Snapchat praises itself over giant phone number carelessness
By Paul Ducklin January 9, 2014
- Despite Snapchat describing a vulnerability as ‘theoretical,’ 4.6mil numbers were harvested
- Instead of apologising, the photo messaging app praised itself and said it was now fixing it
ON New Year's Day, the Sophos Naked Security blog wrote about a giant phone number leak from controversial photo messaging app Snapchat.
Here's what happened: Snapchat implemented a search service so that you could put in friends’ names and phone numbers, and find out their Snapchat handles.
Assuming, of course, that they had a Snapchat login, and that they had felt it prudent to tell Snapchat their phone number in the first place.
With hindsight, we now know that it was not at all prudent to entrust phone numbers to Snapchat, because the company did two things that were contradictory from a security point of view:
- It created an easy-to-use web interface by which anyone with a Snapchat account could perform phone number lookups in bulk. (A single request could apparently contain tens of thousands of numbers to check at the same time.)
- It “prevented” overuse – or abuse – of this interface by publishing terms and conditions that told you not to use it without permission.
But with several open source projects available that showed how to use the Snapchat web programming interface, it was really only a matter of time before someone decided to risk being kicked off Snapchat by going after those badly-shielded phone numbers.
Matters weren't helped when a self-appointed security collective calling itself Gibson Security published details on Christmas Eve of the web requests you’d need to send in order to extract phone numbers in bulk from Snapchat’s servers.
Rather than simply fixing the problem quietly and quickly in the background – as one imagines a company like Google or Facebook would have done – and then apologising, Snapchat took the curious approach of officially declaring this process of mining phone numbers to be “theoretical.”
As The Register’s John Leyden wryly remarked, throwing terms and conditions at a technical problem, and the word “theoretical” at a vulnerability announcement, is the proverbial red rag to a bull.
And so it was that on New Year’s Day we found ourselves announcing that someone had “theoretically” recovered 4,600,000 usernames and phone numbers from Snapchat and published the whole lot online. (The last two digits of each phone number were removed in a sop to decency.)
With the ball back in Snapchat’s court, we honestly expected that Snapchat would:
- Fix the problem.
- Convince us all that the fix really did work this time.
After all, part of the reason Snapchat wanted us to treat the risk as merely “theoretical” was that the company claimed to have fixed the problem already, saying over the holiday break that:
Well, Snapchat has now officially responded to the breach, and this time it has:
- Praised itself.
- Offered no apology at all.
- Said it really is fixing things now, honest.
Indeed, it seems that on the issues of privacy and trust, things could scarely be better, with the company stating that:
Apparently, Snapchat founders Evan Spiegel and Bobby Murphy – two Stanford guys who love building cool things, as their own website proclaims – aren't quite as good at actually building things that work safely and reliably.
Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. He wrote this for the Sophos Naked Security blog here, and it is reprinted on DNA with their kind permission.
Privacy lenses pointed at Snapchat
Twitter’s new DM options: To combat spam or invite more?
WeChat receives global TRUSTe certification