Snapchat has been very high profile lately. Lots of people are eschewing Facebook and other sites in favor of the light, simple tools Snapchat provides. But on New Year's Day, the usernames and phone numbers of 4.6 million users were released, earning Snapchat all the wrong kind of publicity. Unfortunately, this data had been exposed well before the breach.
In August, a trio of amateur security researchers at Gibsonsec told Snapchat that there were serious vulnerabilities in its system. Gibsonsec alleged that Snapchat did not patch the problem effectively, and offered to help, but Snapchat did not reach out to them about it until December 28th. Gibsonsec was quick to reply, but communications did not continue from there.
Instead, Snapchat chose to acknowledge the flaws in a December 27 blog post, claiming they had been fixed. Snapchat also acknowledged that its API was publicly known, and in doing so practically spelled out how its system could be abused. Snapchat laid all its cards on the table for no reason at all, and on January 1st, it bit them.
Those behind the data leak told The Verge, “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. Security matters as much as user experience does.”
It's not unusual for self-described 'white-hat' hackers to employ tactics like this. Their stated aim is to expose weaknesses, not profit from them, although dumping millions of users' records in public, rather than handing them to the vendor, is full disclosure at its most aggressive and is not what most practitioners would call white-hat. And it would be very easy for someone else to profit from this kind of data, for instance by selling the phone numbers to spammers.
Still, Snapchat remained relatively silent. On January 2nd it piped up on its blog again, telling users how to opt out of 'find friends', the feature that links a phone number to an account so that people in a user's address book can be matched to their Snapchat accounts. That link is exactly what the leak exposed: a username for each phone number. The company also stopped dragging its heels on security and set up a dedicated point of contact for security researchers.
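To make the 'find friends' problem concrete, here is an added toy model of such an endpoint and of the bulk lookup it invites when it is not throttled. This is illustrative code written for this article, not Snapchat's code or the tool used in the leak; the request shape (a client submits a batch of phone numbers and gets back the username for each registered number), the batch sizes, the per-client limits and the sample directory are all assumptions. The hardened variant shows the two mitigations the article mentions in spirit: throttling per client, and honoring users who opt out of being matched.

```python
"""Toy model of a phone-number -> username ("find friends") lookup and of
bulk enumeration against it. Added example; not Snapchat's code.
Assumed: request/response shape, limits and sample data below."""
import math
from collections import defaultdict

# Constructed sample directory: made-up numbers and usernames, not real users.
DIRECTORY = {
    "+14155550101": "alice",
    "+14155550137": "bob",
    "+14155550188": "carol",
    "+14155559042": "dave",
}


class RateLimited(Exception):
    """Raised when a client exceeds its per-window batch allowance."""


class FindFriendsService:
    """Contact-matching endpoint. With no limits set it answers any batch of
    numbers, which is the weak configuration; limits and opt-outs harden it."""

    def __init__(self, directory, max_batch=None, max_batches_per_window=None,
                 opted_out=()):
        self.directory = directory
        self.max_batch = max_batch                  # max numbers per request
        self.max_batches = max_batches_per_window   # max requests per client/window
        self.opted_out = set(opted_out)             # usernames not to be matched
        self.batches_used = defaultdict(int)        # client_id -> requests so far

    def lookup(self, client_id, numbers):
        numbers = list(numbers)
        if self.max_batch is not None and len(numbers) > self.max_batch:
            raise ValueError("batch too large")
        if self.max_batches is not None:
            if self.batches_used[client_id] >= self.max_batches:
                raise RateLimited(client_id)
            self.batches_used[client_id] += 1
        # Only registered numbers whose owner has not opted out are returned.
        return {n: self.directory[n] for n in numbers
                if n in self.directory and self.directory[n] not in self.opted_out}


def number_block(prefix, width=4):
    """Every number sharing a prefix, e.g. +1415555 + 0000..9999."""
    for i in range(10 ** width):
        yield f"{prefix}{i:0{width}d}"


def enumerate_block(service, client_id, prefix, batch_size):
    """Attacker: walk a whole number block through the lookup in batches.
    Returns (numbers found, requests attempted); stops when throttled."""
    found, batch, attempted = {}, [], 0

    def flush():
        nonlocal attempted
        attempted += 1
        found.update(service.lookup(client_id, batch))
        batch.clear()

    try:
        for n in number_block(prefix):
            batch.append(n)
            if len(batch) == batch_size:
                flush()
        if batch:
            flush()
    except RateLimited:
        pass
    return found, attempted


def windows_to_enumerate(block_size, max_batch, max_batches_per_window):
    """How many rate-limit windows a full walk of the block needs."""
    return math.ceil(block_size / (max_batch * max_batches_per_window))


def demo_unthrottled():
    # Weak configuration: one request maps the entire block.
    svc = FindFriendsService(DIRECTORY)
    return enumerate_block(svc, "attacker", "+1415555", batch_size=10_000)


def demo_hardened():
    # Hardened: 100 numbers per request, 3 requests per window, alice opted out.
    svc = FindFriendsService(DIRECTORY, max_batch=100, max_batches_per_window=3,
                             opted_out={"alice"})
    return enumerate_block(svc, "attacker", "+1415555", batch_size=100)


if __name__ == "__main__":
    print("unthrottled:", demo_unthrottled())
    print("hardened:", demo_hardened())
    print("windows needed for 10,000 numbers:", windows_to_enumerate(10_000, 100, 3))
```

The unthrottled service gives up every registered number in the block in a single request; the hardened one answers three batches, then cuts the client off, so the same walk takes dozens of windows per block of 10,000 numbers and never reveals a user who opted out. Throttling only slows an attacker with one identity, so in practice it has to be combined with per-account and per-IP limits and with alerting on clients that submit implausibly dense, sequential contact lists.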
It may be too little, too late for Snapchat, though, as legal experts expect possible action by federal and state regulators. "Over the past year and half, the FTC and states like California have really stepped up their efforts to crack down on violations of privacy and breaches of security similar to what happened at Snapchat," said Adam D.H. Grant, chief legal contributor to App Developer Magazine, talking to The Wrap.
Snapchat may be coming up fast, but if serious vulnerabilities like this are left unaddressed for months, the fledgling network may never see investor money. Something like this erodes consumer confidence. If Snapchat is seen to be fast and loose with user data, people could drop it as fast as they picked it up. So much for increased privacy.