Just two short weeks after as many as 40 million debit and credit cards were compromised in Target’s massive security breach, 4.6 million usernames and phone numbers were leaked from the servers of Snapchat, the self-destructing photo and video app, via its Find Friends feature. The group behind the hack, which uploaded the information to SnapchatDB.info, claims to have reverse-engineered the detailed research that Australian firm Gibson Security provided to ZDNet days before. According to Gibson Security, it made its findings public only after Snapchat ignored its report, which it had sent all the way back in August.
“Snapchat can limit the speed someone can do this, but until they rewrite the feature, they’re vulnerable. They’ve had four months, if they can’t rewrite ten lines of code in that time they should fire their development team. This exploit wouldn’t have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app),” Gibson Security told ZDNet on Christmas.
Much of the coverage today has focused on the unapologetic nature and leadership of 23-year-old Snapchat CEO and co-founder Evan Spiegel. The leadership team of the app, which was founded on the principle of user privacy, seems to have no regard for that principle whatsoever. On one hand, the lack of leadership and responsibility could render Snapchat, which was valued at $4 billion just a month ago, obsolete. On the other hand, most of the Snapchat community might not care, or might remain completely oblivious, since no photos or videos were leaked.
What do you think of Snapchat’s response? Too laid-back or appropriate? Would acknowledging their mistakes make them look weak or responsible?
Here’s the full blog post they issued earlier in response to the hack:
Find Friends Abuse
When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year’s Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: firstname.lastname@example.org.
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.
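The two mitigations the post names, a per-user opt-out from Find Friends and rate limiting on phone-number lookups, modelled as an added Python example. This is hypothetical code written for this page, not Snapchat's; the service class, its quota values and the sample user directory are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory (hypothetical data): username -> verified phone number.
SAMPLE_USERS = {
    "alice": "+15550100001",
    "bob": "+15550100002",
    "carol": "+15550100003",
}


class RateLimitExceeded(Exception):
    """Raised when a client's phone-number lookup budget for the window is exhausted."""


class FindFriendsService:
    """Hypothetical phone-to-username lookup with two mitigations: a per-user
    opt-out (the user no longer appears in results) and a per-client sliding-window
    budget on how many numbers may be looked up, so bulk scanning of random
    numbers is refused rather than answered slowly."""

    def __init__(self, users, max_numbers_per_window=200, window_seconds=3600,
                 clock=time.monotonic):
        self._phone_of = dict(users)            # username -> phone
        self._opted_out = set()                 # usernames hidden from Find Friends
        self._max_numbers = max_numbers_per_window
        self._window = window_seconds
        self._clock = clock                     # injectable so tests are deterministic
        self._history = defaultdict(deque)      # client_id -> timestamps of looked-up numbers

    def set_opt_out(self, username, opted_out=True):
        """Let a verified user choose not to appear in Find Friends results."""
        if username not in self._phone_of:
            raise KeyError(username)
        if opted_out:
            self._opted_out.add(username)
        else:
            self._opted_out.discard(username)

    def _charge(self, client_id, count):
        """Sliding-window budget: each number looked up costs one unit, and units
        older than the window expire. The whole batch is refused when it would
        exceed the budget; a partial answer would let a scan ratchet forward."""
        now = self._clock()
        q = self._history[client_id]
        while q and now - q[0] >= self._window:
            q.popleft()
        if len(q) + count > self._max_numbers:
            raise RateLimitExceeded(
                f"{client_id}: {len(q)} of {self._max_numbers} numbers already used "
                f"in the last {self._window}s; batch of {count} refused")
        q.extend([now] * count)

    def lookup(self, client_id, phones):
        """Return {phone: username} for uploaded numbers that belong to a user who
        has not opted out. The budget is charged before any matching happens."""
        self._charge(client_id, len(phones))
        wanted = set(phones)
        return {
            phone: username
            for username, phone in self._phone_of.items()
            if phone in wanted and username not in self._opted_out
        }


if __name__ == "__main__":
    svc = FindFriendsService(SAMPLE_USERS, max_numbers_per_window=5, window_seconds=60)
    print(svc.lookup("app-client-1", ["+15550100001", "+15550100009"]))
    svc.set_opt_out("alice")
    print(svc.lookup("app-client-1", ["+15550100001"]))
    try:
        svc.lookup("app-client-1", ["+15550100003"] * 10)
    except RateLimitExceeded as err:
        print("refused:", err)
```

Two design points worth noting. Returning only the numbers that match does nothing on its own against enumeration, since the attacker supplies the candidate numbers; the budget on looked-up numbers is what bounds how much of the phone-number space one client can probe per window. The opt-out is enforced at result time, so a user who opts out disappears from lookups immediately rather than at the next index rebuild.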