iOS apps found to be harvesting Snapchat user credentials over insecure connections


If you’re using a third-party Snapchat app, it’s time to delete it. Change the password to your Snapchat account while you’re at it. Discoveries revealed today point to the fact that multiple third-party Snapchat apps are sending copies of user credentials over non-secure connections to their own servers.

Will Strafach, of Sudo Security Group, discovered these apps harvesting Snapchat credentials while doing some app security research. Sudo Security Group's upcoming mobile app intelligence system, Verify.ly, scans through applications to discover whether or not they are respecting user privacy and using safe methods to transmit data over the Internet. Throughout his research, he was able to uncover a handful of applications that are currently transmitting Snapchat credentials over insecure connections.

The apps tested were on iOS, but that’s not to say that Android apps are immune, just that they weren’t included in the test.

The first offending app was Snapix. When a user enters their Snapchat login details into Snapix, the app transmits this data, in plain text, over a non-secure connection. Worse, it stores this data on its own server as well. There’s no legitimate reason a third-party app would need to store login information on its own server, but that’s not stopping Snapix.

Snapix may have been the most egregious offender, but it was by no means the only third-party Snapchat app with severe vulnerabilities. Two other applications, Quick Upload and SnapBox, were also guilty of sending sensitive data in plaintext over an insecure connection.
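The two behaviours described above (credentials sent in plaintext, and credentials sent to the app's own server) can be checked for in a traffic capture of an app under review. The sketch below is an added example, not code from the article or from Verify.ly; the credential field names, the first-party domain suffix and every host in the sample capture are assumptions made for illustration, and it only handles query-string and form-encoded bodies.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumptions: field names and the first-party suffix are illustrative.
CREDENTIAL_FIELDS = {"username", "user", "login", "email",
                     "password", "passwd", "pass"}
FIRST_PARTY_SUFFIXES = ("snapchat.com",)


def is_first_party(host):
    """True only for the suffix itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s)
               for s in FIRST_PARTY_SUFFIXES)


def audit_request(url, body=""):
    """Return the findings for one captured request (empty list = ok)."""
    parts = urlsplit(url)
    # Credentials can ride in the query string or a form-encoded body.
    pairs = (parse_qsl(parts.query, keep_blank_values=True)
             + parse_qsl(body, keep_blank_values=True))
    if not {k.lower() for k, _ in pairs} & CREDENTIAL_FIELDS:
        return []
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("cleartext-transport")
    if not is_first_party(parts.hostname):
        findings.append("credentials-to-third-party-host")
    return findings


def audit_capture(capture):
    return {url: audit_request(url, body) for url, body in capture}


# Constructed sample capture; all hosts are placeholders, not real endpoints.
SAMPLE_CAPTURE = [
    ("http://api.thirdparty-app.example/login", "username=alice&password=hunter2"),
    ("https://api.thirdparty-app.example/login", "username=alice&password=hunter2"),
    ("https://auth.snapchat.com/login", "username=alice&password=hunter2"),
    ("http://cdn.thirdparty-app.example/img?id=7", ""),
]

if __name__ == "__main__":
    for url, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(url, findings or "ok")
```

The second sample request shows that HTTPS alone does not clear an app: the login details still end up on a server the third-party developer controls.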

Strafach only tested a few apps for these vulnerabilities, so this shouldn’t be interpreted as an exhaustive list. In fact, it’s generally better to avoid third-party applications that extend the functionality of social networks entirely, as Snapchat itself warned in a blog post after a 2014 leak that saw thousands of videos and images leaked.

“When you give your login credentials to a third-party application,” Snapchat representatives said, “you’re allowing a developer, and possibly a criminal, to access your account information and send information on your behalf.”

[via 9to5Mac]

This article was originally published in forum thread: iOS apps found to be harvesting Snapchat user credentials over insecure connections, started by Caiden Spencer.
