Snapchat has released an official post about the recent leak of 4.6M usernames and phone numbers from its servers. The post blames what it says was ‘abuse’ of its API on the leak, but acknowledges that the way that it stores the information made it possible for a database of numbers to be used to sniff out usernames and match them up.
Changes will be made to both Snapchat’s apps and the service in order to prevent future leaks including being able to opt out of the Find Friends feature that uses phone numbers.
Snapchat says that it was notified of the possible security risk (publicly) in August and took some steps to correct it including limiting the speed at which its API could be queried. In what is one of the most cringe-worthy security moves in recent memory, Snapchat posted a response late last month to claims of risk that outlined just how a hacker might be able to match usernames to phone numbers.
In the post, they said “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”
That is exactly what the group behind the leaked SnapchatDB.info database says that they did. The result was a trove of 4.6M Snapchat accounts matched up with usernames and phone numbers.
Despite partially redacted phone numbers and usernames, matched conveniently in an online repository, Snapchat says that “no other information, including Snaps, was leaked or accessed in these attacks.”
Notably, Snapchat’s public response to this hacking does not include an apology of any sort to its users who have had their user names or phone numbers publicly exposed. Perhaps it’s an effort to avoid an admission of guilt, but it still feels like a bad effort.
The person(s) responsible for releasing the names and numbers told Techcrunch that their motivation was to “raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”
The group says that they were following the research of Gibson Security, who gave a detailed account of how such an exploit could be accomplished to ZDNet in late December. The researches came forward after they say that they approached Snapchat and got no response from them on the matter. Snapchat’s statement today appears to confirm that its reverse engineered API was used to obtain the user info.
As our own Josh Constine mentioned about this issue late last month, Snapchat’s first mistake was to not take the efforts of ‘white hat’ hackers seriously. If Gibson Security did indeed approach Snapchat far in advance of going public, their revelations should have been taken seriously and acted on with vigor.
Snapchat’s first blog post on the issue in December acknowledged the potential vulnerability publicly and noted that some countermeasures had been put into place. But, in the same breath, it noted that there was still a method that could be used to accomplish this kind of leak. Yet it didn’t fix it.
Now, Snapchat says that it will add an opt-out to its apps which will allow people to choose not to appear in the Find Friends feature after they’ve used their phone number for verification purposes. It says it is also ‘improving’ the rate limiting it used to throttle API requests previously and adding ‘other restrictions’ to address future attempts to abuse the service.
Here’s the full post from Snapchat:
When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: firstname.lastname@example.org.
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.
Image Credit: Daniel Brusilovsky