Any company that can afford to turn down $3 billion dollar buyouts is having a very good year, and by most measures that matter for startups, disappearing-photo messaging service Snapchat is having a very good year. The “disappearing”-sharing app is picking up followers faster than a charismatic cult leader. What looked like it might be a novel digital toy for teens is now widely considered an ascendant social network—the next Facebook, the next Twitter, the next thing to make investors see dollar sign upon dollar sign.
But a company that hooks users in by offering a feeling of intimacy has a lot to lose if users decide it can’t be trusted—and it looks like Snapchat users have a new reason to worry.
Australian hacker team Gibson Security published functional code and developer hooks that let anyone infiltrate Snapchat after the messaging service ignored the hackers’ previous attempts to point out security breaches. In a forward published on its website, the GibSec team justified their hack by noting it had been four months since they last pointed out security issues and that “nothing had been really improved upon.”
GibSec released what they call a “full disclosure.” This means that anyone can technically create a clone of Snapchat’s API now, which can be used to track the company’s user base. Which means Snapchat should listen up.
ZDNet’s Violet Blue corresponded with the GibSec team about their decision to publish. The team discovered two separate potentially exploitative scripts: the “Find Friends” exploit and the “Bulk Registration” exploit. For “Find Friends,” the hackers say they can take a list of script-generated phone numbers and obtain “the Snapchat username of anyone with a number in that range.” So, basically, you can find anyone’s Snapchat username based on their phone number. This can help spammers locate active accounts; it can also get lying cheating cheaters with secret Snapchat names in trouble.
The hackers say Snapchat has known about it for around four months—and their team (self-described as poor students with no stable income, scrounging for Bitcoin online) was able to unveil 10,000 phone numbers in seven minutes. GibSec estimates that it would take just 26.2 hours to crunch through all of Snapchat’s numbers. (That was assuming all the numbers were from the U.S., which they aren’t, so it would take longer… but still.)
The “Bulk Registration” exploit is a way to mass-register accounts, as the name suggests. It’s not quite as fecund a hack for malevolence as “Find Friends” but it underlines Snapchat’s lax attitude toward security; a platform of its size and popularity should have a better buffer. And it’s not a matter of these scripts being so complex they evade detection; GibSec told ZDNet they could’ve fixed these issues with 10 lines of code.
It might take some mediating to get past the whole “publishing all the code” thing, but Snapchat should probably just hire GibSec to pay attention to their security lapses, because no one seems to be doing it over there.