Following the recent incident in which hundreds of thousands of photos were leaked online, the developers of photo messaging application Snapchat have decided to take steps to protect users against risky third-party applications.
The content sent by Snapchat users is visible only for a few seconds, but there are several third-party applications designed to save the “Snapchats.” The large number of photos leaked in October came from one such service, Snapsaved.
Snapsaved said hackers exploited a misconfiguration in their Apache server and downloaded a total of 500Mb of photos mostly belonging to users in the United States, Sweden and Norway. The site’s operators deleted the entire database shortly after the breach, which has been referred to as “The Snappening.”
To prevent such incidents from occurring in the future and to protect customers against services that trick them and compromise their accounts, Snapchat has started actively warning Snapchatters when the use of a third party app is detected.
While most customers will not see any difference, those who use third party apps will be advised to change their passwords and stop using unauthorized applications.
The company also called on Apple and Google to remove third-party iOS and Android applications that access the Snapchat API from their app stores.
“A third-party application is any application that accesses the Snapchat API, but hasn’t been built and maintained by our company. Given the popularity of Snapchat and the size of our community, it’s no surprise that a cottage industry of app-makers has popped up to provide additional services to Snapchatters,” Snapchat said in a blog post last month. “Unfortunately, these applications often ask for Snapchat login credentials and use them to send or receive snaps and access account information.”
Snapchat says it likes what some developers have done to make the service better. However, the company believes it takes time and a lot of resources to build a trustworthy third-party app ecosystem, which is why it hasn’t released a public API and prohibits use of its private API.
“[Any] application that isn’t ours but claims to offer Snapchat services violates our Terms of Use and can’t be trusted,” Snapchat said.
While the latest incident doesn’t involve a breach of Snapchat’s systems, there have been cases where the service was directly targeted by hackers. In late December 2013, the usernames and associated phone numbers of 4.6 million Snapchat users were published online by hackers who had leveraged an attack method disclosed by researchers just days earlier.