removed from mobile app stores since 2012. This indicates that someone at Snapchat is doing something about this problem, which is a good thing.
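As an added illustration (not RiskIQ’s tooling or the analysis actually run for this post), the following Python sketch applies the sampling rule and the link-back check described in the list above to a handful of constructed store listings; the brand domain, store names and sample data are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

BRAND = "snapchat"                 # brand keyword from the post
BRAND_STEM = "snap"                # shorter stem used for the title test
BRAND_DOMAINS = {"snapchat.com"}   # assumption: the brand's own domain(s)
OFFICIAL_STORES = {"Google Play", "Apple App Store"}

@dataclass
class Listing:
    store: str
    title: str
    description: str
    developer_url: Optional[str] = None

def matches_brand(l: Listing) -> bool:
    """Sampling rule from the post: brand name in the title, or the stem
    'snap' in the title plus the brand name anywhere in the description."""
    title = l.title.lower()
    return BRAND in title or (BRAND_STEM in title and BRAND in l.description.lower())

def links_to_brand(l: Listing) -> bool:
    """True only if the developer URL's host is the brand's domain or a
    subdomain of it; look-alike hosts such as snapchat.com.example fail."""
    if not l.developer_url:
        return False
    host = (urlparse(l.developer_url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def triage(listings):
    """Count matches per store, share outside the two official stores, and
    the listings that do not link back to the brand (hardest to track)."""
    matched = [l for l in listings if matches_brand(l)]
    per_store = Counter(l.store for l in matched)
    outside = sum(n for s, n in per_store.items() if s not in OFFICIAL_STORES)
    return {
        "matched": len(matched),
        "stores": per_store,
        "outside_official_pct": round(100 * outside / len(matched)) if matched else 0,
        "unlinked": [l.title for l in matched if not links_to_brand(l)],
    }

# Constructed sample listings (not real store data)
SAMPLE = [
    Listing("Google Play", "Snapchat", "Official app.", "https://www.snapchat.com/"),
    Listing("Apple App Store", "SnapSaved", "Like Snapchat? Save your snaps!", "http://snapsaved.example"),
    Listing("AppChina", "Snapchat Saver", "Keep every snap.", None),
    Listing("Wandoujia", "SnapSomething", "A Snapchat alternative.", "https://snapchat.com.evil.example/"),
    Listing("Google Play", "Photo Editor Pro", "Filters and stickers.", None),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The host check deliberately compares registrable domains rather than substrings, so a look-alike host that merely contains the brand name is reported as unlinked.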
It is important to note that RiskIQ has not yet analyzed these applications for malware or dangerous functions. It is likely that many—if not most—of these unauthorized applications are not intentionally malicious. Many are likely simple copycat apps that use Snapchat’s name and logo with descriptions along the lines of “Like Snapchat? Use SnapSomething!” with the harmless intention of generating ad revenue for the author.
However, as we learned with Snapsaved.com, “harmless” applications with dangerous functions can quickly be subverted to produce malicious results. Regardless of the social media platform, users should be wary of third-party applications. Caveat emptor, indeed.
Cyber thieves, fraudsters and black hat hackers will continue to search for ways to utilize both mobile and web resources to impersonate brands and target user bases as long as they can successfully pilfer valuable data as a result. Any organization collecting user data via these online digital assets is exposing its user base to this nascent threat. Snapchat is just one of many highly visible brands being targeted. By shedding light on this previously hidden threat landscape, the hope is that all brands can begin to take steps toward understanding and addressing the unique threats their users or customers may be exposed to in this area.