The photo messaging application Snapchat, which allows users to post images, video and text on a time limited basis to a group of recipient users, has been hacked. The attraction of Snapchat, apart from not being Facebook and therefore somewhere teenagers can meet online without their parents having a clue about it, is in the 'Mission Impossible' nature of the service: your photo will self-destruct in 10 seconds. Well sort of, as users set the time limit up to 10 seconds that the snap will be viewable to the receiving group, after which they can no longer see it and Snapchat deletes the item from the servers. This kind of discrete time-limited approach has appealed to many, leading them to send perhaps more risque images than they would otherwise, certainly stuff of a more personal nature as their confidence is boosted by the self-destructive feel of security it provides. It is, let's be honest, a magnet for online flirts. It is also less than apologetic after being hacked, apparently preferring to play the blame game.
Of course, what isn't deleted from the Snapchat servers are the usernames and phone numbers of people using the app. And now hackers have apparently successfully downloaded some 4.6 million of them into a database which was made available for anyone to access online. The SnapchatDB site made the data available, but censored the last two digits of the numbers which suggests that maybe this was more a case of a warning shot across the bows of Snapchat to sort its security out rather than a malicious endeavour. The fact that the database was only available online for a limited period would also suggest this is a possibility, although only time will tell. Of course savvy Internet users can easily go find the data via the cached copies of the site that are out there and only a fool would think that those with more sinister motives would not have sucked the data off into their own databases while it was out there.
The hack itself is of concern because it would seem that Snapchat pretty much ignored warnings from the highly respected Gibson Security company in Australia which had posted warnings about vulnerabilities in the Snapchat app just days before the hacking took place. The SnapchatDB hackers have stated that they used a modified version of the published Gibson Security methodology in order to successfully exploit the vulnerabilities. Admittedly the timing of the vulnerability publication could have been better, coming as it did on Xmas Day. That said, although the Gibson Security report was published on the 25th December I understand that Gibosn first informed Snapchat of the potential dangers some four months previously and the company claimed these to be 'theoretical' and as a result it seems the company did little to address them in any meaningful way.
Gibson Security has put up a website, GS Lookup which allows users to enter their Snapchat username and be informed if their data was included in the published SnapchatDB leak. From what I understand, the majority of impacted users were based in the US.
Snapchat has now said that a new version of the app, with an opt-out option for the problematical Find Friends feature (which was used in the exploit). However, unlike other organisations which have suffered large-scale breaches, Snapchat appears to be less than apologetic to its users which is very disappointing indeed. Instead it seems to be blaming Gibson Security. Here's the full statement that appears on the Snapchat blog about the incident:
When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: firstname.lastname@example.org.
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.