Snapchat Fumbles the Privacy of 4.6 Million Accounts

It hasn’t been a great start to the new year for Stanford.

Yesterday, its football team lost to Michigan State in the Rose Bowl. At halftime its band formed the silhouette of a ghost with its tongue sticking out – a reference to Snapchat, which was founded by alums. Sadly, those founders had little time to appreciate the shout-out because they’ve likely been busy trying to weather a privacy storm.

If you haven’t yet seen the CNN, USA Today, or TechCrunch headlines, Australian hackers Gibson Security disclosed two exploits in the Snapchat app. Snapchat is the sixth most downloaded free app of 2013 in the Apple AppStore, ahead of Instagram, Twitter and Facebook, and was downloaded more than 10 million times within Google Play alone. So losing 4.6 million usernames and phone numbers represents a significant share of its US user base.

So what drove these hackers to publish Snapchat’s iOS and Android APIs and the two exploits? Apparently Gibson Security originally notified Snapchat in August about the vulnerabilities and grew frustrated when the exploits weren’t patched after four months.

According to an email correspondence with ZDNet, Gibson Security explained:

“[Snapchat could have fixed this] by adding rate limiting; Snapchat can limit the speed someone can do this, but until they rewrite the feature, they’re vulnerable. They’ve had four months, if they can’t rewrite ten lines of code in that time they should fire their development team. This exploit wouldn’t have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app).”
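The quote names rate limiting as the fix. The following is an added illustration of that idea, not Snapchat’s code or anything from Gibson Security: a per-account sliding-window quota on a phone-number lookup endpoint that counts the numbers inside each batch request, so a caller cannot sidestep the limit by packing thousands of numbers into one call. The quota, window, and the simulated request stream are constructed assumptions.

```python
import time
from collections import deque


class LookupRateLimiter:
    """Per-caller quota on phone numbers looked up within a sliding window.
    Quota and window values are illustrative, not any real service's settings."""

    def __init__(self, max_numbers, window_seconds, clock=time.monotonic):
        self.max_numbers = max_numbers
        self.window = window_seconds
        self.clock = clock
        self._events = {}  # caller id -> deque of (timestamp, numbers in batch)

    def _prune(self, q, now):
        # Drop batches that have aged out of the window.
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def used(self, caller):
        """Numbers this caller has looked up inside the current window."""
        q = self._events.get(caller)
        if not q:
            return 0
        self._prune(q, self.clock())
        return sum(n for _, n in q)

    def allow(self, caller, numbers):
        """Record the batch and return True if it fits the quota, else False."""
        count = len(set(numbers))  # duplicates within a batch count once
        if count == 0 or count > self.max_numbers:
            return False  # an empty or oversized batch never passes
        now = self.clock()
        q = self._events.setdefault(caller, deque())
        self._prune(q, now)
        if sum(n for _, n in q) + count > self.max_numbers:
            return False
        q.append((now, count))
        return True


def simulate_enumeration(limiter, caller, batch_size, batches):
    """Constructed scenario: one account streams batches of sequential numbers.
    Returns (allowed_batches, refused_batches)."""
    allowed = refused = 0
    for b in range(batches):
        start = 5550000000 + b * batch_size
        batch = ["+1%d" % (start + i) for i in range(batch_size)]
        allowed, refused = (allowed + 1, refused) if limiter.allow(caller, batch) else (allowed, refused + 1)
    return allowed, refused
```

With a quota of 500 numbers per hour, a single account sending ten batches of 100 sequential numbers gets the first five through and the rest refused until the window rolls over.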

The 4.6 million usernames and phone numbers were posted yesterday on a site called SnapchatDB.info (now a suspended domain), which explained to TechCrunch:

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”

So how will this impact Snapchat’s user satisfaction levels? Probably not significantly. Snapchat’s Android and iOS apps are currently rated a 43 and 48 in Applause Analytics, respectively. Somewhat predictably, security is its lowest rated attribute with identical 24s across both platforms.

Let’s hope this disclosure drives a change in development and testing practices. As of this morning, Snapchat lists 5 open positions but none security- or testing-oriented.
