Hackers posted 4.6 million names and phone numbers of users of the Snapchat photosharing site online on Tuesday on a website called SnapchatDB.info, according to Mashable.com. It was possible to download the entire database of names and phone numbers as either a CSV file or a SQL dump, though the website is currently unavailable because it has been suspended. According to NakedSecurity.com, though, a cached version of the website is still available to view.
When it was up, a statement at the SnapchatDB site said that the information could be used to learn phone number information for social media accounts like Twitter and Facebook or just to figure out the phone numbers of individuals you “wish to get in touch with.”
How did hackers access the Snapchat database?
The hackers accessed the Snapchat database of usernames and phone numbers by using a Snapchat API exploit that was recently published. Their claim is that they’re acting in the interests of the public good, and wanted to “raise the public awareness around the issue” and also have the public put “pressure on Snapchat to get this exploit fixed.”
Supposedly, the hackers just would like to see Snapchat pay closer attention to security issues, and they’d like “to see that Snapchat patches the exploit.” The hackers added that they believe that Snapchat “will be targeted by other groups if they don’t safeguard user security.”
The Snapchat hackers somewhat considerately didn’t post the last two digits of the 4.6 million phone numbers. However, in a statement they released, they said that they might “release their uncensored database ‘under certain circumstances.’”
They deliberately suspended their SnapchatDB site because it was “overwhelmed” by public response. They have no plans to put the site back up. However, the hackers, in a statement to the Mashable.com site, said that they had stored the uncensored Snapchat database “in multiple locations.” Also, torrents and mirrors of the database can be easily found online.
The Snapchat hackers used a modified version of a Gibson Security exploit published just last week to carry out the attack on Tuesday. Australia-based Gibson Security had published two exploits along with details of Snapchat’s API, but they said that they were not involved in the attack.
Soon after Gibson Security pointed out that Snapchat was vulnerable to someone creating such a database, Snapchat released a statement that expressed a blasé attitude. While Snapchat admitted that it was “theoretically” possible to create such a database, it said it had added “various safeguards” and “additional counter-measures” to prevent anyone from obtaining a database like that.
However, whatever improvements Snapchat made were not sufficient to deter the hackers from getting the 4.6 million names and phone numbers. The hackers said that they were compelled to hack into the Snapchat database because Snapchat didn’t do what was necessary “to secure user data.”
What part of Snapchat’s site did the hackers exploit?
The people who hacked into the Snapchat site exploited a vulnerability in the site’s find_friends interface. This interface is supposed to allow Snapchat users to locate friends who also use Snapchat’s photosharing service, provided they already know those friends’ phone numbers and names.
Part of the problem with services like this is that when a lookup shows that a name matches a phone number, the phone number is thereby verified as belonging to that user.
Usually, the potential risk is managed by having a rate limit in place that restricts the number of searches you can do. Then, if you don’t know a person’s phone number to begin with, the rate limit prevents you from simply guessing until you hit on the correct one.
The Snapchat hackers said that the photosharing site had no rate limit at all. This vulnerability enabled any computer to figure out the correct phone number within two minutes. Supposing that hackers have access to 1000 infected PCs on home-user ADSL lines, they could search through an entire North American area code in less than an hour.
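One way to implement the rate limit described above, as an added example that is not Snapchat’s code: a per-client sliding-window limiter in front of a find_friends-style lookup, with a small sweep that counts how many numbers a single client can test in one minute with and without the limit. The registered numbers, the batch cap and the limit values are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample table of registered users: phone number -> username.
REGISTERED = {"+15550100": "alice", "+15550142": "bob", "+15550177": "carol"}

MAX_BATCH = 10  # assumed cap on numbers per find_friends call


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each client key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of recent calls

    def allow(self, client, now):
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def find_friends(numbers, client, now, limiter=None):
    """Return {number: username} for the registered numbers in `numbers`.

    Each call counts once against the client's budget, so the batch size is
    capped too; otherwise one call could carry thousands of guesses.
    """
    if len(numbers) > MAX_BATCH:
        raise ValueError("batch too large")
    if limiter is not None and not limiter.allow(client, now):
        raise PermissionError("rate limit exceeded")
    return {n: REGISTERED[n] for n in numbers if n in REGISTERED}


def sweep(candidates, client, limiter, rate_per_sec=5, seconds=60):
    """Count how many candidate numbers one client can test in `seconds`,
    sending `rate_per_sec` calls of MAX_BATCH numbers each. Compares an
    unlimited endpoint (limiter=None) with a rate-limited one."""
    checked = 0
    for i in range(int(rate_per_sec * seconds)):
        chunk = candidates[checked:checked + MAX_BATCH]
        try:
            find_friends(chunk, client, i / rate_per_sec, limiter)
            checked += len(chunk)
        except PermissionError:
            pass  # request refused; the client learns nothing from it
    return checked
```

With a limit of 10 calls per minute the sweep checks 100 numbers instead of 3000, and the same arithmetic shows why a generous limit still matters against many clients.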
The hackers have stated that anyone who would like to see the uncensored version of the database should “Feel free” to contact them. If the circumstances are right, they added, “we may agree to release it.”
Written by: Douglas Cobb