64 comments

[ 3.3 ms ] story [ 132 ms ] thread
This article is not very information rich, but one thing is clear: this is not a github leak, the code was just posted to github by whoever got access to it. So the headline is pretty misleading.
Okay. So the code was "leaked" on Github. How is the headline misleading?
The headline is misleading because it implies the source code was already on GitHub.

If the source was not already on GitHub, then a "GitHub Leak" of that source could not possibly be caused by a software error.

It doesn't imply that to me.
Just by reading the title my first though was somehow a iOS update caused a bug in GitHub that led to the source code leaking.
I figured the iOS bug somehow leaked credentials that gave access to GitHub.

Regardless, many of us agree that the title suggests GitHub as a central role to the leak. If, as other commenters say, it was just used as a file host.. it doesn't belong in the title imo. It's just there to pull in more views. It may as well been Piratebay.

The fact that it’s ambiguous is itself misleading. Typical headlines.
Cause probably many people (including me) assumed that "Github leak caused by bad ios" was the reason why snapchat's code was leaked.
Github has private repos for customers. When I first read the title I assumed it had something to do with breaking into one of those.
The DMCA request reads like its written by a 14 year old. ALL CAPS. LEAKED SOURCE: TAKE DOWN PLOX
Exactly what I was wondering about -- couldnt illegitimate DMCA requests be an attack vector to shut down a public GitHub repo temporarily? There wasn't much to the quoted DMCA request.

Edit: I'm guessing there's enough in the redacted part of the notice to prove SC's identity. But I think the question of DMCA abuse remains.

(comment deleted)
Actually it could be and it is sometimes abused. You don't need to proof that you are the copyright holder to submit the request. Companies tend to err on the side of removing things to make sure they don't become liable for copyright violation.
That happened before on other platforms, I know about steam and its workshop in particular.
it's so comically bad that I think it was written by the leaker (i5aaaald/i5xx) himself, as a way to get extra publicity via the streisand effect. there's no way that snapchat doesn't have lawyers to write a proper request.
The user mentioned in the DCMA notice has a second repository containing what appears to be SnapChat source code, which hasn't been taken down.

It's been forked 49 times so far.

(comment deleted)
But forking on Github is useless, if the parent project gets memory-holed, your fork will disappear too.

But git is a distributed version control system, so git clone before the takedown would help.

We can't know how many people cloned it, but we can guess that most of the people who forked it also cloned it.
Off topic but that would be pretty bad if you forked code and did significant work for years only for it to randomly disappear overnight
That's why you should always keep clones of your repositories hosted by a third party.
Yea I didn't know that this would happen. If I fork a repo and plan on maintaining it myself, I guess I have to fully clone it, removing the fork.
You're not doing work for years that lives solely on GitHub - it's cloned onto your local storage and the GitHub deletion does not affect your local copy.
GitHub might go and delete all the forks in this case, but that's not what happens in general. Normally on GitHub, if a public repo is deleted or made private, all of the forks survive [1].

I'm not trying to nitpick or be a jerk; I just wanted to point this out because I think that forking in general on GitHub is less useless than you imply.

[1] https://help.github.com/articles/what-happens-to-forks-when-...

What is the effect of this? Apart from some security through obscurity measures that might now be useless, what could the worst negative effect of this be? I can't imagine it could hurt Snapchat.
(comment deleted)
Same potential damages from source code leaks : revealing secret projects in roadmap, security or privacy malpractices, lack or respect of SW licenses.
Yeah definitely the SW licenses as SnapChat is mainly US so there probably won't be any real repercussions related to privacy.
You can probably scavenge code looking for possible leaks and attack vectors. Plus (I didn't check the code) you can find some tokens/salts/whatever used internally, or new features already there and hidden, a/b tests, etc....
Don't these guys have a super-secretive work culture? Like, you can't even ask what your colleague from another building is currently working on. I'd imagine they'd be very displeased with this leak, and somebody probably got fired.
I’m confused, did they somehow just include the source code in the app bundle? As a resource perhaps? Or can source code leak into the app through some other vector?
Once I was hacking an android app to get free coupons. After some investigation I found out they decided to generate the same coupon for n-customers, the coupons were changed every day, the coupon was based on MD5 or SHA1 of generated deterministic value (based on customer ID and date). There were 32k possible coupons per day. App was checking if the account and coupon is valid on their server, but it was always valid as they used the same algorithms in the app and on server... The core of the application was written in C#, launched by Mono on Android.

