A Pakistani hacker seems to have triggered panic in the Snapchat camp. He leaked the Snapchat source code and posted it on GitHub. The US messaging service’s proprietary source code has since been removed from GitHub, but the Pakistani hacker has warned that he would “post it again” if necessary.
Snapchat source code was on GitHub for more than two months
The hacker’s GitHub handle is i5xx, and according to GitHub his name is Khaled Alshehri. The name could easily be faked, considering the user has full control over what name he wants to display. His Twitter handle is @i5aald, and he is from the town of Tando Bago in the Sindh province of Pakistan.
The source code of the iOS @Snapchat app leaked on @Github. The repo has been taken down in a few minutes cc @iSn0we https://t.co/5LSZsbbO3Q
— Elliot Alderson (@fs0c131y) August 7, 2018
Khaled created a GitHub repository named Source-Snapchat for the developer community to look into. His commit history on GitHub suggests that it was posted in the second half of May, meaning the Snapchat source code had been online for more than two months before the US company noticed it.
The repository has been taken down, but its code was written in Objective-C. That indicates that the repository included either a small portion or the whole of Snapchat’s iOS app. The code was only about 21,000 lines for a total of 2MB, which strongly suggests that it was only a small part of the Snapchat source code.
The repository was taken down after Snap Inc submitted a DMCA request, which was published last week. The files will not be restored unless Pakistani hacker i5xx files a valid counter-claim. If you go to the repository link, it says, “Repository unavailable due to DMCA takedown.” GitHub publishes the takedown requests for the sake of transparency.
Snap Inc’s language in the DMCA request suggests that the company is panicked. The all-caps request stays as far away from legal terminology as possible.
The company has not issued an official statement on the matter yet. ValueWalk has reached out to Snap Inc for comment. We will update this post if and when we hear back from the tech company.
Pakistani hacker had no evil intentions
As it turns out, the Pakistani hacker didn’t have any evil intentions. He appears to be a security researcher who discovered a bug and wanted to report it, but couldn’t communicate with Snap Inc despite several attempts. The hacker said on Twitter, “we tried to communicate with you but did not succeed.”
The problem we tried to communicate with you but did not succeed
In that we decided
Deploy source code
I will post it again until you reply :) @snapchatsupport @Snapchat https://t.co/aB58eOjGLE
— خالد الشهري #الاسطورة (@i5aaaald) August 4, 2018
That’s quite surprising because security researchers who discover flaws in an app/website tend to report them on HackerOne. Snapchat is pretty active on HackerOne, and responds to most of the reports in less than 24 hours. In fact, the company has paid researchers more than $220,000 in bug bounties so far on HackerOne. Snap Inc rewards security researchers based on the severity of the issue.
Khaled Alshehri is not the only Pakistani hacker to have discovered bugs in the apps/websites of major US companies. Multan-based Shahmeer Amir is known to have discovered and reported serious flaws in Google, Facebook, Snapchat, Microsoft, and hundreds of other tech services.
In the last few years, Shahmeer Amir has earned hundreds of thousands of dollars in bounties for reporting bugs to giants like Google, Facebook, and Microsoft. At one point in 2015, he was the top hacker on HackerOne. Now Amir runs a company called Veiliux to help businesses large and small secure their apps/websites/services from notorious hackers.