On Christmas Eve, Gibson Security sent out a tweet containing Snapchat's API and a pair of exploits for the site. This now allows anyone to copy the API and go after the app's 8 million users. Gibson also claims that the metadata can be used with other APIs to "automatically build profiles about users, which could be sold for a lot of money."
The Find Friends exploit, takes a range of phone numbers and matches it up with Snapchat usernames. The Bulk Registration Exploit allows someone to bombard the site with new registrations. Both were known to Snapchat for four months, according to Gibson, and could have been closed with ten lines of code. By reverse-engineering the iOS and Android version of the app, Gibson found the security gaps. Besides this, the company says that Snapchat is not telling the truth when it claims that its users are 70% female.
"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do."-Snapchat
Snapchat has released a brief statement saying that it has added safeguards and barriers over the years to prevent an exploit like Find Friends from matching Snapchat usernames with phone numbers. Even if there is nothing to Gibson Security's claims, it should be interesting to see if even the slightest hint of a security breach will negatively affect the value of Snapchat. Wonder if Snapchat wishes that they had accepted Google's money.
Gibson's Christmas Eve tweet revealed the exploits
source: @GibsonSec, ZDNet via TechCrunch