Snapchat’s 186 million users may be in for a rude awakening today after the revelation that multiple employees of the social media giant were able to abuse their power and snoop on members.
As Motherboard journalist Joseph Cox reports, current and former employees of Snap have described how an internal tool – which was only supposed to be used in response to valid law enforcement requests – was used by staff to access users’ saved photos and videos, and personal information such as phone numbers and email addresses.
The internal tool, called SnapLion, was originally designed to help law enforcement investigations, but has since become more widely used inside the company for purposes such as resetting passwords on hacked accounts. One former worker described it as “the keys to the kingdom” to Snapchat’s spam and abuse teams, security division, and operations teams.
Clearly the larger the number of staff who have access to such a tool, the greater the chance that one of them will be tempted to use it in an unauthorised way.
For that reason, companies like Snap should have systems in place to properly police tools such as SnapLion and ensure that they are only used in an appropriate and authorised fashion, and that proper logs are kept of usage.
According to an internal Snap email obtained by Motherboard, the risk of an insider abusing their access to data has been discussed by staff, and it is believed that more monitoring has been implemented in recent years.
In a statement given by Snap to Motherboard, the company emphasised that if it discovered any employees had abused their privileges to spy on users, they would be fired:
“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”
Snapchat certainly wouldn’t be the first service to find itself making the headlines with claims that employees had snooped on users.
Back in 2016, it was claimed that Uber staff were able to track high-profile politicians, ex-boyfriends and girlfriends, and even celebrities such as Beyoncé through a “God View” feature.
And in the early days of Facebook, an anonymous employee claimed that there had been a master password that could allow staff to log into any user’s profile using the password “Chu[k N0rr15”.
That backdoor into Facebook accounts no longer exists, but as recently as last year Facebook fired an employee who allegedly used the privileged access tools he had been given by the social network to stalk women online.
Whether you’re posting content and communicating on Snapchat or a different online site, it’s important to remember this: setting posts, photos and other information to “private” might mean that the general public and other users can’t see what you’ve posted, but it doesn’t necessarily make it private from the company that operates the service.
People are human. Humans sometimes do bad things. Services like Snapchat employ humans. And some of them have been given tools that can grant them access to your data.
*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: https://hotforsecurity.bitdefender.com/blog/snapchat-workers-snooped-on-users-with-internal-tool-21266.html