Naked Security

Snapchat source code leaked on GitHub – but no one knows why

A chunk of Snapchat's source code that wasn't meant to be public just popped up on GitHub. Will this harm security?

What just befell a “small” piece of Snapchat’s source code, and should users be concerned?
Things took a turn for the worse earlier this week when Twitter users got wind that the company had filed a takedown request under the Digital Millennium Copyright Act (DMCA) on 2 August 2018 in response to a portion of precious code being posted on GitHub.
Asking GitHub to remove commercially sensitive source code isn’t surprising in the least, although some claimed they detected a note of mild panic in the language used. In answer to the question identifying which copyrighted work had been infringed, Snap’s employee replied in full caps:

SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.

Given the situation, to most observers this will sound perfectly reasonable. The company followed up by confirming to Motherboard that a “small amount” of the source code for its iOS app had leaked in May during an update:

We discovered that some of this code had been posted online and it has been subsequently removed.

However, the company made two further claims that are open to question, the first being that the company was:

Able to identify the mistake and rectify it immediately.

This sounds reassuring and yet clearly someone managed to grab the code and post it to GitHub (not to mention the possibility that the code sat on GitHub for two months before this was noticed).
A second issue is the claim that the leak:

Did not compromise our application and had no impact on our community.


That might a bit complacent given Twitter posts suggesting the source code leaked beyond GitHub in the days before it was taken down.

Even a small piece of source code floating around the public domain raises the chances of a vulnerability being found at some point.
A Twitter user claiming to be the individual who posted the code to GitHub later claimed he/she had tried to communicate with the company regarding the original leak, but no response was forthcoming.
https://twitter.com/i5aaaald/status/1025639490696691712
Given that Snapchat’s publisher, Snap Inc, runs a bug bounty program through the third-party HackerOne platform, this is a little surprising – or perhaps source code leaks don’t qualify for the bounty the leaker was angling for.
At least Snap can console itself that it’s not alone. Earlier this year, Apple found itself in a similar pickle after someone posted the source code for Apple’s iBoot bootloader to GitHub, which resulted in a similar DMCA takedown request.
In both cases, the user base has been left to wonder how it is that big, well-resourced companies keep inadvertently exposing their most valuable software assets to anyone with the wherewithal to capitalise on an old-fashioned mistake.

2 Comments

I think it is a bit of a stretch to say that if the source code becomes public then Snapchat becomes more vulnerable security-wise. After all, practically every server on the internet runs Linux, and the source for that has been public for decades. On the other hand, there is plenty of closed source software out there (e.g. Windows and Adobe Flash) where the source is not widely available but which is a nightmare security-wise.
IMHO, what really makes a difference security-wise is the development practices. If the code was developed from the outset with security in mind then a leak like this won’t make much difference, but if security was an afterthought then it will be bad anyway.
That is not to say that there won’t be other negative consequences for Snapchat, such as revealing secret business logic, or a lower share price.
