Anonymous hackers have claimed to use the reported Snapchat API exploit to compile a database of 4.6 million Snapchat usernames and their associated phone numbers and geographical regions. The site, SnapchatDB.info, offers the information as a SQL database dump (reportedly 40MB) or as a CSV file. Instructions on the pages say, “You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”
It is clear that the hackers are trying to prod Snapchat into acknowledging the severity of its security holes and making the needed patches. They claim that the database “contains username and phone number pairs of a vast majority of the Snapchat users.” They used the security exploits documented last week by Gibson Security that Snapchat “dismissed.” SnapchatDB claims that this information “is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
In order to not make the information too useful to black hat hackers, the last two digits of the phone numbers have been blurred out (redacted) “in order to minimize spam and abuse.” The hackers, however, make it clear that they may release the uncensored database somehow in the future. “Under certain circumstances, we may agree to release it,” they write.
It’s hard to know how exactly to feel about all of this. Snapchat’s security is indeed lax, even by social media startup standards. This certainly is not the way a company that refused an offer of $3 billion should be behaving. On the other hand, Alex Clemmer, a hacker with a keen understanding of the internals of Snapchat, cautioned in comments on Hacker News, “The Snapchat API is fundamentally insecurable as it exists today. The problem is not that Snapchat could have secured their API against unauthorized access and simply failed to do so, it’s that their API cannot possibly be secured, AND they happened to make some bad mistakes along the way. Even a serious security team would have been unable to lock everything down. They might have locked some of these issues down, but they would not have gotten all of them.”
The line between alerting the public, as Gibson Security and the programmers behind SnapchatDB have, and actually facilitating malevolent hacking is thin. Security experts routinely embarrass companies with substandard practices as a way of demonstrating their own skill and value as consultants. But why didn’t Snapchat take this more seriously?
I have a theory. Last week there was a big story about how Facebook was “dead and buried” because teens didn’t want to be on a service that their parents had moved into. Now, when it comes to security, the parents care a lot more than the kids. Could Snapchat be playing fast and loose with the security of their user data as a way of scaring away the grownups?
This would be a clever ploy but for one damning fact: a large share of Snapchat’s users are minor children. Could anyone, from the CEO of Snapchat to the perpetrators of SnapchatDB, really think that risking the broadcasting of the phone numbers of 12-year-old girls and boys is a risk worth taking? 2013 may have been Snapchat’s year, but I think that they and their security critics need to take a long, hard look at their own selfies and figure this out.