12-27-2013 11:05 AM
A security hole in popular photo messaging service Snapchat could allow attackers to find the phone numbers of many users in a short period of time, according to Gibson Security, a computer security research group.
The researchers published proof-of-concept code that abuses a legitimate feature of the Snapchat API (application programming interface) called "find_friends" to iterate through a large number of phone numbers and match them to Snapchat accounts.
Gibson Security first revealed this vulnerability in August, along with some other issues it found after reverse engineering the Snapchat API, the protocol used by Snapchat clients for Android and iOS to communicate with the company's servers.
Snapchat is a popular messaging application that also allows users to share photos, videos and drawings. It's best known for its photo self-destruct feature, where senders can specify a time period of a few seconds after which a picture viewed by the recipient is automatically deleted.
The Gibson Security researchers decided to release two exploits on Dec. 25, one for the "find_friends" issue and one for a separate issue, because, according to them, the company failed to fix the problems during the past four months.
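From the defending side, the bulk matching of phone numbers described above shows up as one account looking up far more distinct numbers in a short window than an address-book sync would. The sketch below is an added example, not code from Snapchat or Gibson Security; the event layout, account names, window and limit are all assumptions, and the phone numbers are constructed.

```python
from collections import Counter, defaultdict, deque


def flag_enumeration(events, window=60, limit=200):
    """Return {account: timestamp} for accounts whose count of distinct
    looked-up numbers within any `window`-second span exceeds `limit`.

    `events` is an iterable of (unix_time, account, [phone_numbers]) tuples,
    one per contact-lookup request (hypothetical log layout).
    """
    recent = defaultdict(deque)    # account -> (ts, number) pairs still in the window
    counts = defaultdict(Counter)  # account -> number -> occurrences in the window
    flagged = {}
    for ts, account, numbers in sorted(events, key=lambda e: e[0]):
        q, c = recent[account], counts[account]
        for number in numbers:
            q.append((ts, number))
            c[number] += 1
        # Drop lookups that have aged out of the sliding window.
        while q and q[0][0] <= ts - window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > limit and account not in flagged:
            flagged[account] = ts  # first moment the account crossed the limit
    return flagged


def sample_events():
    """Constructed sample data: one ordinary user and one bulk-lookup account."""
    contacts = [f"+1555{n:07d}" for n in range(30)]
    events = [(0, "alice", contacts), (3600, "alice", contacts)]  # sync, later re-sync
    for i in range(6):  # 100 consecutive numbers per request, every 5 seconds
        start = 2000000 + i * 100
        batch = [f"+1555{n:07d}" for n in range(start, start + 100)]
        events.append((100 + 5 * i, "acct_x", batch))
    return events


if __name__ == "__main__":
    print(flag_enumeration(sample_events()))
```

A short window like this only bounds the lookup rate, so it is normally paired with a longer per-account budget on distinct numbers.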