The Guardian reports that third-party Snapchat client Snapsaved posted an update on its Facebook Page that explained how the photographs surfaced online. Snapsaved is a web site that lets users save photos from Snapchat, which normally deletes them automatically after each message.
In the Facebook post, Snapsaved claims that a misconfiguration in its Apache server caused the site's database of saved Snapchat photos and videos to become vulnerable to hackers. This meant that hackers were able to access the trove of nearly 100,000 files and post them online at another site.
A post on anonymous note site Pastebin had accused the administrators of Snapsaved of intentionally providing hackers with access to the site's store of saved images. In the new Facebook post, Snapsaved denies this claim.
Snapsaved goes on to deny that usernames were leaked along with the images, which means that rumors of a searchable database of the images are likely false. Posters on 4chan had claimed that the usernames of the teenagers shown in the explicit photographs were leaked along with the images themselves. They claimed that a database was being built that would allow people to search the archive of stolen photographs by username.
Snapsaved claims that it took the site offline as soon as it realized that it had been hacked. Users appear to have believed that Snapsaved let them save their Snapchat photos on their own devices; they didn't know that the pictures were also being saved on servers owned by Snapsaved. There is no evidence that Snapsaved had attempted to alert users of the site that their saved Snapchat photos and videos had leaked. Instead, the snapsaved.com URL was changed to redirect to a shopping website.
The Facebook post also confirms that the majority of Snapsaved users were either Swedish, Norwegian or American. Snapsaved goes on to claim that it previously reported users to Swedish and Norwegian authorities, signaling that whoever runs the site had been viewing the private images sent through it.
The Snapsaved hack has raised serious concerns over the security of Snapchat's API. Over half of the app's users are aged between 13 and 17, but it's trivially easy for developers to reverse-engineer the app's API to create a third-party app or website that saves photos and videos that are intended to be deleted upon receipt.
It had previously been feared that hackers created Snapsaved with the sole purpose of intercepting explicit photos and videos of children. Snapsaved's statement seems to dispel this theory, instead increasing concern over the security of Snapchat's support for external developers.
In a statement released following the Snapsaved hack, Snapchat blamed its users for downloading and using third-party apps to save Snapchats. They cautioned against the use of any Snapchat apps that aren't developed by the company, warning that these sites are prohibited by the company's terms of use.
Here's the full Facebook post from the Snapsaved developer:
I would like to elaborate on the recent events regarding Snapsaved.com.
Snapsaved.com was a website used to save SnapChats, precisely as the app snapsave.
In response to recent media events and the statement made by http://pastebin.com/cJcTbNz8, I would like to inform the public that snapsaved.com was hacked; the dictionary index the poster is referring to was never publicly available. We had a misconfiguration in our Apache server.
SnapChat has not been hacked, and these images do not originate from their database.
Snapsaved has always tried to fight child pornography; we have even gone as far as reporting some of our users to the Swedish and Norwegian authorities.
As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has affected 500MB of images, and 0 personal information from the database.
The recent rumors about the snappening are a hoax. The hacker does not have sufficient information to live up to his claims of creating a searchable database.
Our users had to consent to all the content they received via SnapSaved.com; as we mentioned, we tried to cleanse the database of inappropriate images as often as possible. The majority of our users are Swedish, Norwegian and American. I sincerely apologize on behalf of snapsaved.com; we never wished for this to happen. We did not wish to cause SnapChat or their users any harm; we only wished to provide a unique service.