Snapchat grudgingly admits your username could 'theoretically' be exposed
Snapchat’s most recent blog post addresses the recent security hole exposed by hacker collective Gibson Security. Kind of. “We recently added additional counter-measures and continue to make improvements to combat spam and abuse,” the app’s blog post reads. Unfortunately many questions and much skepticism remain.
Gibson Security’s “Find Friends” exploit outlines how to match Snapchat users with their phone numbers, something Snapchat does not allow. In other words, if you input your phone number so friends can find you on Snapchat, you were leaving yourself open to having your number and your username linked together, and opening yourself up to spam (and potential ridicule)… until this problem was fixed.
Snapchat described how this “Find Friends” exploit could expose every user’s phone number, but it wasn’t exactly a mea culpa. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” the blog post admits. But the team didn’t go into detail about what kind of counter-measures they implemented, or acknowledge Gibson Security’s role in bringing this issue to light (this isn’t the first time the Australian hacker group has pointed out Snapchat’s security problems, either).
Daily Dot talked to Gibson Security via email after the team published its findings, and they noted that Snapchat did not reach out to them as of the day of the blog post (December 27). It’s strange that a social network would ignore the people exposing their security problems, but certainly not unprecedented; you may recall the time a hacker actually broke into Mark Zuckerberg’s personal Facebook wall to complain about a bug after earlier attempts to communicate failed.
Snapchat updates its blog sparingly; often, the posts are remarkably thoughtful reflections from house researcher Nathan Jurgenson. Sometimes the team responds to controversy, as it did last May after ways to resurrect snaps were discovered. But the company is reticent when it comes to addressing complaints, and this instance appears no different—Snapchat did not respond to Daily Dot’s request for comment on this blog post or when news of the security issues first broke. Since the team hasn’t elaborated, it’s unclear exactly how Snapchat has safeguarded itself against the “Find Friends” exploit—or if it took 10 lines of code, as Gibson Security said it would.
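Snapchat has not said what its counter-measures are, so the following is an added illustration rather than Snapchat's or Gibson Security's code. It shows the kind of server-side guard a contact-sync endpoint can apply to refuse the bulk, range-style uploads the blog post describes ("every number in an area code") while still serving an ordinary address-book sync. Every threshold, account id, phone number and the `directory` map are constructed assumptions; the pruning window, batch cap and sequential-run check are design choices, not anything the company has disclosed.

```python
"""Server-side guard for a phone-number contact-sync lookup.

Added illustration, not Snapchat's code: the article only says that
"counter-measures" were added. Thresholds, account ids and numbers
below are constructed assumptions.
"""
from collections import defaultdict, deque

MAX_BATCH = 500                 # assumed cap on numbers per upload
MAX_DISTINCT_PER_DAY = 2_000    # assumed cap on distinct numbers per account/day
SEQUENTIAL_FRACTION = 0.5       # a batch that is mostly consecutive looks like a sweep
WINDOW_SECONDS = 24 * 3600


class ContactLookupGuard:
    def __init__(self):
        # account_id -> deque of (timestamp, phone_number) lookups inside the window
        self._history = defaultdict(deque)

    def _prune(self, account_id, now):
        """Drop lookups older than the sliding window."""
        q = self._history[account_id]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    @staticmethod
    def sequential_fraction(numbers):
        """Fraction of numbers whose successor (n + 1) is also in the batch.

        A real address book is scattered across exchanges; an enumeration of
        an area code is a contiguous run, so this fraction is close to 1.
        """
        digits = {int(n) for n in numbers if n.isdigit()}
        if len(digits) < 2:
            return 0.0
        hits = sum(1 for n in digits if n + 1 in digits)
        return hits / len(digits)

    def check(self, account_id, numbers, now):
        """Return (allowed, reason); record the lookups only when allowed."""
        numbers = list(dict.fromkeys(numbers))  # de-duplicate, keep order
        if len(numbers) > MAX_BATCH:
            return False, "batch too large"
        if self.sequential_fraction(numbers) >= SEQUENTIAL_FRACTION:
            return False, "batch looks like a number-range sweep"
        self._prune(account_id, now)
        seen = {n for _, n in self._history[account_id]}
        new = [n for n in numbers if n not in seen]
        if len(seen) + len(new) > MAX_DISTINCT_PER_DAY:
            return False, "daily distinct-number quota exceeded"
        for n in new:
            self._history[account_id].append((now, n))
        return True, "ok"


def lookup_contacts(guard, directory, account_id, numbers, now):
    """Resolve uploaded contacts to usernames only when the guard allows it.

    `directory` is a constructed phone -> username map standing in for the
    real user store; only numbers the caller actually uploaded are resolved.
    """
    allowed, reason = guard.check(account_id, numbers, now)
    if not allowed:
        return {"matches": {}, "error": reason}
    matches = {n: directory[n] for n in numbers if n in directory}
    return {"matches": matches, "error": None}


if __name__ == "__main__":
    g = ContactLookupGuard()
    book = {"15550000101": "alice", "15550000777": "bob"}  # constructed sample
    print(lookup_contacts(g, book, "acct-1", ["15550000101", "15550000777"], 1000))
    sweep = [str(15550000000 + i) for i in range(200)]  # constructed range sweep
    print(lookup_contacts(g, book, "acct-2", sweep, 1000))
```

The three checks are independent and cheap: the batch cap bounds how much any one request can learn, the sequential-run check rejects the area-code style sweep the blog post describes even when it is split into small requests, and the per-account daily quota with a sliding window caps the total an account can resolve, which is what turns a "theoretical" bulk match into an expensive one.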
Publishing the exploits might’ve been a bit of a grey hat act on Gibson Security’s part, but it exposed a very real security flaw, even though Snapchat’s trying to minimize it by characterizing the issue as something confined to the theoretical. Snapchat’s decision to privilege intimacy and private sharing has been a refreshing antidote to the data aggregating philosophies of some of the other popular social apps, and it’s disappointing that the company’s progressive thinking doesn’t extend to its treatment of hackers.
Photo via The Ithacan/Flickr