Latest News: Technology |  Celebrity |  Movies |  Apple |  Cars |  Business |  Sports |  TV Shows |  Geek

Trending

Filed under: News

 

The Hackers Who Revealed Snapchat's Security Flaws Received One Response From The Company...Four Months Later

Jan 2 2014, 6:51pm CST | by

The Hackers Who Revealed Snapchat's Security Flaws Received One Response From The Company...Four Months Later

Photo Credit: Forbes
 
 

On New Year’s Day, the website SnapchatDB.info released the usernames and redacted phone numbers of 4.6 million U.S. Snapchat users. Months earlier, an Australian security outfit called Gibson Security published a thorough account of the security vulnerabilities plaguing the company.

The identity of those behind Gibson Security is unknown—the group appears to be little more than a moniker used by three hacker friends in Australia—but a member of the group responded to questions via email. He says that he and his friends have no formal training or qualifications, and are currently students. They are in no way affiliated with SnapchatDB, and don’t condone that entity’s release of user information. “But with Snapchat responding like it is,” my anonymous source writes, “it might be the wake up call it needs.”

The identity of SnapchatDB is also unknown but the group or person told TechCrunch that the hack was in direct response to the Gibson report and Snapchat’s nonchalant reaction:

Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.

Gibson released their initial report on August 27th last year. Snapchat didn’t respond until December 28th, three days after Gibson released a more thorough, updated account of the app’s security vulnerabilities. Via email, Micah Schaffer, director of operations at Snapchat, apologized for being difficult to contact and promised Gibson that they have an open line. “I replied and said they should have a security@snapchat.com address, and that their current attempt at patching the vulnerability proves useless, and that we’d be glad to help. We’re still waiting on a response,” the Gibson member writes.

In blog post published this evening, the company announced that it has, in fact, created the email address Gibson suggested. Hackers can now notify the company about vulnerabilities at security@snapchat.com. The company also says that it will improve rate limiting, a practice that will restrict the number of phone numbers a user can upload in a given time, to deter the type of attack used by SnapchatDB. It will also allow users opt out of the Find Friends feature.

But Snapchat’s first public acknowledgement of the vulnerabilities outlined the exact scenario it is now confronting. In a blog post published the day before Schaffer’s email, the company writes:

Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book…

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.

Gibson Security pointed out the same vulnerability in its title="Gibson Snapchat hack">December 25th post, explaining that hackers could easily and cheaply upload millions of phone numbers in a matter of hours. “We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z’s) in approximately 7 minutes on a gigabit line on a virtual server,” the group explained. With further refinements, Gibson claims that hackers could easily upload nearly 7,000 numbers per minute, or 10 million per day. The company’s implementation of improved rate limiting will hopefully make such a scenario more difficult.

Both Snapchat and SnapchatDB did not immediately respond to requests for comment.

Follow me @JJColao and on Facebook.

Source: Forbes

iPad Air Giveaway. Win a free iPad Air.

You Might Also Like

Updates

Shopping Deals

 
 
 

<a href="/latest_stories/all/all/31" rel="author">Forbes</a>
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

 

Comments

blog comments powered by Disqus

Latest stories

Apple&#039;s first wearable to debut next month, says report
Apple's first wearable to debut next month, says report
Apple's smartwatch will tap on the nifty capabilities of HealthKit, its health and fitness platform, as well as HomeKit, a software for the connected home.
 
 
Dallas Cowboys 'Facing an Uphill Battle,' Per Jerry Jones
Dallas Cowboys Facing 'An Uphill Battle,' Per Jerry Jones
Dallas Cowboys owner Jerry Jones told the media on Aug. 27 that the team will be "facing an uphill battle" during the 2014 NFL season.
 
 
Karrueche Tran Under Fire for Blue Ivy Comments
Karrueche Tran Under Fire for Blue Ivy Comments
Beyoncé fans are upset with Karrueche.
 
 
Bill Hader Thinks Justin Bieber Is Worst &quot;SNL&quot; Of All Time
Bill Hader Thinks Justin Bieber Is Worst "SNL" Host of All Time
Not the first time he's mentioned his dislike for the pop star.
 
 
 

About the Geek Mind

The “geek mind” is concerned with more than just the latest iPhone rumors, or which company will win the gaming console wars. I4U is concerned with more than just the latest photo shoot or other celebrity gossip.

The “geek mind” is concerned with life, in all its different forms and facets. The geek mind wants to know about societal and financial issues, both abroad and at home. If a Fortune 500 decides to raise their minimum wage, or any high priority news, the geek mind wants to know. The geek mind wants to know the top teams in the National Football League, or who’s likely to win the NBA Finals this coming year. The geek mind wants to know who the hottest new models are, or whether the newest blockbuster movie is worth seeing. The geek mind wants to know. The geek mind wants—needs—knowledge.

Read more about The Geek Mind.