Feeds

Snapchat: In 'theory' you could hack... Oh CRAP is that 4.6 MILLION users' details?

Hey Mr Bull, meet my friend Red Rag

Secure remote control for conventional and virtual desktops

Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical.

A partially redacted database of 4.6 million usernames and phone numbers (minus two digits) - purportedly of Snapchat users - have been released by the miscreants through a site called SnapchatDB.

The Snapchat app is designed to allow users to send photos that are only supposed to be viewable for a few seconds before they are automatically deleted. A flaw in a feature of the photosharing app, originally designed to allow users to locate their friends on Snapchat through their name and phone number, emerged last week.

As previously reported, Australian security outfit Gibson Security explained how to access any phone number and username from the smartphone photo-sharing service to underline its concerns.

There was no limit on how many lookups someone could carry out each minute, a shortcoming that made it possible to do a brute force attack. In response, Snapchat put out an advisory dismissing the lack of rate-limiting as no great concern:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Describing a vulnerability as “theoretical” is the net security equivalent of waving a red flag at a bull. Sure enough, hackers picked up the implied challenge to prove Snapchat wrong. The "additional counter-measures" and "safeguards" came too late to prevent third-party hackers from lifting the usernames and number of millions of users of the smartphone app. Snapchat has yet to confirm the leak, but the contents of the database look authentic, so caution is advised.

Gibson Security only went public with its discovery last week months after it discovered the problem in August 2013 after growing increasingly frustrated by Snapchat's perceived lack of action on the security hole. The third-party hackers behind the breach are offering to share full details of the leak under unspecified conditions:

This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it. For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

Commentary on the security implications of the incident can be found in blog posts by Graham Cluley (here) and Paul Ducklin on the Sophos Naked Security blog here. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.