Ten lines of code appears to have been all that stood between Snapchat, a mobile photo-sharing app, and what has morphed into an embarrassing security incident that seems to have compromised the phone numbers and user names of more than 4 million users.
A feature that allowed Snapchat users to search for their friends in their phone’s address book has been turned into something that a stalker might like to use. An Australian security firm, Gibson Security, chose Christmas Day to disclose a vulnerability in Snapchat’s API that would allow someone to create a tool to match Snapchat account names to phone numbers.
Then on New Year’s Eve, someone did exactly what the GibSec researchers warned about. Well, almost: They created a website called SnapchatDB (the site has since been suspended) that essentially leaked the account names and phone numbers of nearly 5 million Snapchat users.
Since then, the people who did it have said their primary motivation was to raise the pressure on Snapchat to fix the vulnerability. GibSec, which describes itself on its website as “poor students,” said on Twitter that it had nothing to do with the creation of the SnapchatDB. But it has created another tool, one that’s still working, which you can find here. In both cases, the final two digits of the phone numbers have been blocked out.
We know nothing about SnapchatDB, but it was a matter of time til something like that happened. Also the exploit works still with minor fixes
— Gibson Security (@gibsonsec) January 1, 2014
And in a twist that, if true, would be typical of these cases, GibSec said it tried to notify Snapchat about the vulnerability back in August. When media attention shed light on the vulnerability, Snapchat, in a company blog post, dismissed it as “theoretical.” But it did say it has added new security countermeasures, though it hasn’t said anything about what they are.
A Snapchat representative did not immediately respond to a request for comment.
The basic vulnerability had to do with something called rate limiting, which would put a cap on the number of searches a person or program might make for a number using the Snapchat API. Without those rate limits, the theoretical limit for these searches, as Naked Security blogger Paul Ducklin noted on Dec. 27, appeared to be about 7 million a day.
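To make the rate-limiting point concrete, here is an added illustration (not Snapchat's code, and not from the article) of a find-friends lookup that refuses bulk matching of phone numbers to account names. The directory contents, the batch cap of 50 numbers per request and the per-caller quota of 1,000 lookups per rolling 24 hours are all assumed values chosen for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory (phone number -> account name); not real data.
DIRECTORY = {
    "+15550000001": "alice_example",
    "+15550000002": "bob_example",
}

MAX_BATCH = 50            # assumed cap on address-book entries per request
DAILY_QUOTA = 1000        # assumed cap on lookups per caller per rolling day
WINDOW_SECONDS = 24 * 3600


class RateLimitedFriendFinder:
    """Find-friends lookup with a per-caller sliding-window quota (illustrative)."""

    def __init__(self, directory, clock=time.time):
        self.directory = directory
        self.clock = clock                 # injectable for testing
        self._log = defaultdict(deque)     # caller -> timestamps of counted lookups

    def _prune(self, caller, now):
        """Drop lookups older than the window and return the caller's log."""
        q = self._log[caller]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def remaining(self, caller):
        return DAILY_QUOTA - len(self._prune(caller, self.clock()))

    def deny_reason(self, caller, numbers):
        """Return None if the request is allowed, else a short reason string."""
        if len(numbers) > MAX_BATCH:
            return "batch too large"
        if len(self._prune(caller, self.clock())) + len(numbers) > DAILY_QUOTA:
            return "daily lookup quota exceeded"
        return None

    def find_friends(self, caller, numbers):
        """Return {number: account} for known numbers, or raise if over limits."""
        reason = self.deny_reason(caller, numbers)
        if reason:
            raise PermissionError(reason)
        now = self.clock()
        # Every submitted number counts, matched or not, so probing unknown
        # numbers costs the caller exactly as much as looking up real ones.
        self._log[caller].extend([now] * len(numbers))
        return {n: self.directory[n] for n in numbers if n in self.directory}
```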
What’s less clear is what this does to Snapchat users’ confidence in the product. Billed as an app that lets you send photos that disappear after 10 seconds, it has an air of naughty permissibility about it that has appealed to teens and twentysomethings, and tends to raise alarm bells in the minds of parents. Questions about whether or not those photos really do disappear have persisted for some time. (Answer: They really don’t.)
And even with the new countermeasures in place, the anonymous hackers behind SnapchatDB told the Verge that the problem isn’t really fixed.
“Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale.”
The exploitation of the vulnerability also raises some larger issues about how other apps access address books on phones. There have been cases where this sort of feature has raised privacy and security concerns. If you’re building apps that tap the address book, today would be a good day to study what has been going on with Snapchat these last few days and then go back and check your own code.