doesn’t just make messages disappear after a period of time. It also
does the same to GitHubrepositories
— especially when they contain the company’s proprietary source code.
what happened? Well, let’s start from the beginning. A GitHub withthe
handle i5xx, believed to be from the village of Tando Bago in
Pakistan’s southeastern Sindh province, created a GitHub repositorycalled
the time of writing, the repo has been removed by GitHub followinga
DMCA request from Snap Inc(we’ll get to that
later), so we can’t take a closer look and see what it contains. That
said, there are a few clues to its contents.
repository has a description of “Source Code for SnapChat,” and is
written in Apple’s Objective-C programming language. This strongly
suggests that the repo contained part or whole of the company’siOSapplication,
although there’s no way we can know for certain. It could just as easily
be a minor component to the service, or a separate project from the
are two other clues to the identity of the person who published the
leaked Snapchat code.
to the i5xx GitHub account, his name is Khaled Alshehri. This should be
taken with a grain of salt, however. For starters, there’s nothing
stopping the user from listing a fake name. Furthermore, according to
several people TNWhas
spoken to, the surname “Alshehri” isn’t especially common in Pakistan.
profile also links to an online business in Saudi Arabia offering a
mixed bag of tech services, from security scanning andiCloudremoval,
to software development and the sale ofiTunesgiftcards.
days ago, GitHub published a DMCAtakedown
request from Snap Inc., although it’s likely the request was filed
much earlier. GitHub, like many other tech giantsincluding
Google, publishes information on DMCA takedown requests from the
perspective of transparency.
language used in the DMCA request is fascinating, and conveys a sense of
genuine panic in the organization, which in turn suggests that the
contents of the repository are legitimate. Rather than using formal
legal terminology, the request is predominantly written in all-caps.
the question “Please
provide a detailed description of the original copyrighted work that
has allegedly been infringed. If possible, include a URL to where it
is posted online,” the GitHub representative wrote:
SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO.
THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT
most fascinating part of this saga is that the leak doesn’t appear to be
malicious, but rather comes from a researcher who found something, but
wasn’t able to communicate his findings to the company.
to several posts ona
Twitter accountbelieved to belong to i5xx, the
researcher tried to contact SnapChat, but was unsuccessful.
problem we tried to communicate with you but did not succeed In that we
decided [sic] Deploy source code,” wrote i5xx.
account also threatened to re-upload the source code. “I will post it
again until you reply :),” he said.
what it’s worth, it’s pretty easy for security researchers to get in
touch with Snap Inc. The company hasan
active account on HackerOne, where it runs a bug bounty program,
and is extremely responsive.
to HackerOne’s official statistics, the site replies to initial reports
in 12 hours, and has paid out over $220,000 in bounties.
Inc explicitly says it rewards researchers based on severity. I’d
imagine that the company’s internal infosec team would regard leaked
source code as a fairly critical security problem.
other thing that’s especially interesting is that it seems as though the
source code remained online for a long period of time before it was
removed. I5xx’s commit history shows eighteen commits, all occurring
between May 23 and 24, and pertaining to the same repository.
I mentioned, GitHub published Snap’s takedown request four days ago.
That suggests that the repository was potentially online for over two
has reached out to Snap for comment. If we hear back from the company,
we’ll update this post.