Breach exposes Snapchat security weaknesses

Posted: Sunday, January 5, 2014 12:00 am

Even as Snapchat has become the latest Internet darling, daring to reject multibillion-dollar acquisition deals, the young company has masked what some consider to be a dirty little secret: Its security may not be all that different from that of other big messaging services.

That secret was laid bare last week when a group of security researchers exploited a weakness in Snapchat’s systems to snag and post usernames and telephone numbers for 4.6 million Snapchat users.

Snapchat has long marketed itself as a private and more secure alternative to services like Facebook and its subsidiary Instagram. The app lets users send photo and video messages that disappear once they are viewed. That self-destruct feature initially gave the app a reputation as a favorite tool for so-called sexters, or those who send sexually suggestive photos of themselves, but eventually it went mainstream.

As of September, Snapchat’s users were sending 350 million photos a day, up from 200 million in June. The company continues to hire, has moved to a large, custom-designed office in Venice Beach, Calif., and is well-funded, recently adding $50 million in venture capital funding.

But researchers have long criticized Snapchat, saying it provides a false sense of security. They say the app’s disappearing act is illusory. Behind the scenes, Snapchat stores information about its users in a database, similar to data storage at other big Internet companies.

On Wednesday, security researchers posted the usernames and phone numbers on a site called SnapchatDB.info and made the data available for download.

In an email, the researchers said they were able to snag the data through a vulnerability identified by Gibson Security, a company that privately notified Snapchat of the hole in its system, then, after the notice was ignored, posted the vulnerability online on Christmas Eve.

The hole was later patched. SnapchatDB.info’s researchers said they posted the information because Snapchat was too slow to respond.

In an email, the security researchers behind SnapchatDB.info said they were able to grab Snapchat’s user data from its servers, where it had been stored in clear text.

In an email, one researcher said the data was not being encrypted or “hashed” to make it difficult for hackers to piece together.

“We were able to query for the information as fast as our connection allowed us to,” the researchers added. “Our main goal is to raise public awareness on how reckless many Internet companies are with user information.”

SnapchatDB.info’s researchers said that to protect affected users, they redacted the last two digits of phone numbers but would consider handing over the data in aggregate.

Snapchat addressed the leak as a malicious hack.

“On New Year’s Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks,” the company said in a blog post.

Snapchat said it would release an updated version of its application that would allow users to opt out of the function that lets people search for friends using their phone numbers. The company said it was working to prevent “future attempts to abuse our service.”

Copyright ©2014 Omaha World-Herald. All rights reserved.

