Feeds

Snapchat: In 'theory' you could hack... Oh CRAP is that 4.6 MILLION users' details?

Hey Mr Bull, meet my friend Red Rag

Internet Security Threat Report 2014

Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical.

A partially redacted database of 4.6 million usernames and phone numbers (minus two digits) - purportedly of Snapchat users - have been released by the miscreants through a site called SnapchatDB.

The Snapchat app is designed to allow users to send photos that are only supposed to be viewable for a few seconds before they are automatically deleted. A flaw in a feature of the photosharing app, originally designed to allow users to locate their friends on Snapchat through their name and phone number, emerged last week.

As previously reported, Australian security outfit Gibson Security explained how to access any phone number and username from the smartphone photo-sharing service to underline its concerns.

There was no limit on how many lookups someone could carry out each minute, a shortcoming that made it possible to do a brute force attack. In response, Snapchat put out an advisory dismissing the lack of rate-limiting as no great concern:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Describing a vulnerability as “theoretical” is the net security equivalent of waving a red flag at a bull. Sure enough, hackers picked up the implied challenge to prove Snapchat wrong. The "additional counter-measures" and "safeguards" came too late to prevent third-party hackers from lifting the usernames and number of millions of users of the smartphone app. Snapchat has yet to confirm the leak, but the contents of the database look authentic, so caution is advised.

Gibson Security only went public with its discovery last week months after it discovered the problem in August 2013 after growing increasingly frustrated by Snapchat's perceived lack of action on the security hole. The third-party hackers behind the breach are offering to share full details of the leak under unspecified conditions:

This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it. For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

Commentary on the security implications of the incident can be found in blog posts by Graham Cluley (here) and Paul Ducklin on the Sophos Naked Security blog here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.