Snapchat may not be popular in Pakistan, but that hasn’t stopped a hacker from swiping its source code and making it public.
According to a report by TheNextWeb, a GitHub user with the handle i5xx, from Tando Bago, Sindh, made a repository called Source-Snapchat. The repository is currently unavailable, thanks to Snapchat issuing a DMCA takedown request to GitHub, but there are still some things we can infer from it.
Its description read “Source Code for SnapChat”, and the repository contained code written in Apple’s Objective-C language. This points to the hacker dissecting part or all of the Snapchat iOS app. There’s no way to confirm this, as the repository isn’t available anymore.
Who Was He?
As to the identity of the hacker himself, the name associated with the i5xx account on GitHub is Khaled Alshehri. It could be a fake name for all we know, and the surname Alshehri isn’t common in Pakistan either.
i5xx’s profile also links to an online business in Saudi Arabia offering a bunch of tech services, including selling iTunes gift cards, scanning and removing iCloud, etc.
Here’s a screenshot of the site:
For all we know, he could be from the Middle East with a fake address on GitHub. None of this is confirmed yet, so take it with a grain of salt.
GitHub itself also posted the original DMCA takedown request from Snap Inc. around 4 days ago. However, the request was likely made earlier. GitHub, like Google and other tech giants, shares DMCA takedown requests for the sake of transparency.
The way Snap Inc. phrased the request is interesting, conveying a sense of panic at the company. This could mean that the source code posted by i5xx is, in fact, the real thing.
The request was made in informal/non-legal language and written in all caps. Here’s a screenshot:
Here’s where the story takes an interesting twist: the source code wasn’t leaked to demand a ransom or hush money. It came from a researcher who discovered something in the source code but wasn’t able to get in contact with Snapchat.
The “Hacker’s” Tweets
A Twitter account, believed to be the same person as i5xx on GitHub, made several posts on the social media platform trying to contact Snapchat, but he never got a reply.
— خالد الشهري #الاسطورة (@i5aaaald) August 4, 2018
In the tweet above, he threatened to keep re-uploading the source code until Snap Inc. replies.
Contacting Snapchat is not hard: the company has an active account on HackerOne, where it runs a bug bounty program and responds regularly.
HackerOne’s stats show that Snapchat typically replies within 12 hours and has paid $220,000 in bug bounties to date. Snap Inc. themselves say that they reward people based on the severity of the bugs or security issues.
One last thing to note here is that the code had been up on GitHub for quite some time before it got removed. i5xx made 18 commits, all to the same repository, between May 23rd and May 24th.
We’ve yet to see Snap Inc. officially respond to this situation; we’ll update this story as soon as the company responds.