Sophos News

Snapchat source code leaked on GitHub – but no one knows why

What just befell a “small” piece of Snapchat’s source code, and should users be concerned?
Things took a turn for the worse earlier this week when Twitter users got wind that the company had filed a takedown request under the Digital Millennium Copyright Act (DMCA) on 2 August 2018 in response to a portion of precious code being posted on GitHub.
Asking GitHub to remove commercially sensitive source code isn’t surprising in the least, although some claimed they detected a note of mild panic in the language used. In answer to the question identifying which copyrighted work had been infringed, Snap’s employee replied in full caps:

SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.

Given the situation, to most observers this will sound perfectly reasonable. The company followed up by confirming to Motherboard that a “small amount” of the source code for its iOS app had leaked in May during an update:

We discovered that some of this code had been posted online and it has been subsequently removed.

However, the company made two further claims that are open to question, the first being that the company was:

Able to identify the mistake and rectify it immediately.

This sounds reassuring and yet clearly someone managed to grab the code and post it to GitHub (not to mention the possibility that the code sat on GitHub for two months before this was noticed).
A second issue is the claim that the leak:

Did not compromise our application and had no impact on our community.

That might be a bit complacent given Twitter posts suggesting the source code leaked beyond GitHub in the days before it was taken down.

Even a small piece of source code circulating in public raises the chances of a vulnerability being found at some point.
A Twitter user claiming to be the individual who posted the code to GitHub later said he or she had tried to contact the company about the original leak, but no response was forthcoming.

Given that Snapchat’s publisher, Snap Inc, runs a bug bounty program through the third-party HackerOne platform, this is a little surprising – or perhaps source code leaks don’t qualify for the bounty the leaker was angling for.
At least Snap can console itself that it’s not alone. Earlier this year, Apple found itself in a similar pickle after someone posted the source code for Apple’s iBoot bootloader to GitHub, which resulted in a similar DMCA takedown request.
In both cases, the user base has been left to wonder how it is that big, well-resourced companies keep inadvertently exposing their most valuable software assets to anyone with the wherewithal to capitalise on an old-fashioned mistake.