It took just a week for someone to take advantage of the full disclosure of several (at the time) unpatched Snapchat vulnerabilities, and the result is a published list of 4.6 million username and phone number matches.
Snapchat is an extremely popular photo messaging app / service that bases its success on making photos and messages “self-destruct” a few seconds after being viewed by the recipient.
Security researchers have long had a problem with it, claiming it gives users a false sense of security, as it cannot guarantee that the recipient won’t take a screenshot of the received message and, thus, manage to keep it and misuse it.
But the latest trouble does not stem from this particular problem – it came about after a group of researchers chose to publicly disclose details about several Snapchat vulnerabilities they discovered in August.
Initially, they contacted the company and shared that information with them, in the hope that it would react promptly and fix the holes in a reasonable amount of time.
Some four months later the holes are still there, claimed the anonymous researchers who go by the name of Gibson Security, and they decided to force the company’s hand by sharing the vulnerability information and proof-of-concept exploit code with the public.
One of the vulnerabilities allows (registered) attackers to use the Snapchat API to look up a seemingly unlimited number of phone numbers in order to discover whether those phone users are also using Snapchat. As the users’ usernames are tied to the phone number, the flaw allows the compilation of a huge database that can be misused for spamming, stalking, etc.
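What makes the flaw above exploitable at scale is the absence of any cap on how many phone numbers one registered account may look up. The following detection logic is an added example, not code from the article or from Snapchat: it sweeps a constructed access log for a hypothetical lookup endpoint (the log format, the `/friends/lookup` path and the 200-numbers-per-five-minutes threshold are all assumptions) and flags accounts whose burst of lookups is far beyond a genuine address-book sync.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real Snapchat logs) from a hypothetical access
# log of a "find friends by phone number" endpoint: caller and batch size.
SAMPLE_LOG = """\
2013-12-31T10:00:01Z user=alice endpoint=/friends/lookup numbers=4
2013-12-31T10:00:09Z user=bob endpoint=/friends/lookup numbers=12
2013-12-31T10:00:02Z user=acct_917 endpoint=/friends/lookup numbers=1000
2013-12-31T10:00:03Z user=acct_917 endpoint=/friends/lookup numbers=1000
2013-12-31T10:00:04Z user=acct_917 endpoint=/friends/lookup numbers=1000
2013-12-31T10:03:40Z user=alice endpoint=/friends/lookup numbers=2
2013-12-31T11:30:00Z user=acct_917 endpoint=/friends/lookup numbers=50
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) endpoint=(?P<ep>\S+) numbers=(?P<n>\d+)$")


def parse_log(text, endpoint="/friends/lookup"):
    """Return {user: [(timestamp, numbers_in_batch), ...]} for one endpoint."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["ep"] != endpoint:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["user"]].append((ts, int(m["n"])))
    return events


def peak_lookups(events, window=timedelta(minutes=5)):
    """Per account, the most phone numbers queried within any sliding window."""
    peaks = {}
    for user, evs in events.items():
        evs.sort()                       # order by timestamp
        total, start, best = 0, 0, 0
        for ts, n in evs:                # two-pointer sweep over the window
            total += n
            while ts - evs[start][0] > window:
                total -= evs[start][1]   # drop events that fell out of the window
                start += 1
            best = max(best, total)
        peaks[user] = best
    return peaks


def flag_enumerators(text, threshold=200, window=timedelta(minutes=5)):
    """Accounts whose burst of lookups exceeds a plausible address-book sync."""
    peaks = peak_lookups(parse_log(text), window)
    return sorted(u for u, p in peaks.items() if p > threshold)
```

The same per-account window count, enforced server-side as a hard quota rather than only reported from logs, is the mitigation that removes the "seemingly unlimited" property the researchers described.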
Last week, Snapchat dismissed the attack as theoretical, but an unknown individual or group of people proved them wrong on Wednesday, when a list of 4.6 million usernames and phone numbers of Snapchat users was made available for download on the aptly-named Snapchatdb.info domain.
The site was soon shut down, but not before the list was downloaded and widely shared online.
“This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” they confirmed in a notice posted on the now-defunct site.
“The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
Luckily, the person or group decided to censor the last two digits of the phone numbers in order to minimize spam and abuse, but has also said that, “under certain circumstances”, they are willing to disclose the uncensored database.
The Gibson Security team helpfully offered a lookup tool that Snapchat users can use to see whether their username and phone number have been compromised in the breach, and advice on what to do if they were.
In the meantime, let’s hope that Snapchat is working on fixing all the disclosed security flaws.