Snapchat’s inner circle probably had a rougher New Year’s hangover than most, seeing as 4.6 million accounts were compromised on January 1. The security breach happened after an Australian hacking collective called Gibson Security published a detailed account of a gap in Snapchat’s security system. Gibson Security called this the “Find Friends exploit” since it could potentially unveil Snapchat user phone numbers using the Find Friends feature. Snapchat published a blog post addressing the exploit, but didn’t boost security enough to prevent the actual information hack, which was carried out by an anonymous group running a website called SnapchatDB.
Snapchat acknowledged Gibson Security’s efforts (but didn’t bother to name the group) in another blog post today, and provided a dedicated email address for security issues, which is a start.
Too bad Gibson Security is still the organization that has actually done something to help people who have been hacked in this instance, creating a database that allows people to look up whether their accounts were hacked. I checked mine and was clear, but you might not be so lucky. And while Snapchat is doing the right thing by responding to this hack and taking measures to diminish chances of abuse, the company should’ve linked to the Gibson Security tool if it truly wanted to be considerate to its fans. Additionally, the wording of the blog post makes it sound like this problem isn’t going to be totally fixed.
Look at the improvements Snapchat says it’s going to make:
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
OK, the second part sounds good, albeit incredibly vague to the point of meaninglessness. As for the first part, an opt-out option is always appreciated, but it’s weird that Snapchat never mentions fixing this specific vulnerability. It’s almost as if Snapchat, I don’t know, didn’t completely fix it.
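To make the quoted promise less abstract, here is an added example (not Snapchat's code, and not from Gibson Security's write-up) of what the two named mitigations look like in a phone-number lookup service: an opt-out flag on verified accounts that excludes them from Find Friends results, and a per-caller sliding-window rate limit that charges one unit per phone number looked up rather than per request, so bulk requests cannot sidestep it. All names (`Account`, `RateLimiter`, `FindFriendsService`), the limits, and the sample accounts are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List


class RateLimited(Exception):
    """Raised when a caller exceeds its lookup budget."""


@dataclass
class Account:
    username: str
    phone: str
    verified: bool = False            # phone number confirmed by the user
    find_friends_opt_out: bool = False  # user chose not to appear in Find Friends


class RateLimiter:
    """Sliding-window limiter: at most `limit` units per `window` seconds per caller.

    Each call can carry a `cost`, so a request that looks up N phone numbers
    consumes N units of the budget instead of one.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, caller: str, now: float, cost: int = 1) -> bool:
        hits = self._hits.setdefault(caller, deque())
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) + cost > self.limit:
            return False
        hits.extend([now] * cost)
        return True


class FindFriendsService:
    MAX_PHONES_PER_REQUEST = 20  # hard cap on batch size, independent of the limiter

    def __init__(self, accounts: Iterable[Account], limiter: RateLimiter) -> None:
        self._by_phone = {a.phone: a for a in accounts}
        self._limiter = limiter

    def find_friends(self, caller: str, phones: List[str], now: float) -> Dict[str, str]:
        """Return {phone: username} for matches the owners allow to be found."""
        if len(phones) > self.MAX_PHONES_PER_REQUEST:
            raise ValueError("too many phone numbers in one request")
        # Charge the budget per phone number, not per request.
        if not self._limiter.allow(caller, now, cost=len(phones)):
            raise RateLimited(f"caller {caller!r} exceeded its lookup budget")
        results: Dict[str, str] = {}
        for phone in phones:
            acct = self._by_phone.get(phone)
            # Only verified accounts that have not opted out are matchable.
            if acct is not None and acct.verified and not acct.find_friends_opt_out:
                results[phone] = acct.username
        return results


# Constructed sample data, not real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", "15550000001", verified=True),
    Account("bob", "15550000002", verified=True, find_friends_opt_out=True),
    Account("carol", "15550000003", verified=False),
]


def demo() -> Dict[str, str]:
    svc = FindFriendsService(SAMPLE_ACCOUNTS, RateLimiter(limit=50, window=60.0))
    # bob opted out and carol is unverified, so only alice is returned.
    return svc.find_friends("app-1", ["15550000001", "15550000002", "15550000003"], now=0.0)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the `cost=len(phones)` line: a limiter that counts requests rather than numbers lets a single large batch do the work of many small ones, so the budget should be spent in the same unit the caller is actually enumerating. The batch cap and the per-caller window are separate controls; either alone leaves a gap.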
Snapchat is a young company and it’s going to have security breaches. All major social networks do. It’s not so troubling that Snapchat messed up and left a gap in security; that was bound to happen. It is troubling that the platform seems so cavalier in its response.
Gibson Security released its own blog post responding to Snapchat’s lukewarm mea culpa, also pointing out that Snapchat never explained whether the exploit was fixed. Gibson Security is rightly annoyed at Snapchat’s cold treatment, and the next time an exploit is uncovered, it may not be by hackers with good intentions.
Photo via Alexandre Dulaunoy/Flickr