It’s possible that you hadn’t heard about Snapchat a couple of weeks ago. But it’s most likely that you’ve heard about the Snapchat hack the last week or so. This breaking news has been all over the place, and a search on this term on Google will at present give more than 1 million hits.

I won’t repeat the news, and you (should) know that hackers stole 4.6 million usernames and phone numbers – and made them available for download at a site called SnapchatDB.info (but mercifully spared the last two digits of the phone numbers). All right, if you didn’t know about it – here’s a news article from TechCrunch on December 26th breaking this news.

Instead I’ll have a look at what’s happening after this breaking news has disappeared from the headlines. That’s what’s interesting now, at least for the security community and people concerned about cyber security.

What is Snapchat?

Let’s quote Wikipedia on this:

“Snapchat is a photo messaging application (“app”) developed by Evan Spiegel and Robert Murphy, then Stanford University students. Using the app, users can take photos, record videos, add text and drawings, and send them to a controlled list of recipients. These sent photographs and videos are known as “Snaps”. Users set a time limit for how long recipients can view their Snaps (as of December 2013, the range is from 1 to 10 seconds), after which they will be hidden from the recipient’s device and deleted from Snapchat’s servers.”

Yes, you read that right: the messages disappear after at most 10 seconds. Strange? Does anyone out there want this stuff? Well, some young people like it. According to a blog post at All Things D, these kids sent more than 400 million messages every day last November. Yes, 400 million.

And it was reported that the app’s core audience is the 13 to 25 age group, with 70 percent of those being women. About 25 percent of smartphone users in the United Kingdom use Snapchat monthly, and 50 percent of Norwegian smartphone owners actively used the app.

In any case, the numbers are huge, and that’s why Snapchat attracts hackers. It’s the same problem that other global services deal with every day.

What’s the Snapchat problem?

In August last year the Australian-based white-hat hacker group Gibson Security alerted Snapchat about two exploits that could allow (black-hat) hackers to access the username and phone number of millions of Snapchat users. You can read their “Snapchat Security Advisory” here.

According to a blog post on The Daily Dot, the problem is as follows:

“The problem, charges Gibson, is in the API used by Snapchat. Basically, an API is the set of instructions that allows one computer program to use data created by another computer program. Taking advantage of what the group called the “find friends exploit,” the group explained that interested parties could gain access to information sent over Snapchat that most users would quite naturally assume is both private and completely secure.”
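The Daily Dot’s description is non-technical, but the defensive lesson is concrete: an API that resolves phone numbers to accounts needs a per-client budget and monitoring for bulk lookups. Below is an added example, not Snapchat’s code and not from Gibson Security’s advisory, of detection logic run over constructed log lines: it flags any client that queries more than a threshold of distinct phone numbers inside a sliding window. The log format, field names, client identifiers and phone numbers are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// LookupEvent is one request to a hypothetical contact-lookup endpoint that
// resolves a phone number to an account. Field names are assumptions.
type LookupEvent struct {
	At       time.Time
	ClientID string
	Phone    string
}

// EnumerationDetector tracks, per client, the distinct phone numbers queried
// inside a sliding window: a real address-book sync asks about one person's
// contacts once, a harvester walks through whole number ranges.
type EnumerationDetector struct {
	Window    time.Duration
	Threshold int                      // distinct numbers tolerated per window
	recent    map[string][]LookupEvent // per client, pruned to Window
}

// Observe records one event (events must arrive in time order) and reports
// whether the client now exceeds Threshold distinct numbers within Window.
func (d *EnumerationDetector) Observe(e LookupEvent) bool {
	evs := append(d.recent[e.ClientID], e)
	cutoff := e.At.Add(-d.Window)
	for len(evs) > 0 && evs[0].At.Before(cutoff) {
		evs = evs[1:] // drop entries that fell out of the window
	}
	d.recent[e.ClientID] = evs
	distinct := map[string]struct{}{}
	for _, ev := range evs {
		distinct[ev.Phone] = struct{}{}
	}
	return len(distinct) > d.Threshold
}

// ParseLogLine reads the constructed format
// "<RFC3339 timestamp> client=<id> phone=<number>".
func ParseLogLine(line string) (LookupEvent, error) {
	f := strings.Fields(line)
	if len(f) != 3 || !strings.HasPrefix(f[1], "client=") || !strings.HasPrefix(f[2], "phone=") {
		return LookupEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LookupEvent{}, err
	}
	return LookupEvent{At: at, ClientID: f[1][len("client="):], Phone: f[2][len("phone="):]}, nil
}

// FlaggedClients replays time-ordered log lines through the detector and
// returns the set of clients that went over budget at any point.
func FlaggedClients(lines []string, window time.Duration, threshold int) (map[string]bool, error) {
	det := &EnumerationDetector{Window: window, Threshold: threshold, recent: map[string][]LookupEvent{}}
	flagged := map[string]bool{}
	for _, l := range lines {
		ev, err := ParseLogLine(l)
		if err != nil {
			return nil, err
		}
		if det.Observe(ev) {
			flagged[ev.ClientID] = true
		}
	}
	return flagged, nil
}

// SampleLog is constructed and time-ordered: a normal sync, a client retrying
// one number, a sequential number walker, and a slow client spread over two
// windows (four distinct numbers in total, never more than two per minute).
var SampleLog = []string{
	"2014-01-02T10:00:00Z client=app-aaa phone=+15550100001",
	"2014-01-02T10:00:01Z client=app-aaa phone=+15550100002",
	"2014-01-02T10:00:02Z client=app-aaa phone=+15550100003",
	"2014-01-02T10:00:05Z client=retry-bbb phone=+15550100050",
	"2014-01-02T10:00:06Z client=retry-bbb phone=+15550100050",
	"2014-01-02T10:00:07Z client=retry-bbb phone=+15550100050",
	"2014-01-02T10:00:30Z client=slow-ccc phone=+15550100101",
	"2014-01-02T10:00:31Z client=slow-ccc phone=+15550100102",
	"2014-01-02T10:01:00Z client=scraper-ddd phone=+15550100200",
	"2014-01-02T10:01:01Z client=scraper-ddd phone=+15550100201",
	"2014-01-02T10:01:02Z client=scraper-ddd phone=+15550100202",
	"2014-01-02T10:01:03Z client=scraper-ddd phone=+15550100203",
	"2014-01-02T10:05:00Z client=slow-ccc phone=+15550100103",
	"2014-01-02T10:05:01Z client=slow-ccc phone=+15550100104",
}

func main() {
	flagged, err := FlaggedClients(SampleLog, time.Minute, 3)
	fmt.Println(flagged, err) // map[scraper-ddd:true] <nil>
}
```

The detector counts distinct numbers rather than raw requests, so a client retrying the same lookup is not penalised, and the window is pruned per event, so a client that spreads its lookups thinly stays under budget; in production the same signal would feed a rate limiter on the endpoint rather than only a report.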

But Snapchat failed to take action after this warning, and Gibson Security published what it claimed was Snapchat’s API and revealed the two security exploits mentioned in their security advisory in August. You’ll find the full disclosure published here on Christmas Eve with the following foreword:

“Given that it’s been around four months since our last Snapchat release, we figured we’d do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure: none of them). Seeing that nothing had really been improved upon (although, stories are using AES/CBC rather than AES/ECB, which is a start), we decided that it was in everyone’s best interests for us to post a full disclosure of everything we’ve found in our past months of hacking the gibson.”

Got it? Let’s move on.

What’s coming up after the Snapchat hack?

The interesting part is what comes after the breaking news is gone. A debate is now starting on a range of issues, focused on better data security and on what can be learned from this hack. Snapchat itself is no longer the issue: according to an article by ABC News, they don’t seem eager to fix their problems or to offer any apology. So forget about them.

Here are some headlines posted in the last few days:

Clearly, this hack will lead to more focus on data security, something The Wall Street Journal also said yesterday in an article called “Wanted: More Vigilance on Data Security” based on this hack.

Is encryption important?

One of the shortcomings of the Snapchat API, disclosed by Gibson Security in the security advisory mentioned above, is the poor implementation of encryption. Among other things they wrote:

“Snaps are encrypted using symmetric-key encryption! The key is the same in both the Android and iOS app, and it’s just sitting around in the app waiting for someone to find it.”
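Two details in the disclosures are worth seeing in code: the Christmas Eve foreword notes that stories moved from AES/ECB to AES/CBC, and the advisory quoted above says the symmetric key is the same in both apps and sits in the binary. The following is an added example, not Snapchat’s or Gibson Security’s code, using Go’s standard crypto library to show what the mode change does and does not buy: ECB reveals repeated plaintext blocks, CBC under a random IV hides them, and with a static key shipped in every client anyone who has extracted it can decrypt every message in either mode. The key, plaintext and function names are constructed for this example, and padding is left out so the focus stays on mode and key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StaticAppKey stands in for a key compiled into a client binary. It is a
// constructed value for this example; whoever extracts it from the app can
// decrypt every message protected with it, regardless of cipher mode.
var StaticAppKey = []byte("0123456789abcdef") // 16 bytes = AES-128

// newBlock builds the AES block cipher and checks the data is block-aligned;
// padding is left out of this example to keep the focus on mode and key.
func newBlock(key, data []byte) (cipher.Block, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data must be a non-empty multiple of 16 bytes")
	}
	return aes.NewCipher(key)
}

// EncryptECB encrypts each block independently: equal plaintext blocks give
// equal ciphertext blocks, so structure in the plaintext shows in the output.
func EncryptECB(key, pt []byte) ([]byte, error) {
	block, err := newBlock(key, pt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out, nil
}

// EncryptCBC chains blocks under a fresh random IV (prefixed to the output),
// so equal plaintext blocks no longer produce equal ciphertext blocks.
func EncryptCBC(key, pt []byte) ([]byte, error) {
	block, err := newBlock(key, pt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(pt))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}

// DecryptCBC is what anyone holding the static key can do with a captured
// message: the switch from ECB to CBC does not change that.
func DecryptCBC(key, ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := newBlock(key, ct)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	return pt, nil
}

// RepeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// block, a crude indicator of ECB-style pattern leakage.
func RepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	dup := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dup++
		}
		seen[k] = true
	}
	return dup
}

// SamplePlaintext is constructed: four identical 16-byte blocks, like a flat
// region in an image or a repeated field in a message.
var SamplePlaintext = bytes.Repeat([]byte("SAME-SIXTEEN-BYT"), 4)

func main() {
	ecb, _ := EncryptECB(StaticAppKey, SamplePlaintext)
	cbc, _ := EncryptCBC(StaticAppKey, SamplePlaintext)
	fmt.Println("ECB repeated blocks:", RepeatedBlocks(ecb)) // 3
	fmt.Println("CBC repeated blocks:", RepeatedBlocks(cbc)) // 0
	back, _ := DecryptCBC(StaticAppKey, cbc)
	fmt.Println("decrypted with the shared key:", bytes.Equal(back, SamplePlaintext)) // true
}
```

The first two lines of output show why the advisory calls the CBC move “a start”: the mode fixes pattern leakage. The third line shows why it is only a start: confidentiality against someone who has pulled the key out of the app requires a key that is not in the app, such as one negotiated per user or per session, and no choice of block mode substitutes for that.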

I don’t know much about Snapchat’s code or security beyond what Gibson Security has disclosed. But I know a lot about how to encrypt sensitive information you want to store and share on the Internet using Dropbox, because of my own product, Ensafer, which encrypts Dropbox and other services on the Internet.

I know that it’s very difficult to design a good security model, and hugely time-consuming to implement it in the best possible way. So Snapchat has to work really hard to improve their security. And, even harder: to win back the confidence of their users.

BTW: If you have a username on Snapchat and are nervous that it was part of the leak, you can check it here.


This post can also be found here on the Ensafer blog.