After weeks of controversy surrounding user security concerns, ephemeral-messaging service Snapchat responded to allegations of hacking on Thursday, promising an update to its mobile application that may assuage the ire of upset users.
In December, an Australian security firm detailed a vulnerability in Snapchat’s application programming interface that effectively allowed savvy outsiders to connect Snapchat account names to telephone numbers. Shortly after the disclosure, an anonymous group did exactly that; around 5 million user names and phone numbers were searchable through the tool the hacker group built.
After days of radio silence, Snapchat responded:
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number,” the company said in a blog post. “We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
In its current implementation, Snapchat’s app lets new users find friends who are already on the service by matching user names to cellphone address books. This has become commonplace practice over the past few years — a simple way to jumpstart growth and engagement on a new app service by making more connections between friends.
Snapchat was dismissive of the security firm’s original findings, effectively waving off concerns in a blog post. Four days later, the loophole was exploited.
Some things to note here: The anonymous group that built the exploit tool has positioned itself as a group of “white hat” hackers, pointing out vulnerabilities so that companies will end up fixing them. In its statement on Thursday, Snapchat didn’t see it that way, painting the group as “attackers.” Make of that what you will.
More importantly, Snapchat will allow people to opt out of being found via the Find Friends address book tool in a forthcoming app update. That could have implications for Snapchat’s ability to continue growing as quickly — especially under its current spotlight of media attention and Silicon Valley hype. At one point, Snapchat also gave newcomers the ability to find their Facebook friends who use the app, though that functionality has been removed.
In addition, the company announced a new venue for outsiders to report security vulnerabilities in the future, via an email alias at firstname.lastname@example.org.
Snapchat made clear in its statement that “no other information, including Snaps, was leaked or accessed.”