Friday, 3 January 2014

Snapchat exposed

Snapchat, widely assumed to be a private messaging app for the iPhone, had some 4.6 million of its users exposed after hackers released a database of apparent Snapchat usernames paired with partial phone numbers.

The exploit that allowed the usernames and phone numbers to be harvested was reportedly brought to Snapchat months ago, to no avail.
On Christmas Day, ZDNet reported that Gibson Security, the group of hackers that discovered the exploit, notified Snapchat of the problem in August.
Gibson Security published a security advisory the same month after Snapchat did not respond or take action.
The exploit could have been fixed by “ten lines of code” and would have never appeared “if they followed best practices and focused on security (which they should be, considering the use cases of the app),” Gibson Security said.
In its Christmas release, Gibson Security also alleged that Snapchat’s statements to investors and the press are entirely false.
Two days after the Gibson Security release, the company downplayed the vulnerability and said it had “recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
Yet the database, known as SnapchatDB, was published publicly anyway (though the site was quickly suspended).
The hackers said they made the data available “in an effort to convince the messaging app to beef up its security,” according to Tech Crunch.
“It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal,” SnapchatDB said in a statement. “Security matters as much as user experience does.”
Even after the hackers found the exploit and notified Snapchat, the company put only minor hurdles in place.
“Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data,” the SnapchatDB release said. “Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists.”
The problem apparently remains unaddressed by the company, leaving millions of users exposed.
“It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent,” the hackers said.
One reader told Tech Crunch that he was able to find “his own number, that of several friends and Snapchat founder Evan Spiegel in the list.”
The SnapchatDB hackers told The Verge that they used a modified version of the exploit published by Gibson Security. Snapchat, then, had not actually patched the underlying problem.
“Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t,” the hackers said.
The SnapchatDB website has been taken down, but it is “not due to legal action,” according to the hackers.
The hackers are offering the uncensored database to some who ask for it, according to The Verge.
Concerned users can use a website by developer Robbie Trencheny to see if their username is included among the 4.6 million.
As of Wednesday morning, Snapchat had not replied to a request for comment from The Washington Post.
As Tech Crunch rightly notes, users should avoid being lulled into a false sense of security about the privacy of their information stored with Snapchat.