Hackers have published what they claim is a database of 4.6 million Snapchat users, with phone numbers matched to usernames. The hack could be a huge blow to the self-deleting messaging service, one of whose major selling points is its supposedly ‘discreet’ nature.
Sky News described how “worried users” are searching the database, published by unknown attackers on a website hosted in Panama. The apps offered self-deleting messages, and may have appealed to users with something to hide. The numbers published all come from America, Sky reports.
Gibson Security, the Australian security researchers who uncovered the vulnerability – published months before the hack – likened Snapchat’s approach to security to a restaurant which spent, “millions on decoration, but barely anything on cleanliness.”
The site, which offers a service where users send pictures which are visible for only a few seconds, had previously ignored warnings from Gibson Security claiming they were ‘theoretical’, according to The Register’s report. The Register described Snapchat’s post as a “red rag to a bull”.
Gibson said in a blog post that the vulnerability arises from the Find Friends feature – and claimed that the service had not acted on a previous post, dating from August, which detailed vulnerabilities in the site’s Android app. The researchers – who describe themselves as ‘poor students’ – now offer a page which allows users to check if their number is among those leaked.
Veteran computer security analyst Graham Clulely says that the nature of Snapchat itself poses particular security risks. “It’s possible that you have been flirting with someone via Snapchat that you *didn’t* want to have access to your phone number,” he writes on his blog. “Snapchat, you will remember, is designed to let you send a sexy snap that is only supposed to be viewable for a few seconds before it is destroyed).”
“An obvious concern is that many people on the internet adopt the same username on multiple services, perhaps making it easy for unauthorised parties to determine the private phone numbers of – say – Twitter or Facebook users.”
In a statement emailed to TechCrunch, the researchers said, “Even now the exploit persists. It is still possible to scrape this data on a large scale. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case.”
Snapchat had dismissed Gibson’s earlier claims in a blog post, saying, “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
These measures appear to have been less than successful – and the numbers published on SnapchatDB appear to be legitimate, according to TechCrunch, “It’s real–at least one member of our editorial team has been affected. A reader also told us he found his own number, that of several friends and Snapchat founder Evan Spiegel in the list.”
Gibson Security said in their post, “Given that it’s been around four months since our last Snapchat release, we figured we’d do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure: none of them).”
The researchers were also highly critical of Snapchat’s approach to the issue, saying, “In the time since our previous release, there have been numerous public Snapchat api clients created on GitHub. Thankfully, Snapchat are too busy declining ridiculously high offers from Facebook and Google, and lying to investors (hint: they have no way to tell the genders of their users, see /bq/register for a lack of gender specification) to send unlawful code takedown requests to all the developers involved.”
Gibson published the exploit on their site on Christmas Eve. The numbers and addresses were published on SnapChat DB, a site created on December 31, and registered in Panama, according to The Next Web.
TechCrunch had previously criticized Snapchat for downplaying the risks, and not offering enough detail, saying, “The vagueness could keep the new barriers from being evaded, but doesn’t offer much comfort to users.”
Author Rob Waugh, We Live Security