3
2013
Snapchat and Poke Messages Not So Private
Honestly, I knew little about Snapchat and only recently had begun to research Poke. The idea of message “self destructing” after 10 seconds or so sounded interesting, and as most of you know privacy is kind of a big issue to me (and beginning to be for many on the internet). The only problem is, they may not be so private. First problem I thought of, and at least they had as well, was screen captures of the images. Apparently if you do this on Snapchat, they will notify the original sender. It doesn’t stop you from doing the screenshot, but whoever sent it at least knows you did it (but they can’t stop you). Second was cache, and apparently that is the big problem Buzzfeed found as well. The following is from an interesting article on Buzzfeed about how it can be done (so if you don’t want somebody doing it to you, I would recommend not sending this to them).
The entire allure of Snapchat is that a photo or video sent through the service completely disappears after a few seconds; it’s even quickly deleted off of the company’s servers. And its ephemeral nature means it’s great for sending silly and unflattering images or videos of yourself that you’d otherwise never send.Or sexting. On the heels of Snapchat’s popularity, Facebook recently introduced a “Poke” app that functions almost identically.
But it turns out there’s a straightforward way to save videos sent with either service, breaking part of their promise: Both Snapchat and Poke locally store copies of videos sent to users, which are easily accessible with a free iPhone file browser. Here’s how it works:
Receive a video in Snapchat or Poke. Don’t open it!
Just tap to load it. Again, don’t open it.
Plug your iPhone into your computer, and open up an iPhone file browser like
iFunBox.
Navigate to the Snapchat folder. Open up the folder called “tmp.” For Facebook’s Poke, videos are stored a little deeper in the app’s files, in library/caches/fbstore/mediacard. Copy the videos to your computer. Critically, Snapchat’s videos remain in this folder even after they’re viewed; Poke videos appear to be deleted as soon as they’re viewed. Photos don’t show up, at least not in any place we checked.
For Poke, there are a few more folders you have to open to get your videos:
Look at the all videos you’ve received, over and over and over again.
While screenshots of photos and videos can be taken in both Poke and Snapchat, the sender is alerted if the recipient takes one — but the sender has no such warning if their videos are copied.
When I asked Snapchat founder Evan Spiegel if Snapchat is aware of this exploit and plans on fixing it, he said, “The people who most enjoy using Snapchat are those who embrace the spirit and intent of the service. There will always be ways to reverse engineer technology products — but that spoils the fun!” [Ed. note: I’d point out that using a free iPhone file browser that doesn’t even require jailbreaking is hardly “reverse engineering.”] Snapchat recently patched a much more obvious exploit in Android that saved unwatched videos in the phone’s gallery application. Facebook has not responded to a request for comment as of publication time.
Of course, the average user of Snapchat or Poke isn’t going to use this method to save videos. However, users should be aware that their data on services like Snapchat and Poke isn’t as private as they think it might be. And a few motivated users will certainly take advantage of the loophole that’ll let them save the kind of videos that were never intended to last more than a few seconds.
Update: Facebook tells BuzzFeed FWD: “Thanks for reaching out, and we are addressing this issue now. We should have a fix pushed shortly.
Keep in mind, not only does Snapchat have similar issues but also, similar to screenshots, for the time being cached video files can be captured while using Poke before the receiver views the file.”
The company also provided this statement:
Poke is a fun and easy way to communicate with your friends and is not designed to be a secure messaging system. While Pokes disappear after they are read, there are still ways that people can potentially save them. For example, you could take a screenshot of a photo, in which case the sender is notified. People could also take a photo of a photo you sent them, or a video of a video, with another camera. Because of this, people should think about what they are sending and share responsibly.