Feeds

Snapchat: In 'theory' you could hack... Oh CRAP is that 4.6 MILLION users' details?

Hey Mr Bull, meet my friend Red Rag

High performance access to file storage

Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical.

A partially redacted database of 4.6 million usernames and phone numbers (minus two digits) - purportedly of Snapchat users - have been released by the miscreants through a site called SnapchatDB.

The Snapchat app is designed to allow users to send photos that are only supposed to be viewable for a few seconds before they are automatically deleted. A flaw in a feature of the photosharing app, originally designed to allow users to locate their friends on Snapchat through their name and phone number, emerged last week.

As previously reported, Australian security outfit Gibson Security explained how to access any phone number and username from the smartphone photo-sharing service to underline its concerns.

There was no limit on how many lookups someone could carry out each minute, a shortcoming that made it possible to do a brute force attack. In response, Snapchat put out an advisory dismissing the lack of rate-limiting as no great concern:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Describing a vulnerability as “theoretical” is the net security equivalent of waving a red flag at a bull. Sure enough, hackers picked up the implied challenge to prove Snapchat wrong. The "additional counter-measures" and "safeguards" came too late to prevent third-party hackers from lifting the usernames and number of millions of users of the smartphone app. Snapchat has yet to confirm the leak, but the contents of the database look authentic, so caution is advised.

Gibson Security only went public with its discovery last week months after it discovered the problem in August 2013 after growing increasingly frustrated by Snapchat's perceived lack of action on the security hole. The third-party hackers behind the breach are offering to share full details of the leak under unspecified conditions:

This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it. For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

Commentary on the security implications of the incident can be found in blog posts by Graham Cluley (here) and Paul Ducklin on the Sophos Naked Security blog here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Oz bank in comedy Heartbleed blog FAIL
Bank: 'We are now safely patched.' Customers: 'You were using OpenSSL?'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.