20131225-SnapChat

4.6 Million SnapChat users compromised

In late December 2013 it appears that 4.6 million SnapChat users had their names and phone numbers disclosed. For a brief time the entire database of compromised information was available to the public. The “find friends” exploit used had been disclosed to the company months before, but the security gap had not been fixed.

Gibson Security notified SnapChat in August 2013. In December, after no response, Gibson Security published a public security advisory. Gibson wrote that the security hole could have been fixed with ten lines of code:

“[Snapchat could have fixed this] by adding rate limiting; Snapchat can limit the speed someone can do this, but until they rewrite the feature, they’re vulnerable. They’ve had four months, if they can’t rewrite ten lines of code in that time they should fire their development team. This exploit wouldn’t have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app).”

Another security problem was the “Bulk Registration” exploit, which could allow the unauthorized creation of thousands of accounts, all of which could be a source of spam or could be used to inflate the reported number of SnapChat users. Considering Facebook wanted to buy SnapChat for an estimated 3 billion dollars in November 2013, even non-financial information has material value.
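The fix Gibson Security called for is a per-account rate limit on the Find Friends lookup. The following is an added example written for this page, not Snapchat's or Gibson Security's code: a sliding-window limiter keyed on the calling account, replayed over a constructed request stream in which one account behaves normally and another fires a burst of lookups. The class and function names, the limit of 10 lookups per 60 seconds, and the sample traffic are all assumptions.

```python
from collections import defaultdict, deque


class LookupRateLimiter:
    """Sliding-window limiter: at most `max_requests` allowed lookups per
    account within any `window_seconds` interval (limit values are assumptions)."""

    def __init__(self, max_requests=10, window_seconds=60.0):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        # account -> timestamps of lookups that were allowed inside the window
        self._allowed = defaultdict(deque)

    def allow(self, account, now):
        """Return True if this lookup may proceed, False if it is throttled."""
        stamps = self._allowed[account]
        cutoff = now - self.window_seconds
        # Drop timestamps that have fallen out of the window.
        while stamps and stamps[0] <= cutoff:
            stamps.popleft()
        if len(stamps) >= self.max_requests:
            return False
        stamps.append(now)
        return True


def simulate(requests, limiter):
    """Replay (timestamp, account) tuples through the limiter and return
    {account: (allowed_count, throttled_count)}; throttled calls are the
    events a defender would alert on."""
    tally = defaultdict(lambda: [0, 0])
    for ts, account in requests:
        if limiter.allow(account, ts):
            tally[account][0] += 1
        else:
            tally[account][1] += 1
    return {account: tuple(counts) for account, counts in tally.items()}


# Constructed sample traffic (not real data): "alice" performs three lookups
# over a minute; "bulk_account" issues 50 lookups within five seconds.
SAMPLE_REQUESTS = [(0.0, "alice"), (20.0, "alice"), (55.0, "alice")]
SAMPLE_REQUESTS += [(i * 0.1, "bulk_account") for i in range(50)]
SAMPLE_REQUESTS.sort()


if __name__ == "__main__":
    result = simulate(SAMPLE_REQUESTS, LookupRateLimiter(max_requests=10, window_seconds=60.0))
    for account, (allowed, throttled) in sorted(result.items()):
        print(f"{account}: {allowed} allowed, {throttled} throttled")
```

With these assumed limits the normal account is never throttled, while the bursting account gets its first ten lookups through and the remaining forty rejected; in a real deployment the rejection counter is also the signal worth feeding to monitoring, since a sustained run of throttled lookups from one account is what enumeration looks like from the server side.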

To check your SnapChat id via Gibson Security’s Lookup:
http://gibsonsec.org/lookup


August 2013 Gibson Security Advisory provided to SnapChat
http://gibsonsec.org/snapchat/
11/15/2013 The 3 Billion Dollar valuation
http://www.forbes.com/sites/benjaminboxer/2013/11/15/two-unrealistic-ways-to-arrive-at-a-3-billion-plus-valuation-of-snapchat/
12/25/2013 Security researchers publish code after private communications are ignored
http://www.zdnet.com/researchers-publish-snapchat-code-allowing-phone-number-matching-after-exploit-disclosures-ignored-7000024629/
12/31/2013 Hackers say why they did it
http://techcrunch.com/2013/12/31/hackers-claim-to-publish-list-of-4-6m-snapchat-usernames-and-numbers/
1/1/2014 A summary
http://www.cnn.com/2014/01/01/tech/social-media/snapchat-hack/index.html
1/1/2014 SnapChat tweets initial response
https://twitter.com/evanspiegel/status/418561021578452992

1/9/2014 How to Fix & Apology

Find Friends Improvements

This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #.

This update also requires new Snapchatters to verify their phone number before using the Find Friends service.

Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.

Love,

Team Snapchat

from
http://blog.snapchat.com/post/72768002320/find-friends-improvements



Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.