This article was published on January 1, 2014

Confirmed: Hackers exploit Snapchat’s security hole, leak 4.6m usernames and phone numbers online


If you’re a Snapchat user, then you might be interested to know that someone may have found a way to save the usernames and phone numbers for 4.6 million accounts. The website SnapchatDB.info allows anyone to simply grab either as a SQL dump or a CSV text file information that the creators claim was acquired through “the recently patched Snapchat exploit”.

Update 1: We’ve received confirmation from the creators of SnapchatDB saying that the response to the Gibson Security report was not enough. The site is run by a group of security researchers who claim that they have no malicious intent. However, they did have this to say about Snapchat:

Snapchat’s response to gibsonsec was simply not enough. When communicated privately, Snapchat disregarded the submission and didn’t even implement rate limiting. Gibsonsec’s full disclosure doesn’t work as-is anymore. But it still does with very minor modifications. Millions of people are trusting Snapchat with their private data and if Snapchat doesn’t care enough to implement something as simple as rate limiting, we think the public needs to know how reckless they are.

Update 2: Developers Will Smidlein and Robbie Trencheny say they’ve set up a checker script that allows anyone to look to see if their account was included in the leak.

Although claiming that the stolen database was meant to raise awareness of Snapchat’s security hole, SnapchatDB’s creators say that they’ve “censored the last two digits of the phone numbers” in an effort to “minimize spam and abuse”. But the alleged generosity has its limits as there’s still a possibility that the unfiltered data could be released, affecting millions.

We did a quick WHOIS lookup on SnapchatDB’s domain and found that it was created on December 31. Although the registrant name is protected, the mailing address and contact number are listed as being in Panama. How genuine the information in this database is remains in question — it has not been authenticated yet by Snapchat. This could certainly all be an elaborate hoax taking advantage of the recent issues the ephemeral messaging service has had.

We’ve reached out to Snapchat and the creators of SnapchatDB for comment and will update if we hear back.

As noted on Hacker News, those who attempt to download the database may encounter difficulties, either because of traffic congestion or because the files are incomplete. Whatever the issue is, it’s unknown how many people are actually receiving the complete, redacted dataset.

In December, Australia-based Gibson Security published a report highlighting two exploits in Snapchat, claiming that hackers could easily gain access to users’ personal data. It’s said that users’ names, aliases, and phone numbers could be gathered through the service’s Android and iOS API.

Snapchat has since responded to the Gibson report, saying:

Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
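Both statements above turn on the same control: SnapchatDB’s creators say Snapchat “didn’t even implement rate limiting”, and Snapchat itself describes how an unbounded Find Friends upload could be turned into a number-to-username table. The following is an added illustration, written for this article and not Snapchat’s code (nor anything from SnapchatDB or Gibson Security), of what a per-account lookup budget on such an endpoint looks like. The endpoint name, the limits, the in-memory store and the sample directory are all assumptions.

```python
"""Added example: a per-account lookup budget for a contact-matching
("find friends") endpoint. Illustrative code, not Snapchat's
implementation; limits, store and sample data are assumptions."""
import time
from collections import defaultdict

MAX_NUMBERS_PER_REQUEST = 500    # assumed cap on one address-book upload
MAX_NUMBERS_PER_WINDOW = 5_000   # assumed per-account lookup budget
WINDOW_SECONDS = 24 * 60 * 60    # assumed budget window (one day)


class LookupBudget:
    """Sliding-window count of how many phone numbers an account has asked
    the service to match. Sweeping an area code needs millions of lookups,
    so a budget sized for a real address book blocks it while ordinary
    users never hit the limit."""

    def __init__(self, per_request=MAX_NUMBERS_PER_REQUEST,
                 per_window=MAX_NUMBERS_PER_WINDOW, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.per_request = per_request
        self.per_window = per_window
        self.window = window
        self.clock = clock
        # account id -> list of (timestamp, numbers looked up) within window
        self._events = defaultdict(list)

    def _used(self, account, now):
        cutoff = now - self.window
        recent = [(t, n) for t, n in self._events[account] if t > cutoff]
        self._events[account] = recent
        return sum(n for _, n in recent)

    def check(self, account, numbers):
        """Return (allowed, reason). A rejected request is not counted, so
        the two checks are ordered cheapest first and a caller cannot
        spend budget it was refused."""
        distinct = set(numbers)
        if len(distinct) > self.per_request:
            return False, "too many numbers in one request"
        now = self.clock()
        if self._used(account, now) + len(distinct) > self.per_window:
            return False, "lookup budget exhausted"
        self._events[account].append((now, len(distinct)))
        return True, "ok"


def find_friends(directory, budget, account, numbers):
    """Match uploaded numbers against registered accounts after the budget
    check. Only number -> username for the caller's own uploads is returned;
    there is deliberately no username -> number direction."""
    allowed, reason = budget.check(account, numbers)
    if not allowed:
        return {"error": reason, "matches": {}}
    matches = {n: directory[n] for n in set(numbers) if n in directory}
    return {"error": None, "matches": matches}


# Constructed sample directory (not real accounts or numbers).
SAMPLE_DIRECTORY = {"+15550100": "alice", "+15550101": "bob"}

if __name__ == "__main__":
    budget = LookupBudget()
    print(find_friends(SAMPLE_DIRECTORY, budget, "acct1",
                       ["+15550100", "+15550199"]))
    sweep = ["+1555%04d" % i for i in range(10_000)]   # constructed bulk upload
    print(find_friends(SAMPLE_DIRECTORY, budget, "acct1", sweep))
```

The per-request cap stops a single oversized upload, and the windowed budget stops the obvious workaround of splitting the same list into many small requests; both are per account, so the cost of an exhaustive sweep becomes proportional to the number of accounts an attacker controls rather than to request rate alone.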

While the purpose of this website is apparently to push Snapchat further toward closing its security gap and to prove the company wrong in its response, one must wonder whether this is the right thing to do — exposing individual account information in this manner could be considered a tad extreme, even for something of this magnitude.

Hat-tip to @MadLid
