Filed under: News


The Hackers Who Revealed Snapchat's Security Flaws Received One Response From The Company...Four Months Later

Jan 2 2014, 6:51pm CST


On New Year’s Day, the website SnapchatDB released the usernames and redacted phone numbers of 4.6 million U.S. Snapchat users. Months earlier, an Australian security outfit called Gibson Security had published a thorough account of the security vulnerabilities plaguing the company.

The identity of those behind Gibson Security is unknown—the group appears to be little more than a moniker used by three hacker friends in Australia—but a member of the group responded to questions via email. He says that he and his friends have no formal training or qualifications, and are currently students. They are in no way affiliated with SnapchatDB, and don’t condone that entity’s release of user information. “But with Snapchat responding like it is,” my anonymous source writes, “it might be the wake up call it needs.”

The identity of SnapchatDB is also unknown, but the group or person told TechCrunch that the hack was in direct response to the Gibson report and Snapchat’s nonchalant reaction:

Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.

Gibson released their initial report on August 27th last year. Snapchat didn’t respond until December 28th, three days after Gibson released a more thorough, updated account of the app’s security vulnerabilities. Via email, Micah Schaffer, director of operations at Snapchat, apologized for being difficult to contact and promised Gibson that they have an open line. “I replied and said they should have a address, and that their current attempt at patching the vulnerability proves useless, and that we’d be glad to help. We’re still waiting on a response,” the Gibson member writes.

In a blog post published this evening, the company announced that it has, in fact, created the email address Gibson suggested. Hackers can now notify the company about vulnerabilities at that address. The company also says that it will improve rate limiting, a practice that restricts the number of phone numbers a user can upload in a given time, to deter the type of attack used by SnapchatDB. It will also allow users to opt out of the Find Friends feature.

But Snapchat’s first public acknowledgement of the vulnerabilities outlined the exact scenario it is now confronting. In a blog post published the day before Schaffer’s email, the company writes:

Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book…

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.

Gibson Security pointed out the same vulnerability in its December 25th post, explaining that hackers could easily and cheaply upload millions of phone numbers in a matter of hours. “We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z’s) in approximately 7 minutes on a gigabit line on a virtual server,” the group explained. With further refinements, Gibson claims that hackers could easily upload nearly 7,000 numbers per minute, or 10 million per day. The company’s implementation of improved rate limiting will hopefully make such a scenario more difficult.
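As an added illustration (not code from Forbes, Snapchat or Gibson Security), here is a minimal sliding-window limiter of the kind Snapchat describes, a heuristic that flags an upload sweeping one (XXX) YYY sub-range, and a simulation showing how much a single account could still match in a day under such a cap. The cap of 1,000 numbers per hour, the account ids and the sample numbers are assumptions.

```python
from collections import deque

# Constructed policy values for illustration; not Snapchat's actual limits.
MAX_NUMBERS_PER_WINDOW = 1000   # numbers one account may match per window
WINDOW_SECONDS = 3600


class FindFriendsLimiter:
    """Sliding-window cap on how many phone numbers an account may upload for matching."""

    def __init__(self, max_numbers=MAX_NUMBERS_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_numbers = max_numbers
        self.window = window
        self.history = {}  # account_id -> deque of (timestamp, numbers_in_batch)

    def allow(self, account_id, batch, now):
        """Return True and record the batch if it fits under the cap, else False."""
        q = self.history.setdefault(account_id, deque())
        while q and now - q[0][0] >= self.window:   # drop batches outside the window
            q.popleft()
        used = sum(count for _, count in q)
        if used + len(batch) > self.max_numbers:
            return False
        q.append((now, len(batch)))
        return True


def looks_like_sweep(batch, min_size=500):
    """Heuristic: a large batch of consecutive numbers sharing one (XXX) YYY prefix
    resembles a sweep of a sub-range, not a real address book."""
    nums = sorted(int("".join(c for c in n if c.isdigit())) for n in batch)
    if len(nums) < min_size:
        return False
    one_prefix = len({n // 10000 for n in nums}) == 1      # same XXX YYY for all
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return one_prefix and steps >= 0.9 * (len(nums) - 1)


def simulate_sweep(batch_size, interval_s, duration_s, limiter=None):
    """Numbers one account gets matched when it uploads a batch every interval_s."""
    limiter = limiter or FindFriendsLimiter()
    accepted = 0
    for t in range(0, duration_s, interval_s):
        if limiter.allow("sweeper", range(batch_size), t):
            accepted += batch_size
    return accepted


if __name__ == "__main__":
    # Constructed sample: 10,000 numbers of one sub-range, like the Z's Gibson swept.
    sweep = ["(555) 123-%04d" % z for z in range(10000)]
    print(looks_like_sweep(sweep), simulate_sweep(100, 1, 86400))  # True 24000
```

With the assumed cap, an account uploading 100 numbers every second is held to 24,000 matches per day instead of the roughly 10 million Gibson estimated, and a single batch larger than the cap is rejected outright.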

Neither Snapchat nor SnapchatDB immediately responded to requests for comment.

Follow me @JJColao and on Facebook.

Source: Forbes
