Just came across this bit of Ruby that can be used to decrypt Snapchat photos taken out of the cache on a phone, apparently adapted from here. To my surprise, it worked without a problem, considering the problems around Snapchat's security which have been well publicized lately (mostly the stuff around the whole phone number/username leak, as far as I recall).
require 'openssl'

# Usage: ruby decrypt.rb <cached snap file>...
# Writes decyphered_<name> next to each input file.
ARGV.each do |a|
  data = File.binread(a)
  c = OpenSSL::Cipher.new('AES-128-ECB')
  c.decrypt
  c.key = 'M02cnQ51Ji97vwT4'   # the key shipped inside every copy of the app
  o = c.update(data) + c.final # ECB needs no IV; final strips the PKCS#7 padding
  File.binwrite('decyphered_' + a, o)
end
So, my question is: what exactly are they doing wrong here, and what could they be doing better to improve the security of their application in this regard, considering that people often send intimate things that were never meant to be shared for longer than 10 seconds, and only with one person, and also considering the popularity of this app?
tl;dr, for all those who don't really care to know how computers work but still want to know what is up: basically, let's say you have 40 million people who use Snapchat, with 16.5 million users sending each other pictures every day, each picture in its own tiny locked safe. Now, what if you gave those 16.5 million people all the same flimsy plastic key to open each and every one of these lockboxes and capture the Snapchat media?
This is a serious problem in password management. The first problem here is the way they managed their key in their source code. Snapchat states that they send the photos encrypted over the internet, and that is true after all, but they are using a "pre-shared" key to encrypt this data (also, badly, using AES in ECB mode), so every user around the planet has the key to decipher each photo.
The problem here is: how did the internet get the key? Piece of cake, they just included it in every app, and somebody just searched for it.
What is this magic encryption key used by any and all Snapchat app?
M02cnQ51Ji97vwT4
You can find this (in the Android app) in a constant string located
in com.snapchat.android.util.AESEncrypt; no digging required, it is
quite literally sitting around waiting to be found by anyone.

On a more positive note (perhaps), in the 3.0.4 (18/08/2013) build
of the Android app, there is - oddly enough - a second key!

1234567891123456
It is a very bad practice to hardcode a password in your source (no matter if it is in your headers or in your binaries), the main problem being that anyone could find it with a simple "strings" command on your binary (or by looking in some place you used to share your code with your friends):
strings binaryFile
Then the malicious user can have a look at each string and check if that is the password he is looking for. So, if you really need to hardcode a password in your code you had better hide it, but this will just be "security through obscurity" and the malicious user will end up finding the key (so you had better think of a different approach).
What can they do to improve their security? Well, they could have generated a key for each photo, or they can pre-share a key between the clients that are going to share a picture, or use public/private keys; there are plenty of options.
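As an added example (not code from the question, the answer above, or Snapchat itself), here is the scheme the answer describes, one key baked into every client with AES-128-ECB and no integrity check, placed next to one of the alternatives it suggests: a fresh random key per photo in an authenticated mode. The function names, the "recipient" string used as associated data, and the sample photo bytes are this example's own; it assumes the per-photo key can be handed to the one intended recipient over a separate authenticated channel, which the example does not build.

```ruby
require 'openssl'
require 'securerandom'

# The key quoted in the answer, shared by every copy of the app.
SHARED_KEY = 'M02cnQ51Ji97vwT4'.b

# --- as shipped: AES-128-ECB under one global key -------------------------
def ecb_encrypt(plaintext, key)
  c = OpenSSL::Cipher.new('AES-128-ECB')
  c.encrypt
  c.key = key
  c.update(plaintext) + c.final          # PKCS#7 padding added by final
end

def ecb_decrypt(ciphertext, key)
  c = OpenSSL::Cipher.new('AES-128-ECB')
  c.decrypt
  c.key = key
  c.update(ciphertext) + c.final
end

# ECB has no IV and no chaining, so equal 16-byte plaintext blocks encrypt to
# equal ciphertext blocks; image data with runs of identical bytes leaks that.
def repeated_blocks?(ciphertext)
  blocks = ciphertext.bytes.each_slice(16).map { |s| s.pack('C*') }
  blocks.uniq.size < blocks.size
end

# --- one of the answer's suggestions: a key per photo, authenticated -------
# Returns [key, iv, tag, ciphertext]. The per-photo key is the only secret and
# must reach the one intended recipient over a separate, authenticated channel
# (assumed to exist here; building it is outside this example).
def gcm_encrypt(plaintext, recipient)
  key = SecureRandom.random_bytes(16)
  c = OpenSSL::Cipher.new('AES-128-GCM')
  c.encrypt
  c.key = key
  iv = c.random_iv                       # 96-bit nonce, fresh per message
  c.auth_data = recipient                # binds the ciphertext to its recipient
  ct = c.update(plaintext) + c.final
  [key, iv, c.auth_tag, ct]
end

# Returns the plaintext, or nil when the key, nonce, tag, recipient or
# ciphertext does not match: a cache entry cannot be opened with anyone else's
# key, and a modified file is rejected instead of being decrypted to garbage.
def gcm_decrypt(key, iv, tag, ciphertext, recipient)
  c = OpenSSL::Cipher.new('AES-128-GCM')
  c.decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = recipient
  c.update(ciphertext) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  photo = ('ATTACK AT DAWN!!' * 4).b     # constructed stand-in for image bytes
  ecb = ecb_encrypt(photo, SHARED_KEY)
  puts "ECB: anyone holding the app's key recovers it: #{ecb_decrypt(ecb, SHARED_KEY) == photo}"
  puts "ECB: repeated plaintext blocks visible: #{repeated_blocks?(ecb)}"
  key, iv, tag, ct = gcm_encrypt(photo, 'bob')
  puts "GCM: intended recipient: #{gcm_decrypt(key, iv, tag, ct, 'bob') == photo}"
  puts "GCM: some other key: #{gcm_decrypt(SecureRandom.random_bytes(16), iv, tag, ct, 'bob').inspect}"
  puts "GCM: repeated blocks visible: #{repeated_blocks?(ct)}"
end
```

The ECB half needs nothing but the string from the APK, which is exactly what the question's script relies on; the GCM half makes the cache entry worthless to anyone who does not hold that one photo's key, and the tag check means a tampered file fails loudly rather than opening as noise. Key distribution is the part that remains to be designed; the answer's pre-shared or public-key suggestions are ways to do it.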
Because this is a fundamental principle of information theory.
If a machine can decrypt a piece of information and keep it for ten seconds, it can decrypt it and keep it forever.
Any attempt to disguise this is simply smoke and mirrors.
The code is not "cracking" the encryption.
You are merely decrypting the data with the correct encryption key which was obtained by reverse engineering the application.
How could they do better? Not hard code the encryption key for one.
answered Mar 3, 2014 at 9:05
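The "obtained by reverse engineering" step above and the `strings` suggestion in the earlier answer amount to the same thing, so here is an added example (not from any answer on this page) of a minimal `strings`-style scan over a binary, plus a filter for runs shaped like an AES key. The binary is constructed here to hold the two keys quoted above among other strings; the 3.0 bits-per-byte entropy threshold and the function names are this example's own choices.

```ruby
AES_KEY_LENGTHS = [16, 24, 32].freeze

# What `strings` does: every run of at least min_len printable ASCII bytes.
def printable_runs(blob, min_len = 4)
  blob.b.scan(/[\x20-\x7e]{#{min_len},}/)
end

# Shannon entropy of a byte string, in bits per byte (0.0 for "AAAA...",
# up to log2(256) = 8 for uniformly random bytes; 4.0 for 16 distinct bytes).
def entropy(str)
  len = str.bytesize.to_f
  str.each_byte.tally.values.sum { |n| -(n / len) * Math.log2(n / len) }
end

# Printable runs of an AES key length whose byte distribution is not
# trivially flat. On a real build the survivors are a short list to try in
# place of the hardcoded key in the question's decryption script.
def key_candidates(blob, min_entropy = 3.0)
  printable_runs(blob).select do |s|
    AES_KEY_LENGTHS.include?(s.bytesize) && entropy(s) >= min_entropy
  end
end

# Constructed stand-in for a section of the app binary: strings separated by
# the non-printable bytes a real class file or ELF section would have.
SAMPLE_BINARY = [
  "\x00\x01\x02".b,
  "AAAAAAAAAAAAAAAA".b,                     # key-sized, but zero entropy
  "\xCA\xFE\xBA\xBE\x00".b,
  "com.snapchat.android.util.AESEncrypt".b, # class name quoted above
  "\x00\x10".b,
  "M02cnQ51Ji97vwT4".b,                     # the key every client ships with
  "\x00\x00".b,
  "decyphered_".b,                          # too short to be a key
  "\xFF\xFE".b,
  "1234567891123456".b,                     # second key in the 3.0.4 build
  "\x00".b
].join

if __FILE__ == $PROGRAM_NAME
  puts "printable runs: #{printable_runs(SAMPLE_BINARY).inspect}"
  puts "key-shaped, non-trivial entropy: #{key_candidates(SAMPLE_BINARY).inspect}"
end
```

The point of the entropy filter is only to shorten the list; a weak key like the second one quoted above still passes, and with a handful of candidates an attacker simply tries each against a cached file. Obfuscating the constant raises that cost slightly, but as the earlier answer says, a key the client must use is a key the client can be made to give up.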
Because it's not supposed to be impenetrably secure. Snapchat is for sharing, which is antithetical to securing.
I think they have implemented what they consider to be "enough" security for their model. They aren't too concerned about photos lasting longer than a few seconds, because people can always copy them via the analog hole. This encryption prevents people from simply saving the files to show to their friends, so they have to do a bit of extra work. This simple step protects over 99% of their photographs well enough.
By design. I do not think the number of lines is relevant. Nor do I think the language is relevant.
The question simplified is "Why can anyone decrypt these". The answer - because that was the intent.
The background is that the encryption may only be lip service, in the same way that encrypted PDFs are often sent with four-letter dictionary words as passwords.
There is security, but it is circumventable at some token level of effort. The layperson has no clue. We know better. (We know that in a post Snowden world we cannot be sure we can trust SSL protected websites.)
In short, it is a plastic padlock to satisfy the promise of encrypted transmission.
"So, my question is, what exactly are they doing wrong here"
That one is easy: they are promoting a false sense of security in people who are not familiar enough with the technology, so that they are willing to trust sending information that would otherwise be considered private to strangers...
That is the real flaw in the design.
Instead of making more convenient ways to do this, they should be assisting in raising smarter generations, or just put a disclaimer on the install so the self-inflicted victims cannot cry foul.
There are solid, tried and true encryption and transmission methods for internet communications, and the end goal is that if you want security get security, if you want the chance of interception, redistribution, and poor coding practices, then download whatever is hottest on the app store this week...
Security is not convenient, it is generally not fun, and it is not simple: all the things that kill a fly-by-night app.
Personally I would be MUCH more concerned with the developer having access in mass quantities over individual attacks...
The problem with Snapchat is that they are doing plain crypto while in fact they need DRM. The latter involves more topics than simply encrypting your data; you need, for example, to hide your keys from your user. It looks like they failed on this one.
Bad practice combined with deprecated security standards have opened up this vulnerability. Especially given Snapchat's 'mission' of making the images, texts, etc. non-reproducible and only viewable once, a better approach would have been to randomly generate a PSK on every boot and use that for the duration that the app is running, rendering its data useless upon every relaunch. And yes, as many others have said, hard-coding a security key directly into an application's code is very, very bad practice and one that could be easily avoided.
Summarising, to easily resolve this issue:
Use a randomly generated string (and a better encryption algorithm, although this poor choice may be somewhat related to the lower processor requirements and the primary target audience [younger people], who are more likely to have dated smartphones) as an SSL pre-shared key which cycles on every boot, rendering the cache useless upon app relaunch.
Very easy to resolve, really. Sounds like they could do with some consultancy around security best practices.
So, I called Snapchat out to reply to this question I've asked in their support, and got this instead. After a bit more than a few days, here is Snapchat's official reply to a support request in which I linked to this post and asked if they could weigh in with an honest reply to this question themselves. I personally consider this pretty much the weakest reply I could have gotten next to nothing at all, and an indication of a dysfunctional regard for security practices, not to mention public relations:
Team Snapchat replied:
Hi Dmitri,
Thank you for sharing your concerns. We remain committed to maintaining
the security and integrity of the Snapchat community.
Best,
Tobias
Thanks, snapchat!