A GitHub user who goes by i5xx, believed to be from Pakistan, has created a GitHub repository titled simply Source-Snapchat. It has since been removed from GitHub due to a “DMCA request” from Snap Inc, so unfortunately I have not been able to poke my nose around it and see what exactly it contained.
What we do know is that the repository was written in Apple’s Objective-C programming language, which suggests that it contained at least a part of the company’s iOS application, but there’s no way to be completely sure.
Now, the DMCA takedown request made by Snap Inc is funny and raises some serious questions at the same time. Mind you, it came written in all-caps and completely devoid of formality; to the question of “Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online,” the representative in charge of the DMCA takedown request wrote:
“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.”
You can see the exchange in the screenshot below:
The identity of the i5xx user is still a mystery, but according to a few Twitter posts from an account that is believed to belong to this interesting character, the researcher did try to contact Snapchat, unsuccessfully. Since that did not work, he threatened to re-upload the code until someone gets in touch.
Snap Inc. is notoriously easy to get in touch with though: the company runs a bug bounty program and, according to HackerOne’s official statistics – where the company has an active account – it has, so far, paid out over $220,000 in bounties.
Another piece to add to this weird puzzle is the fact that the source code seems to have been online for a very long time before it was finally removed: the commit history of the i5xx user shows eighteen commits, made between May 23 and 24, all to the same repository. This means the repository of wonders in question had been online for a bit over two months.
The company’s internal info security team is probably having a field day with this issue and not in a fun way!
So far, Snap Inc has not made any official comments pertaining to the issue.