Back in December, unknown hackers who call themselves Snapchat DB published a list of phone numbers and user names of 4.6 million Snapchat users. The popular service responded to the hackers' attack with a statement explaining what happened.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does,” the service said in its statement.
“We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data,” Snapchat added.
“Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.”
As Reuters writes, the service was first alerted to the vulnerability this summer by the security group Gibson Security. The company ignored the warning, prompting Gibson Security to send one more message.
“Given that it’s been around four months since our last Snapchat release, we figured we’d do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure: none of them),” Gibson wrote on the Gibson Security website.
Snapchat has since assured users that it updated its system so that it becomes more resistant to the weaknesses, but the company also published a blog post downplaying the threat as “theoretical” on December 27.
The service’s incredible popularity among teens and young users has made it one of the most closely watched social media companies in the world, and social networking site Facebook reportedly offered $3 billion last year, but Snapchat declined to sign the deal.
Snapchat requires its new users to upload their phone number so that their friends can find them on the service. The phone numbers were not attached to any real names.
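The feature described above, a lookup that answers "which of these phone numbers belong to users?", is exactly what was scraped at scale. As an added illustration (hypothetical code, not Snapchat's), the following sketch shows the defensive controls a friend-finder endpoint would want: numbers are stored only as keyed hashes, batch size and per-caller daily quota are capped, and callers whose lookups are overwhelmingly misses (a real contact list mostly matches friends; a sequential sweep mostly does not) are flagged for review. All names, thresholds and the server secret are constructed for the example.

```python
"""Added example: a phone-number friend-finder lookup with abuse controls.

Hypothetical code, not Snapchat's. Assumes a service that stores only keyed
hashes of registered numbers, caps lookups per caller, and flags callers
whose lookup pattern looks like bulk enumeration rather than a contact list.
"""
import hashlib
import hmac
from collections import defaultdict

SERVER_SECRET = b"constructed-example-secret"  # placeholder, not a real key
MAX_BATCH = 50               # numbers accepted per request
DAILY_QUOTA = 500            # numbers a single account may look up per day
MISS_RATIO_ALERT = 0.9       # flag when >= 90% of lookups are non-users
MIN_LOOKUPS_FOR_ALERT = 200  # ignore tiny samples (small address books)


def number_token(phone: str) -> str:
    """Keyed hash of the digits of a phone number; raw numbers are never stored."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return hmac.new(SERVER_SECRET, digits.encode(), hashlib.sha256).hexdigest()


class FriendFinder:
    def __init__(self, registered_numbers: dict):
        # registered_numbers: {phone_number: user_handle}, constructed test data
        self._tokens = {number_token(n): h for n, h in registered_numbers.items()}
        self._used = defaultdict(int)    # lookups consumed per caller (per-day window assumed)
        self._misses = defaultdict(int)  # lookups that matched no user, per caller

    def find_friends(self, caller: str, contacts: list) -> dict:
        """Return {contact_number: handle} for contacts that are registered users."""
        if len(contacts) > MAX_BATCH:
            raise ValueError("batch too large")
        if self._used[caller] + len(contacts) > DAILY_QUOTA:
            raise PermissionError("daily lookup quota exceeded")
        self._used[caller] += len(contacts)
        found = {}
        for c in contacts:
            handle = self._tokens.get(number_token(c))
            if handle is None:
                self._misses[caller] += 1
            else:
                found[c] = handle
        return found

    def suspicious_callers(self) -> list:
        """Callers with a large, mostly-missing lookup volume (enumeration signature)."""
        out = []
        for caller, n in self._used.items():
            if n >= MIN_LOOKUPS_FOR_ALERT and self._misses[caller] / n >= MISS_RATIO_ALERT:
                out.append(caller)
        return sorted(out)


if __name__ == "__main__":
    finder = FriendFinder({"+1 415 555 0100": "alice", "+14155550101": "bob"})
    print(finder.find_friends("carol", ["+1-415-555-0100", "+14155550199"]))
```

The quota and batch cap turn a single-pass dump into a months-long job per account, and the miss-ratio check gives the operations team a signal to act on before the counters alone would stop anything. In a real deployment the counters would live in a shared store with a daily reset; here they reset only when the object is recreated.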
A phone number is “not as bad as password or magnetic strip information, but it’s the piece of the puzzle that criminals need to impersonate identities,” Gartner security analyst Avivah Litan said in a phone call.
Christopher Soghoian, principal technologist with the American Civil Liberties Union, agreed with his colleague.
“The main problem was that they ignored a responsible report by security researchers,” he said, adding that his concern is not with the specific database of information that was released, but that Snapchat has “demonstrated a cavalier attitude about privacy and security.”
“This probably won’t be the last problem with Snapchat,” Soghoian added. Internet giants like Microsoft and Google actively court security researchers and even pay bounties for people to expose flaws in their systems.
“Snapchat may be too small to pay bounties, but they certainly should be treating researchers with respect and addressing issues as soon as they are told about them,” the specialist concluded.