YegorP
Posts: 684
Topics: 237
Kudos: 610
Registered: ‎02-15-2012

Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers


According to a PCWorld article from earlier this morning, researchers from computer security research group Gibson Security have discovered (and published proof-of-concept code for) a vulnerability in Snapchat that could potentially give hackers the ability to quickly find user phone numbers by abusing the legitimate 'find_friends' feature of the Snapchat API.

 

Snapchat, a popular photo messaging and sharing app, is best known for giving users the ability to allot a time period for the photos they send. Once the recipient views the Snapchat message, the picture is automatically deleted after the specified time period is up.

 

Gibson Security actually revealed the vulnerability back in August, but on December 25, the researchers finally decided to release two exploits (the aforementioned "find_friends" as well as a separate issue) because they said Snapchat failed to fix the issues in those four months. So what did they do?

 

"We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers). We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z's) in approximately 7 minutes on a gigabyte line on a virtual server."


The researchers went on to say that they estimate that at least 5000 numbers could be tested in a minute and that in one month, an attacker could fly through around 292 million numbers...on a single server.

 

Snapchat wasn't immediately available for comment, according to PCWorld. You can read the full article by clicking the aforementioned link.

 

Snapchat Security Issue.jpg

 

(Source: Google Images)

 

 Jasper_The_Rasper also posted about this vulnerability (with links to another article as well as the aforementioned proof-of-concept) here on the Community forums. 

--Yegor P--
Social Media Content Coordinator

YegorP
Posts: 684
Topics: 237
Kudos: 610
Registered: ‎02-15-2012

Re: Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers

The Snapchat hack drama continues...

 

Two days after hackers leaked 4.6 million usernames and phone numbers, Snapchat finally responded and confirmed (via a blog post) the leak, according to a recent VentureBeat article. While the delay is understood (the info was leaked on New Year's Eve and New Year's Day is a holiday), the more pressing issue is the company's lack of an apology. Here is part of their response:


"We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks."


A researcher from Gibson Security (the group who discovered the vulnerability) says that he believes that the troubling issue here is that Snapchat isn't taking the warning seriously, likely believing it to be nothing more than a theoretical bug rather than a legitimate security vulnerability, which it clearly is. The hackers who released the database that exposed the usernames and phone numbers are also frustrated, claiming that the point of releasing that database was to make Snapchat aware and to patch the vulnerabilities.

 

However, while Gibson Security sees why the hackers carried out the attack on Snapchat, they believe they took it too far and are not sure if their motivation was 'genuine', saying they could have "at least censored more of the phone numbers." Gibson also made a tool available on their website to help users see if they were affected.

 

You can read the full story by clicking the aforementioned link.

 

Snapchat user database leak.jpg

(Source: VentureBeat)

 

 

--Yegor P--
Social Media Content Coordinator
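
A server-side detection sketch for the Find Friends abuse described in the two posts above, added here as an illustration and not taken from Snapchat, Gibson Security or either article. The thresholds, account names and log format are assumptions, and the sample lookups are constructed.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60            # assumed sliding window
MAX_DISTINCT_PER_WINDOW = 500  # assumed ceiling, well below the ~5000/minute rate quoted above
SWEEP_MIN_NUMBERS = 100        # assumed minimum sample before judging prefix concentration
SWEEP_PREFIX_SHARE = 0.8       # assumed share of numbers in one (XXX) YYY prefix that signals a sweep

def detect_enumeration(events):
    """events: (timestamp_seconds, account, [10-digit numbers]) tuples in time order.
    Returns {account: reason} for accounts whose lookups resemble enumeration."""
    windows = defaultdict(deque)  # account -> (timestamp, number) pairs inside the window
    alerts = {}
    for ts, account, numbers in events:
        win = windows[account]
        win.extend((ts, n) for n in numbers)
        while win and win[0][0] <= ts - WINDOW_SECONDS:
            win.popleft()
        if account in alerts:
            continue
        distinct = {n for _, n in win}
        if len(distinct) > MAX_DISTINCT_PER_WINDOW:
            alerts[account] = "volume"
        elif len(distinct) >= SWEEP_MIN_NUMBERS:
            # A real address book spreads over many prefixes; a sweep of the Z digits does not.
            top = Counter(n[:6] for n in distinct).most_common(1)[0][1]
            if top / len(distinct) >= SWEEP_PREFIX_SHARE:
                alerts[account] = "prefix-sweep"
    return alerts

def sample_events():
    """Constructed lookup log; numbers use the unassigned 555 area code."""
    events = [(5, "alice", [f"555{100 + i:03d}{(i * 37) % 10000:04d}" for i in range(150)])]
    for step in range(5):  # 1000 numbers every 12 seconds, i.e. 5000 per minute
        batch = [f"555010{step * 1000 + z:04d}" for z in range(1000)]
        events.append((step * 12, "bulk", batch))
    for step in range(6):  # 40 numbers every 20 seconds, all in one sub-range
        batch = [f"555011{step * 40 + z:04d}" for z in range(40)]
        events.append((step * 20, "slow", batch))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_enumeration(sample_events()))
```

The second rule catches a client that stays under the volume ceiling but still walks one sub-range, which a per-minute cap alone would miss.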

New Member
layman2003
Posts: 1
Registered: ‎10-10-2013

Re: Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers

how do you confirm if your account info was listed?
DavidP1970
Posts: 3,143
Kudos: 1,589
Registered: ‎10-28-2012

Re: Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers

Hello layman2003 and welcome to the Webroot Community!

 

That is an excellent question, and I have not seen anything posted regarding that either.  Here is a link to the entire Blog article that Snapchat posted regarding this issue.  I didn't see anything in the article that would answer the question, but I might have missed it.

 

What I DID see however, was an email address at the end of the 5th paragraph that they invite users to use to report potential vulnerabilities.  I would suggest using that email address as a starting point in attempting to contact them regarding this one.



      




"If you don't learn something new every day, you need to pay more attention. I often get my daily learning here so grab a chair and stay a while!"
WSA-Complete (Beta Tester), Toshiba Satellite L305, Intel Pentium Dual CPU at 1.87 GHz, 3 GB RAM With Windows 7 (x86) (Yes it's old.. but it still usually works! : )
Community Leader
Jasper_The_Rasper
Posts: 1,042
Registered: ‎06-12-2013

Re: Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers

Hi layman2003.

If you take a look at this article Hackers Stole Millions Of Phone Numbers And Usernames From Snapchat — Here's How To See If You're OK

 

"Last night, hackers posted a database of 4.6 million Snapchat usernames and phone numbers online.

The database appears to have been taken down in the past few hours.

To check if your phone number or Snapchat user name was exposed, you can use this site."

 

I hope you find that useful.

 

JtR

Community Leader

DavidP1970
Posts: 3,143
Kudos: 1,589
Registered: ‎10-28-2012

Re: Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers

Thank you Jasper!

 

I knew I had seen a site link for that somewhere!



      

Community Leader
Jasper_The_Rasper
Posts: 1,042
Registered: ‎06-12-2013

Re: Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers

You're welcome, David.

Community Leader
