Recently I posted an article on a couple of serious flaws in the popular photo messaging application Snapchat. Gibson Security revealed that, using two exploits known as the ‘Find Friends’ exploit and the ‘Bulk Registration’ exploit, it is possible to threaten the security and privacy of millions of users.
Snapchat seems to have ignored the alerts provided by Gibson Security, and today we can read about the consequences of its reckless approach to user security.
A site called SnapchatDB.info was used as a web archive storing the personal data of 4.6 million accounts, including usernames and phone numbers. The stored data were available for download; the privacy of millions of the application’s users was violated.
SnapchatDB censored the last two digits of the phone numbers to minimize their abuse, but it has not ruled out releasing the unfiltered data in the future to press the company on user security.
I did a quick Whois lookup and discovered that the domain was registered a couple of days ago for the specific purpose of disclosing the data; of course the registrant’s identity is protected, but the mailing address and contact number are located in Panama.
The SnapchatDB managers revealed that they obtained the information by exploiting the recently patched flaws; they decided to publish it to convince the managers at Snapchat to take the security of their customers seriously.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does. We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.
We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness,” a Snapchat representative confirmed to TechCrunch.
At the time of writing the SnapchatDB domain is down; anyway, if you want to find out whether your account was compromised, you can check on the website of developer Robbie Trencheny, which searches the disclosed data for a user’s credentials.
The problem, in my opinion, is a lack of awareness among social media users: for the majority of customers the disclosure of their personal data does not trigger any alarm, and the companies providing the services know it. Unfortunately, companies perceive security as one more cost to cut rather than as a requirement demanded by their customers. I hope that in the future every user will consider carefully their online exposure and the ways service providers use their data.
The Gibson Security report and SnapchatDB should teach unaware users an important lesson: to reduce the impact of a data breach, users must also be aware of the risks of bad habits. Think of the habit of reusing the same credentials across many different services; by compromising one of them, an attacker can gain complete access to the user’s online identity.
Be aware, cyber criminals know it!
(Security Affairs – SnapChat, hacking)