A Whole New Level Of Breach

With the Snapchat and Dropbox breaches this week, the attack surface just got raised a notch.

In case you are not familiar with these two breaches, I will describe at a high level what happened.

With Snapchat, users assume that their pictures will disappear quickly on the other end after they are opened.  However, if the other person violates the terms of service and adds an app like snapsaved to their phone, they can save that chat forever.  In this case, not only can that happen, but the app also saves your chats to its web site, and that website got hacked – along with a whole bunch of child porn (the demographic of users for snapchat is 13 to 18 year olds and they seem to like to share naked selfies a lot).

The Dropbox breach is similar. The details are not all available yet, but it seems that, again, it was a helper app that was breached.  In this case, there was no violation of the terms of service, but millions of userids and passwords were apparently stolen.

The dropbox case is a little different from the snapchat case in that with dropbox, you elected to install the helper app, so you cannot say that you did not know what was happening.  In the snapchat case, you didn’t do anything to contribute to the breach and were likely unaware that the other person had that extra app installed.

What this means is that you, as a user of online services, have to vet not only the service that you want to use but also any related apps that you are using.  It also means that if other people are sharing your information (like nekkid selfies in the case of snapchat), you need to make sure that the other person is not doing something wrong.

Of course, in a sense, this is no different than what we have always had to do.  If you are sharing information with someone, you need to validate that the information will remain secure – to your level of comfort – on both ends.

In the situation where you are dealing with a regulated entity (like a bank or healthcare provider), you also have to keep the regulators happy.  They may start asking a new set of questions as a result of this breach.

In the case of the snapchat breach, you may just want to reconsider what you send to your friends.

Mitch Tanenbaum