One good thing to come from the leak of usernames and phone numbers of some 4.6 million Snapchat users is that the company is now forced to patch the exploited vulnerabilities.
As a reminder, the group behind the breach and the leak (mis)used the Snapchat API to look up a seemingly unlimited number of phone numbers and usernames, and was able to do so because of Snapchat’s Find Friends function and the practically non-existent rate limiting.
“We were able to query for the information as fast as our connection allowed us to,” the group explained to NYT reporters, and that was after Snapchat claimed to have “implemented various safeguards to make [bulk phone number recovery and matching with usernames] more difficult to do” and that the attack described by Gibson Security was “theoretical.”
This statement was obviously what spurred the group of researchers to compile the list and make it public, in order to prove that the company has been reckless with user information.
In a blog post published on Tuesday, Snapchat makes no mention of the “theoretical attack” nor does it offer an apology to the users.
“We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames,” they state, adding that no other information apart from the partially redacted phone numbers and usernames was leaked or accessed in the attacks.
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number,” they added. “We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
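The two fixes Snapchat announces, per-client rate limiting and an opt-out from Find Friends, are easy to see in miniature. The following is an added illustration written for this article, not Snapchat's code: a phone-to-username lookup service with a token bucket per client and an opt-out set. The directory entries, phone numbers, client ids and limits are constructed sample values. Note that an opted-out number and an unregistered number return the same answer, so the endpoint does not confirm which numbers have accounts.

```python
"""Rate-limited Find Friends style lookup (added example; sample data is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class TokenBucket:
    """Per-client bucket: `capacity` lookups in a burst, refilled at `refill_per_sec`."""
    capacity: float
    refill_per_sec: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity

    def try_consume(self, now: float) -> bool:
        """Refill for elapsed time, then spend one token if available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FindFriendsService:
    RATE_LIMITED = "rate_limited"

    def __init__(self, directory: Dict[str, str], opted_out: Iterable[str],
                 capacity: float = 5, refill_per_sec: float = 5 / 60) -> None:
        self.directory = dict(directory)          # phone -> username
        self.opted_out: Set[str] = set(opted_out)  # phones hidden from Find Friends
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}  # one bucket per client id

    def lookup(self, client_id: str, phone: str, now: float) -> Optional[str]:
        """Return a username, None (unknown or opted out), or RATE_LIMITED."""
        bucket = self.buckets.setdefault(
            client_id, TokenBucket(self.capacity, self.refill_per_sec))
        if not bucket.try_consume(now):
            return self.RATE_LIMITED
        # Opted-out users are indistinguishable from numbers with no account.
        if phone in self.opted_out:
            return None
        return self.directory.get(phone)


def bulk_scan(service: FindFriendsService, client_id: str,
              phones: Iterable[str], now: float) -> Tuple[int, int]:
    """Fire a burst of lookups from one client; return (answered, rate_limited)."""
    answered = limited = 0
    for phone in phones:
        if service.lookup(client_id, phone, now) == FindFriendsService.RATE_LIMITED:
            limited += 1
        else:
            answered += 1
    return answered, limited


# Constructed sample directory (not real users or numbers).
DIRECTORY = {"+15550100": "alice", "+15550101": "bob", "+15550102": "carol"}
OPTED_OUT = {"+15550102"}

if __name__ == "__main__":
    svc = FindFriendsService(DIRECTORY, OPTED_OUT, capacity=5, refill_per_sec=5 / 60)
    print(bulk_scan(svc, "scanner", [f"+1555{i:04d}" for i in range(100)], now=0.0))
```

With a burst capacity of five and a refill of five per minute, a client sweeping a hundred numbers gets five answers and ninety-five refusals; the remaining throughput is bounded by the refill rate rather than by connection speed.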
They also invited security researchers to notify them about any similar security vulnerabilities they may find via a dedicated email address, which means they probably didn’t have one before.
All in all, I expect this non-apology to rile up quite a few hackers. Perhaps Snapchat higher-ups should consider finally investing in security.