Within the past few days, we’ve seen a few large-scale leaks take place.
On Monday, hackers claimed to have stolen nearly 7 million usernames and passwords from popular cloud storage service Dropbox. A few days before that, hackers also claimed to have obtained about 100,000 photos from messaging app Snapchat.
Both companies have said these leaks are the result of third-party apps that work with these services. In other words, both Snapchat and Dropbox are saying that their respective servers have not been breached. Instead, hackers have reportedly intercepted data from other apps that integrate with their services.
The truth is, there are probably tons of different ways hackers could have accessed this data. But one security researcher provided some clarity as to why using third-party apps with any popular service, whether it be Dropbox, Snapchat, Facebook, or Twitter, can be dangerous.
According to Shaun Murphy, CEO of Internet security firm PrivateGiant, it’s not very difficult for developers to request access to features from a popular app like Dropbox. The developer would send a request to Dropbox asking for a specific permission, such as the ability to put files into Dropbox from his or her app, but not read them. Then, Dropbox would grant that developer a key, which would allow the developer to integrate the proper code into his or her app.
The tricky part, however, is that a developer could inject malicious code into the app before it’s published in an app store, Murphy said. A company like Dropbox could then revoke access from that app, but the app would have to be discovered to be doing something dangerous first.
A big company like Dropbox or Twitter may not even be aware of the fact that an app is using its services for a malicious purpose.
“The security measures are there,” Murphy told Business Insider. “But it’s going to be delayed.”
The real problem, according to Murphy, is that companies don’t always add proper security features before pushing out new updates.
“They build a lot of functionality, get it out as fast as they can, and don’t always think about security and privacy,” Murphy said. “Had they built in features, such as no data leaves your phone unencrypted, only you and Dropbox would be able to decode [your files]. That would be a very strong [move] for companies to do.”
On its security page, Dropbox says it “uses modern encryption methods to both store and transfer your data.” But that doesn’t mean every app you integrate with Dropbox features the same level of security.
“You don’t know what’s happening behind the scenes,” Murphy said. “At any point in time you send something through the app, that app can do anything it wants to it before it sends it through to Dropbox. And you would never know.”
This could include making a duplicate of the file before transferring it to its destination.
“You’re trusting the application to send it directly to Dropbox,” Murphy said. “You’re giving it the keys to the kingdom.”
Jaun Andres Guerrero-Saade, a senior security researcher at antivirus software firm Kaspersky Labs, agrees with Murphy.
“Consumers don’t really realise how much trust is going into using services like these,” Guerrero-Saade told Business Insider. “Once you get into third-party territories, all bets are off. You don’t really know who’s running this third-party Snapchat storage service.”
It’s unclear exactly how hackers managed to get ahold of millions of login credentials for Dropbox and personal photos from Snapchat. In the case of the Dropbox hack, at least part of it could be attributed to users re-using the same passwords for multiple accounts. Still, understanding how it may have happened could prompt users to be more careful in the future.
“If you’re using the same login credentials or granting access to untrustworthy apps, then you’re actually violating the security model that these companies have put in place,” Guerrero-Saade said. “I wouldn’t necessarily put the blame [for these hacks] on the user, but they may be missing an opportunity to protect themselves.”