

13 comments, last by Argon18 on Jan 6 at 12:51 AM

A site called SnapchatDB.info wants Snapchat to address its security flaws

Snapchat got a huge security wake-up call to the tune of 4.6 million accounts being posted and made available for download.

According to TechCrunch, a site called SnapchatDB.info posted usernames and phone numbers for 4.6 million Snapchat accounts. Some believed this was just a hoax staged to call Snapchat out on its security, but the data has been confirmed as genuine.

Either way, the intention was the same: SnapchatDB.info wanted Snapchat to acknowledge its security flaws and fix them.

"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed," said SnapchatDB.info. "It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does."

SnapchatDB obtained the data through a weakness in Snapchat's phone-number lookup that had already been identified and publicly documented; the group says below that Snapchat's later changes did not actually close it. The domain was created just yesterday.

Gibson Security researchers had originally warned Snapchat that the phone-number lookup behind its Find Friends feature could be abused to map phone numbers to usernames at scale, but Snapchat ignored the warning. Gibson Security then published the details publicly on Christmas Eve.

"We used a modified version of gibsonsec’s exploit/method," said SnapchatDB.info. "Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent."

Here's what Snapchat has to say:

“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.”
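To make the mechanism Snapchat describes concrete, here is an added toy model. It is not Snapchat's code, and not the Gibson Security or SnapchatDB scraper; the server classes, the user table, the swept number range and the quota values are all assumed for illustration. It shows why a "match these numbers to accounts" endpoint is an enumeration oracle, what a per-request cap and per-client budget do to a sweep of one area code and exchange, and why such a budget is only a minor obstacle once the scraper rotates client identities.

```python
"""Toy model of a Find Friends style lookup and an area-code sweep against it.

Constructed example: the user table, endpoint classes and limits are
assumptions, not Snapchat's implementation.
"""
from collections import defaultdict
from itertools import cycle

# Constructed user table (phone -> username); stands in for the real service's data.
USERS = {
    "+14155550101": "alice",
    "+14155550142": "bob",
    "+14155559990": "carol",
    "+12125550303": "dave",   # outside the swept exchange, should never be found
}


class FindFriendsNaive:
    """Lookup as described: upload any number of phones, get every matching account."""

    def __init__(self, users):
        self.users = users

    def find(self, client_id, phones):
        return {p: self.users[p] for p in phones if p in self.users}


class FindFriendsHardened(FindFriendsNaive):
    """Same lookup with the kind of safeguards an abuse team adds (values are
    hypothetical): a per-request size cap, a per-client lifetime budget of
    submitted numbers, and a cap on matches returned per call."""

    def __init__(self, users, per_request=500, budget=1000, max_matches=50):
        super().__init__(users)
        self.per_request = per_request
        self.budget = budget
        self.max_matches = max_matches
        self.submitted = defaultdict(int)   # client_id -> numbers submitted so far

    def find(self, client_id, phones):
        if len(phones) > self.per_request:
            raise ValueError("too many numbers in one request")
        if self.submitted[client_id] + len(phones) > self.budget:
            raise PermissionError("client quota exhausted")
        self.submitted[client_id] += len(phones)
        matches = super().find(client_id, phones)
        # Truncate rather than hand back an unbounded match set.
        return dict(list(matches.items())[: self.max_matches])


def exchange_numbers(area="415", exchange="555"):
    """All 10,000 numbers in one area code + exchange, E.164 formatted."""
    return [f"+1{area}{exchange}{n:04d}" for n in range(10_000)]


def sweep(service, phones, batch=500, client_ids=("attacker",)):
    """Feed the number space to the endpoint in batches, rotating through the
    given client identities. Returns (matches found, numbers submitted before
    the service refused further requests)."""
    found, submitted = {}, 0
    ids = cycle(client_ids)
    for i in range(0, len(phones), batch):
        chunk = phones[i : i + batch]
        try:
            found.update(service.find(next(ids), chunk))
        except PermissionError:
            break
        submitted += len(chunk)
    return found, submitted


def demo():
    phones = exchange_numbers()
    naive, _ = sweep(FindFriendsNaive(USERS), phones)
    quota, n = sweep(FindFriendsHardened(USERS), phones)
    # The per-client budget only slows a single identity down; twenty throwaway
    # accounts each spend their own budget and the whole exchange is covered.
    rotated, _ = sweep(FindFriendsHardened(USERS), phones,
                       client_ids=[f"sock{i}" for i in range(20)])
    return {"naive": naive, "quota": quota, "quota_submitted": n, "rotated": rotated}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The naive endpoint gives up every account in the exchange in twenty requests; the single-identity sweep against the hardened endpoint is cut off after 1,000 numbers, but the same sweep spread over twenty identities recovers everything again. Quotas keyed on a free-to-create identity only raise the cost of the scrape, which is the gap SnapchatDB is describing when it calls the countermeasures "not too hard to circumvent".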

Source: TechCrunch



Comments



Vigilante *$$*#**!#s
By purerice on 1/1/2014 1:07:18 PM , Rating: 2
quote:
Gibson Security researchers originally let Snapchat know about the potential for hackers to connect usernames and phone numbers in its database, but Snapchat ignored the warning. Gibson Security then published it publicly on Christmas Eve.


1. How long did they give them?
2. Why on Christmas Eve?
3. Even if the service "ignored" them, why punish the users?

Of these, 3 seems the worst. It would have been much nicer to the users to give them a public warning, because it seems like they were in the dark until their privacy was publicly violated on Christmas, probably exposed on the net for several days before they realized. I have never heard of SnapChat and likely will never use it, but if you want to be a vigilante against abusive organizations, don't "punish" them by re-abusing the very people you are upset at the company for abusing in the first place.




RE: Vigilante *$$*#**!#s
By ritualm on 1/1/2014 1:32:06 PM , Rating: 5
Trust is a very high value commodity. It needs to be taken seriously. Snapchat thought otherwise.

The developers of Snapchat had 4-5 months to fix the vulnerability. They did nothing.

Security researchers told them that such an attack can happen against Snapchat, and published how it can be done. They did nothing.

Unfortunately, the only way to make them get off their butts and fix those vulnerabilities is to make that threat real. Now Snapchat has breached the trust of millions of users by doing nothing - many of them will leave, and never return.


RE: Vigilante *$$*#**!#s
By Argon18 on 1/6/2014 12:51:23 AM , Rating: 2
"Snapchat has breached the trust of millions of users by doing nothing - many of them will leave, and never return."

Meh, memories are short and many IT products are security turds (look at Microsoft Windows) yet people continue to buy and use them anyways.

Not to mention that mainstream media doesn't pick up on something as geeky and mundane as software security exploits. So just as most Microsoft users are oblivious to the glaring unfixed flaws, so too are the majority of Snapchat users.


RE: Vigilante *$$*#**!#s
By ritualm on 1/1/2014 9:40:12 PM , Rating: 3
To add more fuel to the fire - the following is copy-pasted directly from Snapchat. Tiffany only posted a portion of it.

http://blog.snapchat.com/post/71353347590/finding-...
quote:
Occasionally computer security professionals and other helpful people reach out to us about potential bugs and vulnerabilities in Snapchat. We are grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us.

This week, on Christmas Eve, a security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.

Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Happy Snapping!

If you're a hacker, what does such a blog post sound like?

1) Snapchat has fixed its vulnerabilities so such an exploit will not affect its services; or
2) Snapchat says "Do it. We bet you can't pull this off."

The response to that blog post turned out to be "Challenge accepted".

Consider that Mark Zuckerberg offered a cool $3-billion in cold hard cash to buy Snapchat. Its founder and boss, Evan Spiegel, refused because he thought the company was worth more than $3B.

Well, Snapchat got pwned. Its millions of users are likely to stop trusting Spiegel & Co. to safeguard their private data. In other words, Snapchat is done - because its owners are stupid.


RE: Vigilante *$$*#**!#s
By Flunk on 1/2/2014 9:24:46 AM , Rating: 2
Seriously, that post basically admits their flaw and says they're not going to fix it. That's the stupidest thing they could possibly post. They should have immediately removed this "feature" or limited it to only displaying the top 3 accounts any time it was used to limit exposure.

They basically explained exactly how to extract the data in their posting. Not only that, the method is very easy; anyone with even cursory knowledge of the subject could dump that database in a few hours.

This doesn't mean I condone what's happened, but Snapchat itself is equally at fault for not taking any steps to remove this feature or fix the security flaws.


RE: Vigilante *$$*#**!#s
By jimbojimbo on 1/2/2014 11:35:34 AM , Rating: 2
Really I think "In other words, Snapchat isn't done - because its users are stupid."
Not to say they all are but a lot are and they don't really care.


Snapchat Who?
By Monkey's Uncle on 1/1/2014 1:35:31 PM , Rating: 4
Frankly this is the first time I ever heard of them.




RE: Snapchat Who?
By SPOOFE on 1/1/2014 4:04:59 PM , Rating: 2
Buncha frat boys hoping to get booby pics from "betches".


RE: Snapchat Who?
By Alexvrb on 1/1/2014 9:44:14 PM , Rating: 2
Well actually, the basic idea behind Snapchat is pretty good. In practice? Not so much. But anyway, I would consider using such a service if it was more secure. You could send silly pictures to friends and family to make them laugh, without having to worry about them getting plastered across Instagram, FB, etc.

But again, that's just in theory. There are 3rd party Snapchat apps that cheat and save the image silently (you can use screengrabs with the stock app but that warns the other user). Then there's this security debacle. Basically if it seems too good to be true it probably is.


RE: Snapchat Who?
By Spuke on 1/2/2014 12:02:09 AM , Rating: 2
Great, I just joined this morning.


RE: Snapchat Who?
By Flunk on 1/2/2014 9:26:19 AM , Rating: 2
You can just raid the cache of the stock app too because it doesn't work properly. Snapchat's security has a lot of holes in it. The whole thing seems to have been written quickly and sloppily in a basement somewhere.


RE: Snapchat Who?
By Alexvrb on 1/2/2014 9:28:38 PM , Rating: 2
That sounds about right. Great concept, really horrible execution.


Interview
By stefanvetter on 1/1/2014 1:48:46 PM , Rating: 1
Also have a look at my recent interview with the Snapchat hackers: http://ste.ve.tt/1g0PDCL




Copyright 2014 DailyTech LLC.