Yesterday, its football team lost to Michigan State in the Rose Bowl. At halftime its band formed the silhouette of a ghost with its tongue sticking out – a reference to Snapchat, which was founded by alums. Sadly, those founders had little time to appreciate the shout-out because they’ve likely been busy trying to weather a privacy storm.
If you haven’t yet seen the CNN, USA Today, or TechCrunch headlines, Australian hackers Gibson Security disclosed two exploits in the Snapchat app. Snapchat is the sixth most downloaded free app of 2013 in the Apple AppStore, ahead of Instagram, Twitter and Facebook, and was downloaded more than 10 million times within Google Play alone. So losing 4.6 million usernames and phone numbers represents a significant share of its US user base.
So what drove these hackers to publish Snapchat’s iOS and Android APIs and the two exploits? Apparently Gibson Security originally notified Snapchat in August about the vulnerabilities and grew frustrated when the exploits weren’t patched after four months.
According to an email correspondence with ZDNet, Gibson Security explained:
“[Snapchat could have fixed this] by adding rate limiting; Snapchat can limit the speed someone can do this, but until they rewrite the feature, they’re vulnerable. They’ve had four months, if they can’t rewrite ten lines of code in that time they should fire their development team. This exploit wouldn’t have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app).”
The 4.6 million usernames and phone numbers were posted yesterday on a site called SnapchatDB.info (now a suspended domain), which explained to TechCrunch:
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”
So how will this impact Snapchat’s user satisfaction levels? Probably not significantly. Snapchat’s Android and iOS apps are currently rated a 43 and 48 in Applause Analytics, respectively. Somewhat predictably, security is its lowest rated attribute with identical 24s across both platforms.
Let’s hope this disclosure drives a change in development and testing practices. As of this morning, Snapchat lists 5 open positions but none security- or testing-oriented.