Users of third-party Snapchat applications listed on the iOS App Store are being urged to change their passwords after a security researcher uncovered a number of popular apps were transmitting sensitive credentials over insecure connections to their own servers – leading to fears that user safety is now at risk.
The flaws were exposed by Will Strafach, a security researcher with Sudo Security Group, who found at least three Snapchat-related applications were developed in a way that falls well short of modern security standards.
The first application, called Snapix, was released on 22 February this year and lets users upload images saved on their smartphone directly to Snapchat – a feature not currently available on the legitimate service. Upon analysis, the researcher found that when a user enters their credentials the information is passed over an insecure connection to the developer's own server before being redirected to Snapchat. This, Strafach told 9to5Mac, allows the app to 'harvest' the credentials while simultaneously logging the user into the app.
What's worse is that the data is sent over an unencrypted channel, which means it could easily be intercepted if the device is connected to a public Wi-Fi network. As many researchers have demonstrated in the past, this readily enables 'man-in-the-middle' (MitM) attacks on shared networks at workplaces, coffee shops or hotels. The Snapix vulnerability has since been reported to Apple.
Following the discovery of third-party weaknesses, Strafach decided to search for more security flaws in similar Snapchat-related applications freely available online. In a short search, he found two more apps called QuickUpload and Snapbox that also have weak security standards in place.
Strangely, these two seemingly different services, by separate application developers, both send information to the same server: 'likepotion.topranksoft.com'. Additionally, Snapbox was also found to be sending precise GPS locations to that server.
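The two behaviours described above, cleartext credential submission and credentials or location data going to a host other than the legitimate service, are easy to check for in captured traffic. The following is an added example, not code from the article or from the researcher's work; it runs over constructed request records, and the Snapix backend host, request paths and form field names are assumptions (only 'likepotion.topranksoft.com' and the snapchat.com domain come from the article).

```python
"""Triage captured HTTP POSTs (e.g. from a proxy or pcap summary) for
credential harvesting and cleartext credential exposure."""
from urllib.parse import urlsplit, parse_qs

# Domains the legitimate service is expected to use (assumption).
FIRST_PARTY_SUFFIXES = ("snapchat.com",)
# Form field names to treat as credentials / location (assumed names).
CREDENTIAL_FIELDS = {"username", "password"}
LOCATION_FIELDS = {"lat", "lon", "latitude", "longitude"}

def assess_request(url, body):
    """Return the findings for one captured request (URL plus form body)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    fields = set(parse_qs(body, keep_blank_values=True))
    first_party = any(host == s or host.endswith("." + s)
                      for s in FIRST_PARTY_SUFFIXES)
    findings = []
    creds = fields & CREDENTIAL_FIELDS
    if creds and parts.scheme == "http":
        findings.append("cleartext-credentials")          # sniffable on shared Wi-Fi
    if creds and not first_party:
        findings.append("credentials-to-third-party:" + host)
    if fields & LOCATION_FIELDS and not first_party:
        findings.append("location-to-third-party:" + host)
    return findings

# Constructed records: (app, url, form body). Hosts other than the one
# named in the article are placeholders; paths and values are made up.
CAPTURED = [
    ("Snapix", "http://snapix-backend.invalid/login",
     "username=alice&password=hunter2"),
    ("Snapbox", "http://likepotion.topranksoft.com/api/login",
     "username=alice&password=hunter2&lat=37.77&lon=-122.41"),
    ("Official", "https://www.snapchat.com/login",
     "username=alice&password=hunter2"),
]

def triage(records=CAPTURED):
    """Map each app name to its findings; an empty list means nothing flagged."""
    return {app: assess_request(url, body) for app, url, body in records}

if __name__ == "__main__":
    for app, found in triage().items():
        print(f"{app}: {found or 'ok'}")
```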
While these applications are not affiliated with the legitimate Snapchat software, they have long been a security nightmare for the California-based firm. In 2014, a massive security incident dubbed 'The Snappening' had major implications for the company as tens of thousands of images and videos of users were compromised from a third-party app called SnapSave.
Following the third-party breach, Snapchat released a statement that turned the focus on the inherent risks involved with unverified applications and promised "a complete shutdown of third-party apps."
"Given the popularity of Snapchat and the size of our community, it's no surprise that a cottage industry of app-makers has popped up to provide additional services to Snapchatters," the firm said at the time. "Unfortunately, these applications often ask for Snapchat login credentials and use them to send or receive snaps and access account information." It added: "When you give your login credentials to a third-party application, you're allowing a developer, and possibly a criminal, to access your account information and send information on your behalf."
Most recently, the firm was hit by a separate security incident after an unwitting employee fell victim to a phishing scam that resulted in the loss of a slew of sensitive payroll data.