Hackers Teach Snapchat a Lesson in Security: Millions of Usernames and Partial Phone Numbers Published

acura-sent-100-followers-a-snapchatPicture and video-sharing startup Snapchat has just been made a public example of how not to handle a potential security issue.

About a month ago, a group of white-hat hackers called Gibson Security (white-hat meaning they do not exploit security flaws, only find them) privately contacted Snapchat to warn the company about two security weaknesses that could be easily exploited to gain access to users’ real names, usernames and phone numbers, through Snapchat’s Android and iOS API.

Rather than taking immediate action, Snapchat reportedly ignored the warning. Finally, after receiving no response from the company and seeing little improvement in security, Gibson Security published its findings publicly on Christmas Eve.

Once the warning had been made public (and therefore a PR issue), Snapchat responded, but did so by minimizing the risk, saying in blog post on Friday:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Happy Snapping!

Apparently unimpressed by this response, a group of anonymous hackers (unrelated to Gibson Security), in an apparent attempt to force Snapchat to take the risk more seriously, exploited the weaknesses and made the usernames and partial phone numbers for 4.6 million Snapchat accounts available for download on a site called SnapchatDB.info on New Year’s Eve. The site has since been suspended. The anonymous hackers explained their motivation in a statement to TechCrunch, slamming Snapchat for its lack of action:

Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.

We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.

We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.

This public shaming was so well-executed that it almost makes a believable case that hackers care more about Snapchat’s users’ security than Snapchat does. Yikes. We’ll be interested to see how the company responds to this, but we imagine a minimizing blog post isn’t going to cut it this time.