Posted by Kalyani M. on Sep 10, 2013
Most smartphone users and shutterbugs are familiar with the “private” photo app Snapchat. The app allows users to send each other instant snapshots that are timed and supposedly deleted forever once opened by the intended recipient. Unfortunately, recent news shows that the mobile application can be easily hacked and that “deleted” photos are actually recoverable. This should worry both Snapchat users and parents of smartphone-savvy teens, as sensitive photos and personal information could be hacked and used for exploitation and blackmail. Instead of using unsafe applications, users with sensitive photos and personal information should exclusively upload to a secure cloud that offers user privacy.
According to a study conducted by Gibson Security, Snapchat has a large number of glaring security gaps. The popular photo-sharing app only uses two encryption keys for all users, which are kept by the company, meaning that they must be released to the government in the case of a subpoena. According to the Gibson advisory, “Internet trolls and stalkers could use this [personal] information to harass people in real life, unmasking the anonymity and privacy Snapchat provides. The scariest part for us is the possibility of a company utilizing this exploit on a massive scale, only to sell a database of Snapchat names, phone numbers and locations to a third party. With little work, a malicious party could steal large amounts of data and sell it on a private market, and that’s highly illegal.”
To the dismay of privacy advocates and phone photographers, Snapchat still hasn’t addressed these security concerns. As the security firm told ZDNet, “Snapchat aren’t exactly easy to get hold of,” claiming, “With a couple lines of Python, someone could view all your unread messages, and depending on the situation, modify and even replace the images completely.” The potential for blackmail and harassment is high, which makes consumers question why it is that Snapchat won’t put in the extra effort to keep their privacy safe. The Gibson study goes on further to claim that “Snapchat [uses] a fairly simple (yet strangely implemented) protocol on top of HTTP. We won’t reveal anything about the protocol, only what is needed for these problems, but the rest is easily figured out. We are privacy conscious, being users of the service ourselves.”
Gibson Security isn’t the only company to find problems with Snapchat’s lack of security. Richard Hickman of Decipher Forensics showed a television reporter that his firm had restored allegedly deleted photos hosted by the app. The only response that Snapchat has given at this time is a blog post claiming “if you’ve ever tried to recover lost data after accidentally deleting a drive or maybe watched an episode of CSI, you might know that with the right forensic tools, it’s sometimes possible to retrieve data after it has been deleted.” But this is just false. With strong encryption, user-hosted keys, and the promise to delete photos from servers, the application could offer much better protections from the threat of hacking and recovered photos. Hickman claims, “The actual app is even saving the picture. They claim that it’s deleted, and it’s not even deleted. It’s actually saved on the phone.” Some, like Orem Police Lieutenant Craig Martinez, caution against using the app altogether. The officer recently advised, “Be careful what you do on your cell phone, what you put on your cell phone. Because once it’s there, chances are it’s going to be there for a really long time, even if you can’t see it.”
For parents and people that still want to use Snapchat, the company has offered a simple guide, which has been recently posted to Forbes:
While these precautions can be good first steps, it still doesn’t change the fact that the company does little to keep your identity and private photos safe.
Securing Photos Through SpiderOak
For most users, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave photos and private info wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides colleges with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.
SpiderOak protects sensitive user data with 256-bit AES encryption so that photos, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.