Snapchat breach exposes flawed premise, security challenge
The prospect of tens of thousands of potentially racy Snapchat photos hitting the internet has driven home a simple fact: the mobile app's core feature - delivering photos and videos that vanish seconds after viewing - is flawed.apps Updated: Oct 15, 2014 13:28 IST
The prospect of tens of thousands of potentially racy Snapchat photos hitting the internet has driven home a simple fact: the mobile app's core feature - delivering photos and videos that vanish seconds after viewing - is flawed.
The negative publicity surrounding that speculation has spurred criticism about its lax security. But whether this will affect the valuation of the 3-year-old Silicon Valley start-up as it seeks another round of funding remains to be seen.
A range of venture capitalists and tech insiders say they believe it will not, for now. One person close to the company's fundraising efforts who asked not to be named said Snapchat is still expecting a $10 billion valuation in the current funding round, one of the startup industry's richest and the same level being
considered by investors before news of the breach surfaced last week.
"Once a company is hot, investors will be keen to continue investing unless the issue seems to be life-threatening," said Anand Sanwal, chief executive of venture capital consultancy CB Insights.
The brouhaha has not yet hurt the popularity of Snapchat among teenagers, partly because no mass publication of leaked photos has materialized. The messaging service remained among the five most-downloaded photo and video apps over the weekend, according to analytics service App Annie.
The issue arose last week when hacker forums claimed unknown parties had created a file holding at least 100,000 stolen Snapchat photos, including many of minors, that could end up being posted online. The anticipated event, dubbed "the snappening," was widely reported, including by Reuters.
While Snapchat said its servers were not breached, it confirmed that rogue third-party apps have been storing its users' pictures. That points to a longer-term challenge for the Los Angeles company: its inability to fully block the external parties it blames for undermining its business.
Even before any talk of "the snappening," security experts were faulting Snapchat for what they call a cavalier approach toward privacy, which may have given users a false sense of comfort.
The third-party apps, which allow users to enter their Snapchat password and log-in information, connect to the main service and provide unauthorized features such as image-saving.
Such software can be pernicious since the people whose pictures are stored are often unaware of the privacy breach by the downloaders of the third-party apps.
Snapchat does not allow other apps to interact with its service, but many developers manage to break the rules. The company says it monitors for such "illegal" apps
and has succeeded in removing some culprits from Google and Apple app stores.
One website, Snapsaved.com, claimed on Monday on its Facebook page that its servers had been hacked and that intruders had accessed its trove of Snapshot photos.
But Snapchat should have been able to detect multiple requests for information originating from external services, or to detect when users were alternately logging on from different apps, cybersecurity experts said.
In addition, Snapchat used very elementary encryption to protect photos and videos on its service, said Chris Wysopal, chief technology officer of Veracode, a firm specializing in testing apps for security vulnerabilities.
Instead of requiring two separate cryptographic keys to access images transmitted across Snapchat, the service relied on a single universal key that unlocked everything, "the bare minimum," he said.
"Someone who knew what they were doing, probably in a few hours could reverse-engineer it, find the key and write a program to decrypt the photos as they go over the network."
In May, Snapchat settled charges with U.S. regulators accusing it of deceiving customers by promising that photos on its service disappeared forever. The US Federal Trade Commission also faulted Snapchat for storing unencrypted videos on users' phones, which could be accessed by connecting the device to a personal computer.
Still, even the best security measures could leave Snapchat playing an unwinnable cat-and-mouse game with hackers.
At a very basic level, Snapchat cannot stop anyone from taking a photo of a photo. Anyone who receives a Snapchat image on the phone can use another camera to capture the screen picture, said Michael Coates, director of product security at Shape Security.
Still, Snapchat may have little to worry in the near term, at least on the valuation front, industry insiders say.
David Cowan, a partner at Bessemer Venture Partners, which has not invested in Snapchat but has backed other consumer startups like dating service Zoosk and online bulletin board Pinterest, said Snapchat has little to worry about.
"These types of breaches will definitely stop people from using Snapchat," Cowan said, "until they have a really cool picture to share."