More security flaws found in Snapchat, Poke

The privacy woes of the so-called “safe” self-destructing messaging apps just don’t seem to end. It now seems that Snapchat had so far inadvertently exposed its users’ email addresses till last week.

The Sydney Morning Herald reported that while the bug was still active, it put users’ anonymity at risk. Many users have usernames completely unrelated to their identity, but some have used their own email ids to sign up for the service, putting them at risk.

It is also possible to view who a user has been chatting with on Snapchat using a browser. One needs to simply type in the username after the Snapchat URL and a slash to view who the user has been interacting with most.

More from News & Analysis

What is the US HIRE Bill and why is India’s $250-billion IT sector worried? Is the internet dead? What's this theory that OpenAI's Sam Altman says might be true?

Not so safe after all?

The Herald explained that it was easy to discover a user’s e-mail address simply by using the app. A person with malicious intent merely needs to enter a username without a password and try to log in to make the app prompt him or her for a password reset. The user’s e-mail id then pops up on the screen, putting the user’s privacy at risk.

A report in the Business Insider too reported that the recently launched Facebook ‘Poke’ app too was not foolproof when it comes to safely sending private messages and images to friends. According to the report, the images merely disappear from the app but can be retrieved up to 90 days later.

Poke, like competitor Snapchat, deletes images and messages within seconds of receivers reading the messages. Here’s how Facebook describes the app, “With the Poke app, you can poke or send a message, photo, or video to Facebook friends to share what you’re up to in a lightweight way. You can poke an individual friend or several at once. Each message expires after a specific time you’ve set, either 1, 3, 5 or 10 seconds. When time runs out, the message disappears from the app.”

The report cited the source as saying that while the images were deleted completely from the app, they could still be retrieved. “All Poke messages are stored in encrypted form and retained for two days after the last recipient receives the poke—a process that helps facilitate abuse reporting. After that period, a Poke’s encryption key is deleted. However, it may still be possible for Facebook to recover that key from logs or backups. After a fixed time period, this key becomes inaccessible, rendering the content completely unreadable, unless it was copied for abuse reporting. Today, that fixed period can be up to 90 days, but we are working to significantly reduce that period over the next several weeks as we verify the stability of the Poke deletion system,” said the source.

Last week, it came to light that messages received by both Poke and Snapchat could be saved using a folder browser connected to a computer. Another easier way to save images from chats is to take a screenshot, but both the apps notify the sender when you do that.

A spokesperson from Facebook and Snapchat founder Evan Spiegel agreed that their apps were not intended to be a secure messaging system and was supposed to be a fun way to communicate with friends.