Since August, Gibson Security has been trying to warn Snapchat of an exploit that could match the usernames of Snapchat users, with their phone numbers. For a site that has become wildly popular because photo, video and written messages disappear after ten seconds, the hack could be quite painful. The app has become so red hot that the powers that be allegedly turned down $4 billion for the operation from Google. And that was after the last financing round done in June valued the company at just $800 million.
On Christmas Eve, Gibson Security sent out a tweet containing Snapchat's API and a pair of exploits for the site. This now allows anyone to copy the API and go after the app's 8 million users. Gibson also claims that the metadata can be used with other APIs to "automatically build profiles about users, which could be sold for a lot of money."
The Find Friends exploit, takes a range of phone numbers and matches it up with Snapchat usernames. The Bulk Registration Exploit allows someone to bombard the site with new registrations. Both were known to Snapchat for four months, according to Gibson, and could have been closed with ten lines of code. By reverse-engineering the iOS and Android version of the app, Gibson found the security gaps. Besides this, the company says that Snapchat is not telling the truth when it claims that its users are 70% female.
"[Snapchat could have fixed this] by adding rate limiting; Snapchat can limit the speed someone can do this, but until they rewrite the feature, they're vulnerable. They've had four months, if they can't rewrite ten lines of code in that time they should fire their development team. This exploit wouldn't have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app)."-Gibson Security
"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do."-Snapchat
Snapchat has released a brief statement saying that it has added safeguards and barriers over the years to prevent an exploit like Find Friends from matching Snapchat usernames with phone numbers. Even if there is nothing to Gibson Security's claims, it should be interesting to see if even the slightest hint of a security breach will negatively affect the value of Snapchat. Wonder if Snapchat wishes that they had accepted Google's money.
Gibson's Christmas Eve tweet revealed the exploits
Alan, an ardent smartphone enthusiast and a veteran writer at PhoneArena since 2009, has witnessed and chronicled the transformative years of mobile technology. Owning iconic phones from the original iPhone to the iPhone 15 Pro Max, he has seen smartphones evolve into a global phenomenon. Beyond smartphones, Alan has covered the emergence of tablets, smartwatches, and smart speakers.
A discussion is a place, where people can voice their opinion, no matter if it
is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some
random thoughts, which are not directly related to the matter.
Things that are NOT allowed:
Off-topic talk - you must stick to the subject of discussion
Offensive, hate speech - if you want to say something, say it politely
Spam/Advertisements - these posts are deleted
Multiple accounts - one person can have only one account
Impersonations and offensive nicknames - these accounts get banned
Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a
post should be moderated - please, report it.
Have a question about the rules or why you have been moderated/limited/banned? Please,
contact us.
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed: