Snapchat Security Hole Could Allow for Easy Access to User Phone Numbers

  • 27 December 2013
  • 6 replies
  • 8 views

Userlevel 7
According to a Jasper_The_Rasper also posted about this vulnerability (with links to another article as well as the aforementioned proof-of-concept) here on the Community forums. 


Userlevel 7
The Snapchat hack drama continues...
 
Two days after hackers leaked 4.6 million usernames and phone numbers, Snapchat finally responded and confirmed (via a blog post) the leak, according to a recent VentureBeat article. While the delay is understood (the info was leaked on New Year's Eve and New Year's Day is a holiday), the more pressing issue is the company's lack of an apology. Here is part of their response:

"We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year's Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks."


A researcher from Gibson Security (the group who discovered the vulnerability) says that he believes that the troubling issue here is that Snapchat isn't taking the warning seriously, likely believing it to be nothing more than a theoretical bug rather than a legitimate security vulnerability, which it clearly is. The hackers who released the database that exposed the usernames and phone numbers are also frustrated, claiming that the point of releasing that database was to make Snapchat aware and to patch the vulnerabilities.

 
However, while Gibson Security sees why the hackers carried out the attack on Snapchat, they believe they took it too far and are not sure if their motivation was 'genuine', saying they could have "at least censored more of the phone numbers." Gibson also made a tool available on their website to help users see if they were affected.

 
You can read the full story by clicking the aforementioned link.
(Source: VentureBeat)

 
 
how do you confirm if your account info was listed?
Userlevel 7
Hello layman2003 and welcome to the Webroot Community!
 
That is an excellent question, and I have not seen anything posted regarding that either.  Here is a link to the entire Blog article that Snapchat posted regarding this issue.  I didn't see anything in the article that would answer the question, but I might have missed it.
 
What I DID see however, was an email address at the end of the 5th paragraph that they invite users to use to report potential vulnerabilities.  I would suggest using that email address as a starting point in attempting to contact them regarding this one.
Userlevel 7
Badge +54
Hi layman2003.
If you take a look at this article Hackers Stole Millions Of Phone Numbers And Usernames From Snapchat — Here's How To See If You're OK
 
"Last night, hackers posted a database of 4.6 million Snapchat usernames and phone numbers online.

The database appears to have been taken down in the past few hours.

To check if your phone number or Snapchat user name was exposed, you can use this site."
 
I hope you find that useful.
 
JtR
Userlevel 7
Thank you Jasper!
 
I knew I had seen a site link for that somewhere!
Userlevel 7
Badge +54
You're welcome David. 😉
