Around 4.6 million Snapchat users have had their usernames and associated phone numbers exposed online after a group of anonymous hackers took advantage of a recently disclosed software security vulnerability.
Researchers at Gibson Security published a proof-of-concept exploit for the vulnerability, noting that their efforts to disclose the issue to the photo messaging service had gone unanswered. Using the exploit, an attacker could feed the app's "Find Friends" feature batches of candidate phone numbers and get back the username registered to each number that matched, building a list of users' phone numbers from the Snapchat database whether or not the account is private. A separate weakness in the service could be used to register thousands of accounts quickly, which could then be used for spam.
Both the "Find Friends" exploit and the "Bulk Registration" exploit published by Gibson take advantage of Snapchat's failure to rate-limit those requests: anyone who wanted to could rent a single virtual server and run the registration or friend-finding calls en masse. By Gibson's calculations, it would be possible to pull every Snapchat user's phone number in around 20 hours with a single virtual server.
In an email to ZDNet, Gibson said the issue could be fixed with 10 lines of code and justified the public disclosure by pointing to Snapchat's repeated decisions to ignore security researchers, explaining that the company had been notified of the flaw in August. The researchers also raised the concern that the exploit could be used for stalking.
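The control the researchers describe is small: a per-caller rate limit on the lookup and registration endpoints, plus a cap on how many numbers one request may carry. The example below is added here to show what that looks like; it is not Snapchat's code or Gibson's exploit. The directory, the limits, the caller identifier and the phone-number block swept are all constructed for illustration, and the sweep only simulates the enumeration pattern against an in-memory lookup.

```python
"""Added example: a per-caller sliding-window rate limit and a batch-size cap
in front of a phone-number lookup, with a simulated enumeration sweep run
against the unprotected and the protected version. All names, limits and
data are constructed; this is not Snapchat's code or Gibson Security's."""
import time
from collections import deque

# Constructed sample directory: phone number -> username (hypothetical values).
USER_DB = {
    "+15550000017": "alice",
    "+15550000042": "bob",
    "+15550000311": "carol",
}

MAX_NUMBERS_PER_REQUEST = 20   # one call can no longer sweep a whole number block
MAX_REQUESTS_PER_WINDOW = 5    # per caller, per endpoint (assumed values)
WINDOW_SECONDS = 60.0


class RateLimited(Exception):
    pass


class BadRequest(Exception):
    pass


class SlidingWindowLimiter:
    """Allows at most `limit` calls per `window` seconds for each key.
    `clock` is injectable so the behaviour can be exercised without sleeping."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # key -> deque of call timestamps still inside the window

    def allow(self, key):
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop calls that have aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def find_friends_unprotected(numbers):
    """The weak design: any list size, any call rate; every registered number
    in the list comes back with its username."""
    return {n: USER_DB[n] for n in numbers if n in USER_DB}


def find_friends_protected(limiter, caller, numbers):
    """Same lookup behind a batch cap and a per-caller rate limit."""
    if len(numbers) > MAX_NUMBERS_PER_REQUEST:
        raise BadRequest("too many numbers in one request")
    if not limiter.allow(("find_friends", caller)):
        raise RateLimited("slow down")
    return find_friends_unprotected(numbers)


def register_protected(limiter, caller, username, phone):
    """Account creation behind the same limiter, keyed per endpoint, so one
    source cannot mint thousands of accounts for spam."""
    if not limiter.allow(("register", caller)):
        raise RateLimited("slow down")
    USER_DB[phone] = username
    return True


def sweep(lookup, first, count, batch):
    """Simulated enumeration: walk a contiguous number block in batches and
    collect every hit. Stops at the first rate-limit refusal."""
    found = {}
    requests = 0
    for start in range(first, first + count, batch):
        block = [f"+1555{n:07d}" for n in range(start, min(start + batch, first + count))]
        try:
            found.update(lookup(block))
        except RateLimited:
            break
        requests += 1
    return found, requests


def demo():
    """Returns (hits, requests) for the open lookup and for the guarded one."""
    # No protection: one request pulls every username in the 400-number block.
    open_hits, open_reqs = sweep(find_friends_unprotected, 0, 400, 400)

    # Protected: a fixed clock puts every call inside one window, so the
    # caller is cut off after MAX_REQUESTS_PER_WINDOW batches of 20 numbers.
    limiter = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS,
                                   clock=lambda: 1000.0)

    def guarded(nums):
        return find_friends_protected(limiter, "10.0.0.5", nums)  # assumed caller key

    ltd_hits, ltd_reqs = sweep(guarded, 0, 400, MAX_NUMBERS_PER_REQUEST)
    return open_hits, open_reqs, ltd_hits, ltd_reqs


if __name__ == "__main__":
    print(demo())
```

Against the open lookup one request recovers all three usernames; against the guarded one the same sweep is stopped after five requests covering the first 100 numbers, which is the difference between a 20-hour dump and an attack that has to be spread over many callers and many windows. In a real deployment the limiter would be keyed by source address and authenticated account and its counters kept in shared storage so that every API node enforces the same budget.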
Responding to the disclosure
Snapchat addressed the disclosure in a blog post saying that it is generally happy to work with security researchers and downplaying the significance of the flaw. Some people have already taken advantage of it: a website called SnapchatDB.info published a database of 4.6 million usernames and associated phone numbers (with the last two digits redacted), explaining that it was sharing the data to "raise awareness." On Jan. 2, the company issued a second statement saying it would update the app to let users opt out of the Find Friends feature after verifying their phone numbers.
"We're also improving rate limiting and other restrictions to address future attempts to abuse our service," the company added.
While the actual damage is likely limited, the vulnerability underscores the importance of limiting abuse of APIs by building controls such as rate limiting into the code itself. Using tools such as source code analysis, developers can identify potential areas for abuse before the code is released, helping them protect their users.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.