Snapchat, under pressure after hackers discovered a way to access and store the user information of its millions of subscribers, has chosen to downplay and ignore the possibility. The photo messaging app has become very popular with teens who are deserting Facebook in order to use an app their parents do not. Snapchat is used by up to approximately 40 million unique visitors, with a reported 400 million “snaps” daily.
Snapchat allows users to share videos, drawings and photos with friends. Its most distinguishing feature is the ability for users to set a time limit after which the content sent is permanently deleted and cannot be viewed again.
The Gibson Security Firm, which is composed of anonymous computer hackers, says it notified Snapchat of the security vulnerability in August. Since then, the app has been updated to include new features, but no update addressing the security vulnerability has been made. The security hole lies in the “find_friends” feature of Snapchat, which lets users search for friends who also use the app by entering their phone numbers. By exploiting the faulty code, hackers could upload legions of phone numbers to Snapchat’s servers, which would then match them to user accounts, user names and the security preference. Accounts set to “private” are also vulnerable.
The information obtained could be uploaded to a black-market online database where buyers would pay for the information listed on an individual account or on accounts in bulk. Such a purchase could be highly valuable to stalkers or identity thieves. In addition, the contact information could be sold in bulk to marketers or others who could exploit it. Considering that Facebook offered to buy Snapchat for $3 billion in November, the value of its user database is high, which makes it more valuable to those who would sell the information for profit.
According to Gibson, the issue could have been easily repaired with only 10 lines of code. The code would limit the rate at which users could be looked up by phone number. Gibson currently estimates that it would take only 27 hours to run all of the phone numbers in the United States through the Snapchat user rolls.
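The kind of limit Gibson describes can be sketched as follows. This is an added example, not Snapchat's or Gibson's code: a per-account sliding-window budget counted in phone numbers rather than requests, so that one bulk upload cannot sidestep it. The class and function names, the limits and the sample directory are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class PhoneLookupLimiter:
    """Per-account sliding-window budget, counted in phone numbers looked up."""

    def __init__(self, max_numbers=500, window_seconds=3600, clock=time.monotonic):
        self.max_numbers = max_numbers      # assumed budget, not a Snapchat value
        self.window = window_seconds
        self.clock = clock                  # injectable so tests can control time
        self._events = defaultdict(deque)   # account -> (timestamp, cost) entries
        self._used = defaultdict(int)       # account -> numbers charged in window

    def _expire(self, account):
        now, events = self.clock(), self._events[account]
        while events and now - events[0][0] >= self.window:
            self._used[account] -= events.popleft()[1]
        return now

    def remaining(self, account):
        self._expire(account)
        return self.max_numbers - self._used[account]

    def allow(self, account, numbers):
        """Charge the batch and return True, or return False and charge nothing."""
        now = self._expire(account)
        cost = len(set(numbers))            # duplicates within a batch cost once
        if self._used[account] + cost > self.max_numbers:
            return False
        if cost:
            self._events[account].append((now, cost))
            self._used[account] += cost
        return True


# Constructed sample directory: phone number -> username (hypothetical data).
DIRECTORY = {"+15550100": "alice", "+15550101": "bob"}


def find_friends(limiter, account, numbers):
    """Hypothetical lookup handler: returns matches, or None when over budget."""
    if not limiter.allow(account, numbers):
        return None                         # caller would answer HTTP 429
    return {n: DIRECTORY[n] for n in set(numbers) if n in DIRECTORY}


if __name__ == "__main__":
    limiter = PhoneLookupLimiter(max_numbers=3, window_seconds=60)
    print(find_friends(limiter, "acct-1", ["+15550100", "+15550199"]))
    print(find_friends(limiter, "acct-1", ["+15550101", "+15550102"]))  # None
```

A per-account budget only holds if accounts are costly to create, which is why the mass-registration flaw Gibson also reported matters to this fix.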
Another flaw found by Gibson is the ability to automate mass registration for the application, which would allow hackers to create a vast number of false user accounts within a small amount of time.
Gibson, based in Australia, is frustrated with Snapchat ignoring the possibility of its users’ information being hacked. The security group published online the code which makes it possible to upload phone numbers and match them to users. This action forced Snapchat to respond via a blog post today in which it disregards the security problem, saying that although it might be possible to upload phone numbers in order to find users to match, the phone numbers are not visible to other users and cannot be used to look up user names. This, states Snapchat, makes it highly unlikely that the app’s address book feature could be exploited. Snapchat, it seems, has decided to ignore the possibility completely, although it acknowledges that steps have been taken to make it more difficult for hackers to gain user information.
By Jennifer Pfalz