Privacy lenses pointed at Snapchat
By Paul Ducklin December 31, 2013
- Security experts have laughed at the idea that Snapchat images disappear after viewing
- Hacker group Gibsonsec says there are two vulnerabilities Snapchat has failed to fix since August
SNAPCHAT is a hip and happening mobile app, and you’ve probably heard of it, though not necessarily in flattering terms if you are interested in security.
Its primary purpose seems to be to suck you into thinking that it is safe to share risky (or risqué) photos of yourself, provided that you do so via the Snapchat app, rather than via email or a regular photo-sharing service.
That’s because the Snapchat app gives recipients only a few seconds to look at your picture – just long enough for them to mouth the words, “My goodness, look who’s in the background ... that must be ....”
And before they can remember whether it was Monica or Mary (or Daniel or Dave) ...poof! The photo vanishes, and can’t be downloaded or opened again.
But security experts have laughed from Day Zero at the idea that Snapchat images could truly be said to disappear after viewing.
Even Snapchat managed to confuse itself, as we reported earlier this year, making the unlikely claim in Google's Play Store that:
The next sentence, however, boasted that:
In which case, of course, it wouldn’t have disappeared at all, let alone forever.
(As Naked Security asked more than a year ago, “What action are you going to take if you share a photo in confidence, only to discover that someone has chosen to keep a permanent record?”)
So the idea of making an absolute claim about the concept of a message that “disappears forever” was impertinent nonsense from Snapchat to start with.
And that’s before you take into account that:
- You can use a mobile phone to snap a pretty decent snapshot of a snapshot displayed on the screen of another mobile phone, and the sender will be none the wiser.
- When Snapchat was still openly promising disappearing photos, its app wasn’t even trying to delete snapshots from your phone after you viewed them; images were merely renamed so that most (but not all) image viewers would ignore them.
- Snapchat has admitted sharing images with law enforcement – something it must have known it would need to do to comply with regulations – who, we assume, did not delete those photos after they’d been viewed.
- Snapchat's image encryption apparently uses a symmetric cipher with hardwired keys, and a key baked into the app is a key that anyone can extract from the app. So any user or server that has captured the web request (admittedly an HTTPS-protected one) in which you fetched an image can decode that image later at their leisure, whether or not you or Snapchat want them to.
Snapchat’s liberal attitude to technical accuracy didn’t stop Facebook from offering recently to write a cheque for US$3 billion to buy it outright – with other potential investors apparently thinking of paying US$4 billion for that privilege.
(Even more dramatically, Snapchat’s 23-year-old founder and chief executive officer Evan Spiegel turned up his nose at both offers.)
To be fair, the company has now backed off from its “disappears forever” claims.
The Play Store promotional text now says:
But a new round of criticism has arisen, with a group of hackers who identify themselves only as Gibsonsec publishing proof-of-concept code for exploiting two vulnerabilities they claim Snapchat has failed to fix since August 2013.
The first exploitable vulnerability is that you can use the Snapchat API (Application Programming Interface) to perform apparently unlimited phone number lookups.
Once you log in with an active username and password, says Gibsonsec, you can make web requests to the Snapchat find_friends API function to check whether there is a user X with phone number Y.
The idea sounds reasonable enough: If you know someone’s phone number, you can use it to help find whether they’re on Snapchat.
But the Gibsonsec researchers claim that in their tests, they were able to check about 1,500 numbers per minute using a single cloud-based virtual server; they further estimate that 5,000 number lookups per minute ought to be fairly easy to do with some improvements to their code.
At 5,000 a minute, that would let you get through more than 7,000,000 lookups a day from a single server.
That’s the sort of request volume it would be prudent for Snapchat to limit, in order to prevent stalkers and crooks from easily searching entire telephone area codes for otherwise-unlisted individuals.
Of course, one way for Snapchat to restrict the number-finding power of unscrupulous users would be to lock out any accounts that make too many requests.
But Gibsonsec’s second exploitable vulnerability would circumvent that sort of protection: Apparently it allows unlimited registration of new accounts.
Many web services put one or more speed-bumps in the way of account creation, for example by sending an email containing a URL that needs to be visited to activate a new account, or by asking the applicant to solve a CAPTCHA.
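To make the two findings and the two countermeasures concrete, here is an added example in Python; it is not Gibsonsec's proof-of-concept code and not Snapchat's API, and every name in it (the `LookupService` class, its `find_friends` method, the 50-per-minute quota, the constructed +1 415 555 number block and its four registered users) is a hypothetical stand-in chosen for illustration. It models a phone-number lookup with no limits, the same lookup with a per-account quota, a stalker who walks around that quota by registering throwaway accounts, and finally a registration gate (the email-link or CAPTCHA step the paragraph above describes) that the throwaway accounts cannot pass.

```python
"""Toy model of the Gibsonsec findings: unlimited lookups plus unlimited
registrations. Added example, not the article's or Snapchat's code; all
names, numbers and the quota value are assumptions for illustration."""
import time
from collections import deque

LOOKUPS_PER_WINDOW = 50   # assumed quota; the article argues for a limit, not a figure
WINDOW_SECONDS = 60.0

# Constructed directory: a 1,000-number block in which only four numbers
# belong to registered users. The stalker does not know which four.
DIRECTORY = {f"+1415555{n:04d}": f"user{n}" for n in (42, 317, 606, 999)}


class RateLimited(Exception):
    pass


class NotActivated(Exception):
    pass


class LookupService:
    """find_friends-style lookup with optional quota and activation gate."""

    def __init__(self, require_activation=True, quota=LOOKUPS_PER_WINDOW,
                 clock=time.monotonic):
        self.require_activation = require_activation
        self.quota = quota          # None models the unlimited endpoint
        self.clock = clock
        self.accounts = {}          # username -> activated (bool)
        self.history = {}           # username -> timestamps of recent lookups

    def register(self, username):
        # Weak: the new account can query straight away.
        # Hardened: it exists but is useless until activate() is called,
        # which in a real service happens via an emailed link or a CAPTCHA
        # that an automated registration script cannot complete.
        self.accounts[username] = not self.require_activation
        self.history[username] = deque()

    def activate(self, username):
        self.accounts[username] = True

    def find_friends(self, username, phone):
        """Return the username registered to `phone`, or None."""
        if not self.accounts.get(username, False):
            raise NotActivated(username)
        if self.quota is not None:
            recent = self.history[username]
            now = self.clock()
            while recent and now - recent[0] > WINDOW_SECONDS:  # sliding window
                recent.popleft()
            if len(recent) >= self.quota:
                raise RateLimited(username)
            recent.append(now)
        return DIRECTORY.get(phone)


def enumerate_block(service, username, prefix="+1415555", count=1000):
    """Stalker with one account: walk the block until the service cuts him off."""
    tried, found = 0, {}
    for n in range(count):
        phone = f"{prefix}{n:04d}"
        try:
            user = service.find_friends(username, phone)
        except (RateLimited, NotActivated):
            break
        tried += 1
        if user:
            found[phone] = user
    return tried, found


def churn_enumerate(service, prefix="+1415555", count=1000):
    """Stalker with throwaway accounts: register a fresh one whenever one is cut off."""
    tried, accounts, found, n, username = 0, 0, {}, 0, None
    while n < count and accounts <= count:
        if username is None:
            accounts += 1
            username = f"throwaway{accounts}"
            service.register(username)   # note: no activate(); that step is out of band
        phone = f"{prefix}{n:04d}"
        try:
            user = service.find_friends(username, phone)
        except RateLimited:
            username = None              # this account is spent, mint another
            continue
        except NotActivated:
            break                        # the registration gate holds
        tried, n = tried + 1, n + 1
        if user:
            found[phone] = user
    return tried, accounts, found


def demo():
    weak = LookupService(require_activation=False, quota=None)   # as described
    weak.register("attacker")
    unthrottled = enumerate_block(weak, "attacker")

    quota_only = LookupService(require_activation=False)          # quota, open signup
    quota_only.register("attacker")
    throttled = enumerate_block(quota_only, "attacker")
    churned = churn_enumerate(quota_only)

    hardened = LookupService(require_activation=True)             # quota plus gate
    gated = churn_enumerate(hardened)
    return unthrottled, throttled, churned, gated
```

Running `demo()` shows the progression: the unlimited service gives up all four users in one pass; the quota stops a single account after 50 numbers (it happens to catch one user); but the quota alone is walked around with twenty throwaway accounts, which recovers all four users again; only when registration is gated does the automated attacker get no lookups at all. The quota and the registration speed-bump are one defence, not two independent ones.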
Spammers, scammers and other miscreants love services that make it easy to automate the creation of new users, and to recover information about existing users.
Snapchat really ought to do something about automated account registration and over-zealous phone number searches.
Mind you, when you’ve just turned down US$3 billion in cash from Facebook, slowing anything down probably sounds like a bad idea.
Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. He wrote this for the Sophos Naked Security blog here, and it is reprinted here with their kind permission.