Hackers may have just exposed entire database of Snapchat usernames
In the latest Snapchat security issue…
Any company that can afford to turn down $3 billion buyouts is having a very good year, and by most measures that matter for startups, disappearing-photo messaging service Snapchat is having a very good year. The “disappearing”-sharing app is picking up followers faster than a charismatic cult leader. What looked like it might be a novel digital toy for teens is now widely considered an ascendant social network—the next Facebook, the next Twitter, the next thing to make investors see dollar sign upon dollar sign.
But a company that hooks users in by offering a feeling of intimacy has a lot to lose if users decide it can’t be trusted—and it looks like Snapchat users have a new reason to worry.
Australian hacker team Gibson Security published functional code and developer hooks that let anyone infiltrate Snapchat after the messaging service ignored the hackers’ previous attempts to point out security breaches. In a foreword published on its website, the GibSec team justified its hack by noting it had been four months since the team last pointed out security issues and that “nothing had been really improved upon.”
GibSec released what they call a “full disclosure.” This means that anyone can technically create a clone of Snapchat’s API now, which can be used to track the company’s user base. Which means Snapchat should listen up.
ZDNet’s Violet Blue corresponded with the GibSec team about their decision to publish. The team discovered two separate potentially exploitative scripts: the “Find Friends” exploit and the “Bulk Registration” exploit. For “Find Friends,” the hackers say they can take a list of script-generated phone numbers and obtain “the Snapchat username of anyone with a number in that range.” So, basically, you can find anyone’s Snapchat username based on their phone number. This can help spammers locate active accounts; it can also get lying cheating cheaters with secret Snapchat names in trouble.
The hackers say Snapchat has known about it for around four months—and their team (self-described as poor students with no stable income, scrounging for Bitcoin online) was able to unveil 10,000 phone numbers in seven minutes. GibSec estimates that it would take just 26.2 hours to crunch through all of Snapchat’s numbers. (That was assuming all the numbers were from the U.S., which they aren’t, so it would take longer… but still.)
The “Bulk Registration” exploit is a way to mass-register accounts, as the name suggests. It’s not quite as fecund a hack for malevolence as “Find Friends” but it underlines Snapchat’s lax attitude toward security; a platform of its size and popularity should have a better buffer. And it’s not a matter of these scripts being so complex they evade detection; GibSec told ZDNet they could’ve fixed these issues with 10 lines of code.
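For defenders, the “Find Friends” figures above (10,000 numbers in seven minutes) show why a contact-lookup endpoint needs a per-account budget. The sketch below is an added example, not GibSec's or Snapchat's code, and the article does not say what the "10 lines" were; the class name, the 500-numbers-per-hour cap and the batch size of 100 are assumptions chosen for illustration.

```python
from collections import deque


class LookupBudget:
    """Sliding-window cap on how many phone numbers one account may look up."""

    def __init__(self, max_numbers=500, window_seconds=3600):
        # Assumed limits: room for a normal address-book sync,
        # far below the bulk rate reported in the article.
        self.max_numbers = max_numbers
        self.window = window_seconds
        self._events = {}  # account -> deque of (timestamp, numbers_charged)

    def allow(self, account, batch_size, now):
        """Charge the budget and return True if the batch fits, else False."""
        q = self._events.setdefault(account, deque())
        # Forget lookups that have aged out of the window.
        while q and q[0][0] <= now - self.window:
            q.popleft()
        used = sum(n for _, n in q)
        if used + batch_size > self.max_numbers:
            return False  # refuse the whole batch; nothing is charged
        q.append((now, batch_size))
        return True


def simulate(budget, account, total_numbers, batch_size, duration_seconds):
    """Replay evenly spaced lookup batches; return how many numbers were served."""
    batches = total_numbers // batch_size
    step = duration_seconds / batches
    served = 0
    for i in range(batches):
        if budget.allow(account, batch_size, now=i * step):
            served += batch_size
    return served


if __name__ == "__main__":
    # Constructed replay of the reported rate: 10,000 numbers in 7 minutes.
    print(simulate(LookupBudget(), "bulk-client", 10_000, 100, 7 * 60))
```

A cap keyed only on the account does not stop someone who also mass-registers accounts, which is why the two issues matter together; registration throttling would be needed alongside it.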
It might take some mediating to get past the whole “publishing all the code” thing, but Snapchat should probably just hire GibSec to pay attention to their security lapses, because no one seems to be doing it over there.
Kate Knibbs is a notable tech reporter and pop culture essayist. A former staff writer for the Daily Dot, her work has appeared in Gizmodo, the Ringer, AV Club, Digital Trends, Popular Mechanics, and Time.