After security researchers published a way to match Snapchat usernames to phone numbers through the app's find-friends lookup, Snapchat has issued a skimpy statement that makes the hack sound impractical and notes, “We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
Earlier this week ZDNet published an in-depth write-up of how white-hat researchers at Gibson Security had tried to notify Snapchat of a way attackers could connect usernames to phone numbers, a capability with obvious uses for stalking, but were ignored. The GibSec team then published the exploit publicly on Christmas Eve. Read ZDNet’s post for full details on how the hack works.
Snapchat hadn’t provided a public statement until now, and what it’s offered isn’t very satisfying. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.” The statement goes on to say that additional barriers to this kind of bulk matching have been added, without saying what they are.
There are no details on how these countermeasures work: whether they are rate limits on how many contacts a client can submit, blocking of IP addresses that send abusive traffic, or automated systems that flag suspicious patterns such as a single account looking up far more numbers than any real address book holds, with almost none of them matching. Keeping the new barriers vague may make them harder to evade, but it doesn’t offer much comfort to users.
Snapchat is right that there’s no direct way to look up someone’s phone number from their username, or vice-versa. The lookup only runs in one direction, from numbers supplied in a contacts upload to the usernames registered against them, which is exactly why the attack has to enumerate numbers in bulk. And it’s true that matching names and phone numbers on a limited basis is very helpful for users trying to find their friends on the service through their phone’s address book. Still, the company’s statement doesn’t seem very sympathetic to people concerned about their privacy.
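To make the mechanics concrete, here is an added example in Python. It is not Snapchat's or Gibson Security's code, and it does not model Snapchat's real API or safeguards; the directory, client IDs, thresholds and the FindFriendsService class are all constructed for illustration. It shows a toy find-friends lookup, the attacker loop that enumerates every number under a prefix against it, and a hardened variant that applies the three kinds of countermeasure the article speculates about (a per-request batch cap, a per-client quota, and a low-hit-rate anomaly check), so you can see where the enumeration gets cut off.

```python
from collections import defaultdict

# Constructed sample directory: phone number -> username. A real service would
# hold far more entries and usually store hashed numbers; plaintext keeps the
# example readable.
DIRECTORY = {
    "+14155550101": "alice",
    "+14155554242": "bob",
    "+14155557777": "carol",
}


def naive_find_friends(numbers):
    """Unprotected lookup: returns every match for a batch of any size."""
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def enumerate_prefix(lookup, prefix, width, batch_size):
    """Attacker loop: submit every number under `prefix` in batches until the
    service refuses. Returns (matches found, why the loop stopped).
    prefix "+1415555" with width 4 covers 10,000 candidate numbers."""
    candidates = [f"{prefix}{i:0{width}d}" for i in range(10 ** width)]
    found = {}
    for start in range(0, len(candidates), batch_size):
        try:
            found.update(lookup(candidates[start:start + batch_size]))
        except (ValueError, PermissionError) as exc:
            return found, str(exc)
    return found, "completed"


class FindFriendsService:
    """Hypothetical hardened lookup. Thresholds are illustrative, not tuned."""

    MAX_BATCH = 100      # contacts accepted per request
    DAILY_QUOTA = 1000   # contacts a client may submit per day
    MIN_SAMPLE = 300     # don't judge hit rate until this many lookups
    MIN_HIT_RATE = 0.01  # real address books match far more often than this

    def __init__(self):
        self.submitted = defaultdict(int)  # client_id -> numbers submitted
        self.hits = defaultdict(int)       # client_id -> numbers that matched
        self.flagged = set()               # clients showing enumeration pattern

    def lookup(self, client_id, numbers):
        if client_id in self.flagged:
            raise PermissionError("client flagged for enumeration")
        if len(numbers) > self.MAX_BATCH:
            raise ValueError("batch too large")
        if self.submitted[client_id] + len(numbers) > self.DAILY_QUOTA:
            raise PermissionError("daily quota exceeded")

        matches = {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}
        self.submitted[client_id] += len(numbers)
        self.hits[client_id] += len(matches)

        # Anomaly check: a client that has looked up many numbers and matched
        # almost none of them is sweeping a number space, not syncing contacts.
        sent = self.submitted[client_id]
        if sent >= self.MIN_SAMPLE and self.hits[client_id] / sent < self.MIN_HIT_RATE:
            self.flagged.add(client_id)
        return matches


def demo():
    """Run the attacker against both endpoints; returns results for inspection."""
    naive_found, naive_reason = enumerate_prefix(naive_find_friends, "+1415555", 4, 500)

    svc = FindFriendsService()
    hard_found, hard_reason = enumerate_prefix(
        lambda nums: svc.lookup("attacker", nums), "+1415555", 4, svc.MAX_BATCH)

    # A constructed legitimate user syncing a small address book that happens
    # to contain two registered friends is served normally and never flagged.
    legit_book = [f"+1650555{i:04d}" for i in range(48)] + ["+14155554242", "+14155557777"]
    legit_matches = svc.lookup("legit", legit_book)

    return {
        "naive": (naive_found, naive_reason),
        "hardened": (hard_found, hard_reason),
        "legit": (legit_matches, "legit" in svc.flagged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against the naive endpoint the sweep completes and recovers all three usernames. Against the hardened one the attacker gets one match before the hit-rate check flags the account after the third batch, well before the daily quota would have. Note what the per-client counters do not cover: an attacker who registers many throwaway accounts resets every counter, which is why IP-level blocking and cross-account anomaly detection are the other two layers, and why a flag should trigger a challenge or review rather than a silent hard ban, since a real user with a sparse address book can also land below the threshold.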
Don’t Ignore The White Hats
Snapchat isn’t the only one who’s had security issues around names and phone numbers. In June, a hacker named Brandon Copley downloaded 2.5 million phone numbers from Facebook by abusing Graph Search, which returned the profiles of users whose settings allowed their phone number to be used to find them through search. Facebook sent Copley a cease-and-desist notice over the situation.
Several tech startups have recently felt the bite of bad PR and worried users after ignoring claims from white-hat security researchers. Facebook’s CEO Mark Zuckerberg had a message posted on his own profile wall by a white hat who, after being dismissed by Facebook’s security team, used the bug to prove his exploit worked. But Facebook at least admitted that it had “failed” in its communication with the researcher and vowed to improve its bug submission and review process.
Snapchat did neither of these in its statement today. The whole situation could have been handled with more tact. Snapchat is a very young startup that’s only recently been thrust into the spotlight, though, so some growing pains are to be expected.