Java was compiled correctly with ProGuard (code obfuscator), but C# code was compiled in debug mode. C# in debug mode keeps variable/class/method names as they are in source code, leaves comments in the binary, binary file is bigger and slower. You can decompile it to compilable source code, literally.

I managed to get incorrectly protected secret key (they used GPG to encrypt JWT to server lol), later I managed RE of their API, make my own app with identical UI and working coupons. This allowed me to get free coupons every day for next almost 2 years. There were several updates in Google Play since then, but they haven't changed the logic or anything, the app is still in debug mode and anyone can use it. What is interesting, they have also app for iOS which is not in debug mode. Consistency is the key.

After I stopped using their services, I checked their ToS that you have to accept before registering and they prohibit app decompilation, but I never registered and never before read ToS, so it's OK for me ;) I wanted to report the problem but they have literally no contact information, I spent a few hours trying to find their contact details, Twitter is dead since 2014, no contact@ email, no contact form on website... nothing.

Lesson for you: check if your apps are correctly compiled and secrets protected, there are tools for it. In my previous company we had a Jenkins job to test it before release.

This sounds like fraud, is it wise to be admitting to this publicly?
No, but it's great story on how not to make apps with coupons. I've learnt a lot from it and you can too. Just look at the bigger picture of it how many antipatterns they implemented and how many things they did wrong.
> Lesson for you: check if your apps are correctly compiled and secrets protected

And remember: no matter how well you think you have protected the secret, if it is in the client-side application then someone will be able to find it if they want to enough. It must be unpackable by your local code so it must be unpackable by someone who can unpack and understand that code.

Even if they used proguard or similar stuff, if they're putting the full code for that check client side they're dead in the water. People have been cracking obfuscated stuff forever and there's plenty of tooling to make it easier.

Honestly, it seems so stupid that their best defense is probably that no cracker even thought to check.

Wait so they shipped the mono runtime with the app? Is this some kind of bloat contest?
> no contact@ email

Every Play Store app has a contact email in the listing.

Did anyone here take a look at the source? Anything we should be worried about?
It wasn't very exciting. It was only a tiny fraction of the whole source. Some UI controls, some headers for the lens engine and their job system.
So this is not quite a big deal. Others do share the code for free to go in wide open.
(comment deleted)
I wish we could see why such a seemingly simple app is 300 MB.
On a side note, does anyone know why the app is 300 MB? Seems excessive for what is essentially a photo viewer.
(comment deleted)
This is a case of the Streisand Effect[1] in action.

If anyone is really curious, it is called Source-SnapChat and it is all over Github.

Github is going to have to mass delete these mirrors, and prevent anyone from re-commiting it anywhere. Snapchat sending DMCAs is not going to be enough.

[1]: https://en.wikipedia.org/wiki/Streisand_effect

When specific repos are blacklisted on GitHub, they have a system that automatically flags uploaded forks. Not sure if/why they haven't blacklisted this codebase yet.
No explanation on _how_ a bad iOS update leaked source code? Can't imagine Apple is too happy to be blamed for this with no details.
I'm guessing that somehow a chunk of their source code got marked as "copy to the bundle" from within the project's build phase. One scenario I could think of this happening is a bug in a custom build script that was intended to copy other resources (images, sounds, etc.) to the bundle and copied an unintended directory containing the leaked source code as well.
If you're interested in it you can find other repos by searching Github for Source-SnapChat and Source-SCCamera.
I find it strange their app is all Objective-C and no Swift.
AFAIK neither does Spotify. Swift is nicer in a lot of ways, but it is still not as safe a bet as objc for large projects.
Is it weird that all of their methods start with SC? I guess we do that a little bit for the product I work on but it's also just one product in a much larger company and part of an entire platform. Snap is just snap.
This is pretty common for Objective-C, I believe.
Well, what is the verdict? Was there anything interesting in the source code? Does having it publicly available matter at all?