A week ago the Gibson Security research team published details about two major security flaws in Snapchat, one of which could potentially allow hackers to mass collect phone numbers from Snapchat users. Just yesterday it came to light that a group of hackers calling themselves SnapchatDB had followed the ‘instructions’ posted by the security team and had subsequently managed to leak 4.6 million partially redacted phone numbers, all in a move designed to bring attention to Snapchat’s unfixed security issues.
So what exactly made this ‘hack’ possible? Basically, the exploit took advantage of Snapchat’s “Find Friends” feature. The feature is designed to make it possible to find friends via a phone number, but hackers can also use it to their advantage: because the service answers a lookup for any number it is given, SnapchatDB was able to upload a bunch of random numbers to see if any of them matched Snapchat accounts, creating a list of numbers that could then theoretically be sold to third parties for spamming and other purposes.
As you can imagine, this has created a lot of concern about the security of Snapchat in general. Sure, these particular hackers didn’t sell the numbers or anything, but next time things could be different.
On the bright side, Snapchat has since responded and says they are preparing an updated version of Snapchat that will allow users to opt out of appearing in Find Friends. They will also be “improving rate limiting and other restrictions to address future attempts to abuse our service.”
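One way to implement the two fixes Snapchat describes, an opt-out flag that hides a user from lookups and a per-client rate limit that counts every submitted number against a quota, as an added example that is not Snapchat’s code; the user directory, client IDs and the 100-per-hour quota are constructed assumptions:

```python
"""Hardened 'find friends' lookup: opt-out honoured, bulk lookups rate limited.

Added example with a constructed directory; not Snapchat's implementation.
"""
from collections import defaultdict, deque

# Constructed directory: phone number -> (username, discoverable via Find Friends)
USERS = {
    "+15550001": ("alice", True),
    "+15550002": ("bob", False),   # bob opted out, so he must never be returned
    "+15550003": ("carol", True),
}

MAX_LOOKUPS_PER_WINDOW = 100   # assumed policy: numbers per client per window
WINDOW_SECONDS = 3600


class FindFriendsService:
    def __init__(self, max_lookups=MAX_LOOKUPS_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_lookups = max_lookups
        self.window = window
        # client_id -> timestamps, one per number looked up (sliding window)
        self._events = defaultdict(deque)

    def _consume(self, client_id, now, count):
        """Charge `count` lookups to the client; False if that exceeds the quota."""
        q = self._events[client_id]
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        if len(q) + count > self.max_lookups:
            return False
        q.extend([now] * count)
        return True

    def find_friends(self, client_id, numbers, now):
        """Return {number: username} for discoverable matches only.

        Every submitted number is charged against the quota, so one large
        batch cannot sidestep a per-request limit. Raises PermissionError
        when the client has exhausted its window.
        """
        if not self._consume(client_id, now, len(numbers)):
            raise PermissionError("rate limit exceeded for client %s" % client_id)
        matches = {}
        for number in numbers:
            entry = USERS.get(number)
            if entry and entry[1]:        # opted-out users never appear
                matches[number] = entry[0]
        return matches
```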
Interestingly enough, Snapchat has never directly apologized for the issue in the first place, though they have made it clear that information about any future security issues should be promptly sent to “Security@snapchat.com”.
What do you think of the whole number leaking debacle? Does this leak negatively affect your opinion of Snapchat, or do you think the media is making a bigger deal out of this than they should? Let us know what you think in the comments.