On New Year’s Day, the website SnapchatDB.info released the usernames and redacted phone numbers of 4.6 million U.S. Snapchat users. Months earlier, an Australian security outfit called Gibson Security published a thorough account of the security vulnerabilities plaguing the company.
The identity of those behind Gibson Security is unknown—the group appears to be little more than a moniker used by three hacker friends in Australia—but a member of the group responded to questions via email. He says that he and his friends have no formal training or qualifications, and are currently students. They are in no way affiliated with SnapchatDB, and don’t condone that entity’s release of user information. “But with Snapchat responding like it is,” my anonymous source writes, “it might be the wake up call it needs.”
Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.
Gibson released their initial report on August 27th last year. Snapchat didn’t respond until December 28th, three days after Gibson released a more thorough, updated account of the app’s security vulnerabilities. Via email, Micah Schaffer, director of operations at Snapchat, apologized for being difficult to contact and promised Gibson that they have an open line. “I replied and said they should have an email@example.com address, and that their current attempt at patching the vulnerability proves useless, and that we’d be glad to help. We’re still waiting on a response,” the Gibson member writes.
In a blog post published this evening, the company announced that it has, in fact, created the email address Gibson suggested. Hackers can now notify the company about vulnerabilities at firstname.lastname@example.org. The company also says that it will improve rate limiting, a practice that restricts the number of phone numbers a user can upload in a given time, to deter the type of attack used by SnapchatDB. It will also allow users to opt out of the Find Friends feature.
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.
Gibson Security pointed out the same vulnerability in its December 25th post, explaining that hackers could easily and cheaply upload millions of phone numbers in a matter of hours. “We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z’s) in approximately 7 minutes on a gigabit line on a virtual server,” the group explained. With further refinements, Gibson claims that hackers could easily upload nearly 7,000 numbers per minute, or 10 million per day. The company’s implementation of improved rate limiting will hopefully make such a scenario more difficult.
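As an added illustration of the rate limiting described above (example code, not Snapchat’s or Gibson’s), the limiter below caps the number of phone numbers an account may submit to a Find Friends-style lookup per sliding window, counting numbers rather than requests. The window length, quota, account names and sample numbers are assumed values chosen for the demonstration.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 3600     # assumed: quota is measured over a one-hour sliding window
NUMBERS_PER_WINDOW = 500  # assumed: larger than any plausible contact list

class PhoneLookupLimiter:
    """Caps how many phone numbers an account may submit to a Find Friends-style
    lookup per window. It counts numbers, not requests: a single request can
    carry thousands of numbers, so a per-request limit would not slow a sweep."""

    def __init__(self, window: int = WINDOW_SECONDS, quota: int = NUMBERS_PER_WINDOW):
        self.window = window
        self.quota = quota
        # account id -> batches of (submit_time, numbers_in_batch) inside the window
        self._log: Dict[str, Deque[Tuple[float, int]]] = {}

    def _used(self, account: str, now: float) -> int:
        batches = self._log.setdefault(account, deque())
        while batches and now - batches[0][0] >= self.window:  # drop aged-out batches
            batches.popleft()
        return sum(n for _, n in batches)

    def allow(self, account: str, numbers: List[str], now: float) -> bool:
        """True if the whole batch fits the remaining quota. The batch is rejected
        as a unit rather than trimmed, so the client learns nothing from a partial
        lookup and cannot probe exactly where the cutoff lies."""
        if self._used(account, now) + len(numbers) > self.quota:
            return False
        self._log[account].append((now, len(numbers)))
        return True


def simulate_sweep(limiter: PhoneLookupLimiter, account: str,
                   rate_per_min: int, minutes: int, batch: int = 100) -> int:
    """Constructed scenario: one account submits rate_per_min numbers per minute
    in batches of `batch` for `minutes` minutes. Returns how many got through."""
    accepted, t = 0, 0.0
    gap = 60.0 * batch / rate_per_min             # seconds between batches
    for i in range(rate_per_min * minutes // batch):
        # constructed sample numbers in the 555 range; nothing is actually looked up
        fake = [f"555{i * batch + j:07d}" for j in range(batch)]
        if limiter.allow(account, fake, t):
            accepted += batch
        t += gap
    return accepted
```

At the roughly 7,000 numbers per minute the post quotes, a ten-minute sweep from one account gets only the first 500 numbers through, while a user uploading a few hundred contacts is unaffected. A per-account quota alone is defeated by creating many accounts, so in practice it is paired with per-IP, per-device and global limits on the same endpoint.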
Neither Snapchat nor SnapchatDB immediately responded to requests for comment.