
Snapchat Source Code GitHub Leak Caused by Bad iOS Update - koin0r
https://sensorstechforum.com/snapchat-source-code-leak-github/
======
mnx
This article is not very information rich, but one thing is clear: this is not
a github leak, the code was just posted to github by whoever got access to it.
So the headline is pretty misleading.

~~~
icedchai
Okay. So the code was "leaked" _on_ Github. How is the headline misleading?

~~~
torstenvl
The headline is misleading because it implies the source code was already on
GitHub.

If the source was not already on GitHub, then a "GitHub Leak" of that source
could not possibly be _caused_ by a software error.

~~~
icedchai
It doesn't imply that to me.

~~~
_r_o_y_
Just by reading the title my first thought was somehow an iOS update caused a
bug in GitHub that led to the source code leaking.

~~~
asdkhadsj
I figured the iOS bug somehow leaked credentials that gave access to GitHub.

Regardless, many of us agree that the title suggests GitHub as a central role
to the leak. If, as other commenters say, it was just used as a file host... it
doesn't belong in the title imo. It's just there to pull in more views. It may
as well have been Piratebay.

------
p410n3
The DMCA request reads like it's written by a 14 year old. ALL CAPS. LEAKED
SOURCE: TAKE DOWN PLOX

~~~
neuralk
Exactly what I was wondering about -- couldn't illegitimate DMCA requests be an
attack vector to shut down a public GitHub repo temporarily? There wasn't much
to the quoted DMCA request.

Edit: I'm guessing there's enough in the redacted part of the notice to prove
SC's identity. But I think the question of DMCA abuse remains.

~~~
threesquared
This happened to the SickRage project a while ago when a developer was not
happy about the project being forked. The repositories were down for some
time.

[https://www.reddit.com/r/sickrage/comments/6oep02/false_dmca...](https://www.reddit.com/r/sickrage/comments/6oep02/false_dmca_request_has_taken_our_repos_down/)

~~~
jenscow
So, a developer of software geared towards piracy issues DMCA against OSS.
_face palm_

------
mediocrejoker
No explanation on _how_ a bad iOS update leaked source code? Can't imagine
Apple is too happy to be blamed for this with no details.

~~~
cnowacek
I'm guessing that somehow a chunk of their source code got marked as "copy to
the bundle" from within the project's build phase. One scenario I could think
of this happening is a bug in a custom build script that was intended to copy
other resources (images, sounds, etc.) to the bundle and copied an unintended
directory containing the leaked source code as well.
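The scenario above (a copy phase that drags a whole source directory into the bundle) is exactly the kind of thing a pre-release check can catch before the build ships. The script below is an added example, not code from the thread, from Snap or from Apple: it walks a built directory bundle (or the `Payload/<App>.app` tree inside an `.ipa` zip) and flags files with source-code extensions, stray debug-symbol bundles, and PEM private-key material. The `Example.app` layout and file contents are constructed for the demonstration.

```python
"""Pre-release bundle check: did the build copy anything into the app that
should never ship? Added example with a constructed sample bundle."""
import os
import tempfile
import zipfile

# File kinds that have no business inside a compiled app bundle.
SOURCE_EXTENSIONS = {".m", ".mm", ".h", ".swift", ".c", ".cc", ".cpp", ".pbxproj"}
DEBUG_EXTENSIONS = {".pdb"}
KEY_MARKERS = [
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
]


def classify(relpath, data):
    """Return a finding kind for one bundle file, or None if it looks fine."""
    ext = os.path.splitext(relpath)[1].lower()
    parts = [p.lower() for p in relpath.split("/")]
    if ext in SOURCE_EXTENSIONS:
        return "source"
    # A .dSYM is a directory bundle, so it shows up as a path component.
    if ext in DEBUG_EXTENSIONS or any(p.endswith(".dsym") for p in parts):
        return "debug-symbols"
    if any(marker in data for marker in KEY_MARKERS):
        return "private-key"
    return None


def scan_bundle(bundle_root):
    """Scan a directory bundle; returns sorted (kind, bundle-relative path) pairs."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(bundle_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, bundle_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                kind = classify(rel, fh.read())
            if kind:
                findings.append((kind, rel))
    return sorted(findings)


def scan_ipa(ipa_path):
    """Same check over a packaged .ipa (a zip with Payload/<App>.app inside)."""
    findings = []
    with zipfile.ZipFile(ipa_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify(info.filename, zf.read(info))
            if kind:
                findings.append((kind, info.filename))
    return sorted(findings)


def build_sample():
    """Constructed sample: a bundle whose copy phase pulled in a source tree
    and a push-notification private key. Returns (app_dir, ipa_path)."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Example.app")
    files = {
        "Info.plist": b"<plist/>",
        "Example": b"\xcf\xfa\xed\xfe",  # stand-in for the Mach-O binary
        "Resources/icon.png": b"\x89PNG",
        "Resources/Sources/Camera/SCCameraView.m": b"// constructed source\n",
        "Resources/Sources/Camera/SCCameraView.h": b"// constructed header\n",
        "Resources/push.pem": b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n"
                              b"-----END RSA PRIVATE KEY-----\n",
    }
    for rel, data in files.items():
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    ipa = os.path.join(root, "Example.ipa")
    with zipfile.ZipFile(ipa, "w") as zf:
        for rel in files:
            zf.write(os.path.join(app, rel), "Payload/Example.app/" + rel)
    return app, ipa


if __name__ == "__main__":
    app_dir, ipa_file = build_sample()
    for kind, path in scan_bundle(app_dir):
        print(f"{kind:14s} {path}")
    print("ipa findings:", len(scan_ipa(ipa_file)))
```

Wired into CI, a non-empty findings list fails the build; the extension and marker lists are deliberately small and should be extended to whatever a given project actually keeps next to its resources.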

------
curiousgal
[https://twitter.com/i5aaaald/status/1025563719877709825](https://twitter.com/i5aaaald/status/1025563719877709825)

> _The problem is that we tried to communicate with you but to no avail. The
> source code has been published on Github and I will publish it again until
> we get a response._

~~~
dylz
Ah, it's an extortion attempt. Sad.

~~~
Rjevski
Couldn't have happened to a nicer company.

~~~
Gigablah
This says more about you than the company.

------
peterkelly
The user mentioned in the DMCA notice has a second repository containing what
appears to be SnapChat source code, which _hasn't_ been taken down.

It's been forked 49 times so far.

~~~
netsharc
But forking on Github is useless, if the parent project gets memory-holed,
your fork will disappear too.

But git is a distributed version control system, so git clone before the
takedown would help.

~~~
joshribakoff
Off topic but that would be pretty bad if you forked code and did significant
work for years only for it to randomly disappear overnight.

~~~
asdkhadsj
Yea I didn't know that this would happen. If I fork a repo and plan on
maintaining it myself, I guess I have to fully clone it, removing the fork.

~~~
rpeden
It doesn't happen: [https://help.github.com/articles/what-happens-to-forks-when-a-repository-is-deleted-or-changes-visibility/](https://help.github.com/articles/what-happens-to-forks-when-a-repository-is-deleted-or-changes-visibility/)

If you fork a public repo and the original is deleted, your fork survives.

~~~
mook
It has previously happened, in the special case of repos GitHub removed (like
DMCAed ones). That is a different case from the original repo owner removing
it voluntarily.

------
xevb3k
I’m confused, did they somehow just include the source code in the app bundle?
As a resource perhaps? Or can source code leak into the app through some other
vector?

~~~
akerro
Once I was hacking an android app to get free coupons. After some
investigation I found out they decided to generate the same coupon for
n customers; the coupons were changed every day, and the coupon was based on the
MD5 or SHA1 of a generated deterministic value (based on customer ID and date).
There were 32k possible coupons per day. The app was checking if the account and
coupon were valid on their server, but it was always valid as they used the same
algorithms in the app and on the server... The core of the application was
written in C#, launched by Mono on Android.

Java was compiled correctly with ProGuard (code obfuscator), but the C# code was
compiled in debug mode. C# in debug mode keeps variable/class/method names as
they are in the source code, leaves comments in the binary, and the binary file
is bigger and slower. You can decompile it to compilable source code, literally.

I managed to get the incorrectly protected secret key (they used GPG to encrypt
JWT to the server lol), later I managed to RE their API and make my own app with
identical UI and working coupons. This allowed me to get free coupons every
day for almost the next 2 years. There were several updates in Google Play since
then, but they haven't changed the logic or anything, the app is still in
debug mode and anyone can use it. What is interesting, they also have an app for
iOS which is not in debug mode. Consistency is the key.

After I stopped using their services, I checked their ToS that you have to
accept before registering, and they prohibit app decompilation, but I never
registered and never read the ToS before, so it's OK for me ;) I wanted to report
the problem but they have literally no contact information; I spent a few
hours trying to find their contact details, Twitter dead since 2014, no
contact@ email, no contact form on the website... nothing.

Lesson for you: check if your apps are correctly compiled and secrets
protected; there are tools for it. In my previous company we had a Jenkins job
to test it before release.
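The design flaw in the story is that the coupon is a deterministic function the app itself can evaluate, so the server's "check" only confirms the client ran the same arithmetic. The block below is an added example, not the app akerro describes or its real code: the weak scheme follows the comment only in outline (a hash of customer ID and date that both sides recompute), and the field names, the `CouponServer` store and the keyed variant are assumptions for illustration. Two hardened shapes are shown: server-issued random single-use tokens, and, where the server must stay stateless, a keyed MAC whose key never leaves the server.

```python
"""Coupon validation: a client-computable scheme beside two server-side ones.
Added example; names and the server-side store are constructed."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta


# ---- Weak design: the algorithm is the only secret, and the app ships it. ----
def weak_coupon(customer_id: int, day: date) -> str:
    """Deterministic coupon: anyone holding the app binary can reproduce it."""
    material = f"{customer_id}:{day.isoformat()}".encode()
    return hashlib.sha1(material).hexdigest()[:8]


def weak_validate(customer_id: int, day: date, coupon: str) -> bool:
    # The server recomputes the same function, so a coupon produced outside
    # the app is indistinguishable from one the app produced.
    return hmac.compare_digest(weak_coupon(customer_id, day), coupon)


# ---- Hardened design 1: server issues unguessable, single-use tokens. ----
class CouponServer:
    """Tokens are random, bound to a customer, expire, and can be redeemed once."""

    def __init__(self):
        self._issued = {}  # token -> record; a real service would use a database

    def issue(self, customer_id: int, today: date) -> str:
        token = secrets.token_urlsafe(16)
        self._issued[token] = {
            "customer": customer_id,
            "expires": today + timedelta(days=1),
            "redeemed": False,
        }
        return token

    def redeem(self, customer_id: int, token: str, today: date) -> bool:
        rec = self._issued.get(token)
        if rec is None or rec["customer"] != customer_id:
            return False
        if today > rec["expires"] or rec["redeemed"]:
            return False
        rec["redeemed"] = True  # burn it so a captured token cannot be replayed
        return True


# ---- Hardened design 2: stateless, but keyed with a server-only secret. ----
SERVER_KEY = secrets.token_bytes(32)  # assumption: lives only on the server


def keyed_coupon(customer_id: int, day: date, key: bytes = SERVER_KEY) -> str:
    """HMAC over the same material; without the key the client cannot forge it.
    Still replayable within the day unless redemptions are also tracked."""
    material = f"{customer_id}:{day.isoformat()}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:16]


def keyed_validate(customer_id: int, day: date, coupon: str,
                   key: bytes = SERVER_KEY) -> bool:
    return hmac.compare_digest(keyed_coupon(customer_id, day, key), coupon)


if __name__ == "__main__":
    today = date(2018, 8, 7)
    print("weak coupon for customer 42:", weak_coupon(42, today))
    srv = CouponServer()
    tok = srv.issue(42, today)
    print("first redeem:", srv.redeem(42, tok, today), "second:", srv.redeem(42, tok, today))
    print("keyed coupon validates:", keyed_validate(42, today, keyed_coupon(42, today)))
```

The point of the two hardened variants is that nothing the app holds lets it produce a valid coupon; the stateful token store is the safer default because it also gives single use and per-customer binding for free, while the keyed variant trades those for a stateless server.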

~~~
SmellyGeekBoy
This sounds like fraud, is it wise to be admitting to this publicly?

~~~
akerro
No, but it's a great story on how not to make apps with coupons. I've learnt a
lot from it and you can too. Just look at the bigger picture of it: how many
antipatterns they implemented and how many things they did wrong.

------
Raphmedia
Did anyone here take a look at the source? Anything we should be worried
about?

~~~
chedabob
It wasn't very exciting. It was only a tiny fraction of the whole source. Some
UI controls, some headers for the lens engine and their job system.

~~~
Roland0ull
So this is not quite a big deal. Others do share the code for free to go in
wide open.

------
Drdrdrq
What is the effect of this? Apart from some security through obscurity
measures that might now be useless, what could the worst negative effect of
this be? I can't imagine it could hurt Snapchat.

~~~
seren
Same potential damages from source code leaks: revealing secret projects in the
roadmap, security or privacy malpractices, lack of respect for SW licenses.

~~~
_r_o_y_
Yeah definitely the SW licenses as SnapChat is mainly US so there probably
won't be any real repercussions related to privacy.

------
snehesht
[https://twitter.com/x0rz/status/1026735377955086337](https://twitter.com/x0rz/status/1026735377955086337)

------
driverdan
If you're interested in it you can find other repos by searching Github for
Source-SnapChat and Source-SCCamera.

------
welder
I find it strange their app is all Objective-C and no Swift.

~~~
stefanfisk
AFAIK neither does Spotify. Swift is nicer in a lot of ways, but it is still
not as safe a bet as objc for large projects.

------
apostacy
This is a case of the Streisand Effect[1] in action.

If anyone is really curious, it is called Source-SnapChat and it is all over
Github.

Github is going to have to mass delete these mirrors, and prevent anyone from
re-committing it anywhere. Snapchat sending DMCAs is not going to be enough.

[1]: [https://en.wikipedia.org/wiki/Streisand_effect](https://en.wikipedia.org/wiki/Streisand_effect)

~~~
nathancahill
When specific repos are blacklisted on GitHub, they have a system that
automatically flags uploaded forks. Not sure if/why they haven't blacklisted
this codebase yet.

------
burger_moon
Is it weird that all of their methods start with SC? I guess we do that a
little bit for the product I work on but it's also just one product in a much
larger company and part of an entire platform. Snap is just snap.

~~~
bradenb
This is pretty common for Objective-C, I believe.

------
Bromskloss
Well, what is the verdict? Was there anything interesting in the source code?
Does having it publicly available matter at all?

