Occasionally computer security professionals and other helpful people reach out to us about potential bugs and vulnerabilities in Snapchat. We are grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us.
This week, on Christmas Eve, a security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.
Our Find Friends feature allows users to upload their address book contacts to Snapchat so that we can display the accounts of Snapchatters who match the phone numbers found in the address book. Adding a phone number to your Snapchat account is optional, but it’s helpful for allowing your friends to find you. We don’t display the phone numbers to other users and we don’t support the ability to look up phone numbers based on someone’s username.
Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.
This is so amazing.
Step 1: Security researchers find huge holes in Snapchat (Refresher: Snapchat are the “ephemeral messaging wait what do you mean screenshots exist???” people) API with which you can steal their users phone# and associated user name, Snapchat does nothing, presumably because like most IT companies, they do not give a shit about their users data, they just want to be able to pretend they do.
Step 2: Security researchers eventually post about it and post a proof of concept exploit.
Step 3: Snapchat…. does nothing, writes a blog post detailing how their app is TOTALLY secure and how the security researchers totally cannot do what their exploit that is right there and that you can run actually literally does - i.e. they lie about it and pretend there is no problem when there obviously is one.
Step 3.5: Time passes, somebody presumably runs the exploit code, which as it turns out, works.
Step 4: The phone numbers and associated user IDs of a large part of Snapchats userbase are now on the internet, for anybody who is curious to download! Congratulations, Snapchat: You’re a bunch of fucking assholes! Still no reason to care, though, because consequences for you will be minimal! A shame for your users, though, wouldn’t want to be any of them!
p.s. when do we get a law that penalizes cavalier handling of user data like this? Probably never, because any attempt to pass laws that may actually improve network security but are a bother for companies get shot down real quick!
- yummyskittles87 likes this
- hctr31690 reblogged this from snapchatme
- marie94love likes this
- mavisekiz likes this
- ihaleymartinez likes this
- jaaasey likes this
- engraved-gift likes this
- buy-a-gift likes this
- things-remembereds likes this
- personalized-gifts-pro likes this
- abobishara likes this
- wizmahdi likes this
- lilou714 likes this
- edithigunborxxx123 reblogged this from snapchatme
- saad111929 likes this
- awa53lea3 likes this
- emilycb23 likes this
- youridu93 likes this
- rudy-calmez reblogged this from snapchatme
- jessjoshlove likes this
- donnieho1369 reblogged this from snapchatme and added:
- fourfatasses reblogged this from halcy
- camylleme reblogged this from snapchatme
- dabbekungen likes this
- brooklynn-yolo-13 likes this
- bjorz likes this
- mellow937 reblogged this from snapchatme
- harapandiarpan likes this
- mesodoll reblogged this from halcy and added:
- cmlh reblogged this from snapchatme and added:
- wonder-meathead reblogged this from jessesbizarreventura and added:
- aidabuza likes this
- jessesbizarreventura reblogged this from halcy
- jessesbizarreventura likes this
- emperordweeb likes this
- halcy reblogged this from snapchatme and added:
- gloria1234love reblogged this from snapchatme
- gloria1234love likes this
- jennyfer2901 likes this
- katiekadwell reblogged this from snapchatme
- scotland-broseph reblogged this from snapchatme and added:
- grantstavely reblogged this from snapchatme
- whycanttherebesilence reblogged this from snapchatme
- stevenewton reblogged this from snapchatme
- kari18stuff likes this
- dvaka reblogged this from snapchatme
- dgodj likes this
- sandrahakasfan reblogged this from snapchatme
- sandrahakasfan likes this
- eu502841 reblogged this from snapchatme
Somewhat average だめ人間 masters CS student at University of Karlsruhe who likes to make demos. I enjoy anime, various video games, touhou project, oversized pixels and DnB.
I have an "actual blog" which I use for things that are not fancy images, mostly work/uni/demoscene related: halcy.deAn assortment of cool cats: