Following the events of the last few days, Snapchat is not willing to risk any further leakage.
Snapchat has released an official post about the recent leak of 4.6M usernames and phone numbers from its servers. The post blames the leak on what it says was ‘abuse’ of its API, but acknowledges that the way it stores the information made it possible for a database of numbers to be used to sniff out usernames and match them up. Changes will be made to both Snapchat’s apps and the service in order to prevent future leaks, including the ability to opt out of the Find Friends feature that uses phone numbers. Snapchat says that it was notified of the possible security risk (publicly) in August and took some steps to correct it, including limiting the speed at which its API could be queried.

In what is one of the most cringe-worthy security moves in recent memory, Snapchat posted a response late last month to claims of risk that outlined just how a hacker might be able to match usernames to phone numbers. In the post, they said “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.” That is exactly what the group behind the leaked SnapchatDB.info database says that they did. The result was a trove of 4.6M Snapchat accounts matched up with usernames and phone numbers.

Despite partially redacted phone numbers and usernames, matched conveniently in an online repository, Snapchat says that “no other information, including Snaps, was leaked or accessed in these attacks.” Notably, Snapchat’s public response to this hacking does not include an apology of any sort to its users who have had their usernames or phone numbers publicly exposed. Perhaps it’s an effort to avoid an admission of guilt, but it still feels like a bad effort.
The person(s) responsible for releasing the names and numbers told TechCrunch that their aim was to “raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.” The group says that they were following the research of Gibson Security, who gave a detailed account of how such an exploit could be accomplished to ZDNet in late December. The researchers came forward after they say they approached Snapchat and got no response on the matter. Snapchat’s statement today appears to confirm that its reverse-engineered API was used to obtain the user info.

As our own Josh Constine mentioned about this issue late last month, Snapchat’s first mistake was not taking the efforts of ‘white hat’ hackers seriously. If Gibson Security did indeed approach Snapchat far in advance of going public, their revelations should have been taken seriously and acted on with vigor. Snapchat’s first blog post on the issue in December acknowledged the potential vulnerability publicly and noted that some countermeasures had been put into place. But, in the same breath, it noted that there was still a method that could be used to accomplish this kind of leak. Yet it didn’t fix it.

Now, Snapchat says that it will add an opt-out to its apps which will allow people to choose not to appear in the Find Friends feature after they’ve used their phone number for verification purposes. It says it is also ‘improving’ the rate limiting it previously used to throttle API requests and adding ‘other restrictions’ to address future attempts to abuse the service.
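As an added illustration (not part of the original article, and not Snapchat’s code), the following constructed Python model shows the two controls Snapchat describes, a Find Friends opt-out and per-caller rate limiting on distinct numbers, together with a miss-ratio signal a defender could use to spot bulk enumeration of an area code. The directory, phone numbers and thresholds are made up.

```python
from collections import defaultdict

# Constructed sample directory: phone number -> (username, discoverable).
# bob has opted out of Find Friends, mirroring the opt-out the article describes.
DIRECTORY = {
    "+14155550101": ("alice", True),
    "+14155550102": ("bob", False),
    "+14155550103": ("carol", True),
}

class FindFriendsService:
    """Phone-to-username lookup with the controls the article mentions:
    a per-caller budget of distinct numbers per window (rate limiting) and
    an opt-out flag, plus a miss-ratio signal for spotting bulk enumeration."""

    def __init__(self, directory, max_distinct=5, miss_ratio_alert=0.8):
        self.directory = directory
        self.max_distinct = max_distinct
        self.miss_ratio_alert = miss_ratio_alert
        self.seen = defaultdict(set)                  # caller -> numbers queried
        self.stats = defaultdict(lambda: {"lookups": 0, "misses": 0})

    def lookup(self, caller, numbers):
        """Return {phone: username} for discoverable matches.

        The budget is checked against the whole batch before anything is
        resolved, so an over-limit request yields no partial result."""
        distinct = self.seen[caller] | set(numbers)
        if len(distinct) > self.max_distinct:
            raise PermissionError(f"{caller}: distinct-number budget exceeded")
        self.seen[caller] = distinct

        results = {}
        for number in numbers:
            self.stats[caller]["lookups"] += 1
            entry = self.directory.get(number)
            # An opted-out user must look exactly like an unknown number;
            # a distinguishable response would still confirm the account exists.
            if entry is None or not entry[1]:
                self.stats[caller]["misses"] += 1
                continue
            results[number] = entry[0]
        return results

    def looks_like_enumeration(self, caller):
        """Bulk scans of an area code mostly hit numbers with no account, so a
        caller who has used the whole budget with a high miss ratio is flagged."""
        s = self.stats[caller]
        if s["lookups"] < self.max_distinct:
            return False
        return s["misses"] / s["lookups"] >= self.miss_ratio_alert
```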
Here’s the full post from Snapchat: