
Snapchat workers snooped on users with internal tool

Snapchat’s 186 million users may be in for a rude awakening today after the revelation that multiple employees of the social media giant were able to abuse their power and snoop on members.

As Motherboard journalist Joseph Cox describes, current and former employees of Snap have described how an internal tool – which was only supposed to be used in response to valid law enforcement requests – was used by staff to access users’ saved photos and videos, and personal information such as phone numbers and email addresses.

The internal tool, called SnapLion, was originally designed to help law enforcement investigations, but has since become more widely used inside the company for purposes such as resetting passwords on hacked accounts. One former worker described it as “the keys to the kingdom” to Snapchat’s spam and abuse teams, security division, and operations teams.

Clearly the larger the number of staff who have access to such a tool, the greater the chance that one of them will be tempted to use it in an unauthorised way.

For that reason, companies like Snap should have systems in place to properly police tools such as SnapLion and ensure that they are only used in an appropriate and authorised fashion, and that proper logs are kept of usage.

According to an internal Snap email obtained by Motherboard, the risk of an insider abusing their access to data has been discussed by staff, and it is believed that more monitoring has been implemented in recent years.

In a statement given by Snap to Motherboard the company emphasised that if it discovered any employees had abused their privileges to spy on users they would be fired:

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”

Snapchat certainly wouldn’t be the first service to find itself making the headlines with claims that employees had snooped on users.

Back in 2016, it was claimed that Uber staff were able to track high profile politicians, ex-boyfriends and girlfriends, and even celebrities such as Beyoncé through a “God View” feature.

And in the early days of Facebook, an anonymous employee claimed that there had been a master password that could allow staff to log into any user’s profile using the password “Chu[k N0rr15”.

That backdoor into Facebook accounts no longer exists, but as recently as last year Facebook fired an employee who allegedly used the privileged access tools he had been given by the social network to stalk women online.

Whether you’re posting content and communicating on Snapchat or a different online site, it’s important to remember this: setting posts, photos and other information to “private” might mean that the general public and other users can’t see what you’ve posted, but it doesn’t necessarily make it private from the company that operates the service.

People are human. Humans sometimes do bad things. Services like Snapchat employ humans. And some of them have been given tools that can grant them access to your data.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment


  • Nowadays there's SO little decency (nor courtesy) anymore.
    From time to time, I long for my old days as a youngster!

    Yet, there is good news too IMHO: a newly created social media platform (which is on the brink of going public) that you may like if you value your privacy, and if you would like to be in control of what to share, and what not to share: https://twitter.com/howdooHQ

    As said – this is NOT yet live to the public, it will be within weeks from now. Check it out, of what it can do to your privacy-control, even up to your fully controlled monetization online.

    And YES: from genuine Brits, this project is… :)