Security Firm Spills the Beans on Snapchat Vulnerabilities
Dec 28, 2013 5:00 AM PT
After its discovery of a security hole in Snapchat was ignored for months, Gibson Security earlier this week released the API for the Snapchat application along with two exploits.
One exploit lets hackers match phone numbers with Snapchat users' names en masse; the other enables hackers to create huge numbers of fake Snapchat accounts. Together, the API and the exploits will let hackers duplicate Snapchat's API and stalk the 8 million users the site is reported to have.
The documentation is based on the current build of Snapchat -- version 4.1.01, Gibson Security stated.
Why Gibson Did It
Gibson Security published the information because Snapchat had not fixed any of the exploits it had released in August, it said.
One of these was a flaw in the "Find friends" function that let hackers easily create a database of the usernames and phone numbers of Snapchat app users. Another was a denial of service exploit.
Further, Snapchat's storage and transmission of media was not secure, Gibson said.
What's a Gibson Security?
The identity of Gibson Security and the people behind it remains unclear.
Emails sent to the address listed on the company's website bounced.
The company solicits Bitcoin donations on its website because "we're poor students, with no stable source of income."
However, in an April press release, the company described itself as a computer security group.
Gibson Security consists of Australian hackers, according to ZDNet.
Doing the Right Thing?
In publishing the Snapchat API and the exploits, Gibson was following common practice, Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
However, Gibson's actions "seem more focused on giving [it] notoriety than on actually fixing the problem," Enderle suggested. "It may also reflect a need to punish a firm that doesn't respond properly to a warning."
Gibson's release of the exploits "bring up the question of ethics," Jim McGregor, principal analyst at Tirias Research, told TechNewsWorld.
"You always have programmers or hackers who are a bit overzealous and feel that, if a company they've notified about vulnerabilities doesn't react, it's their responsibility to publicize those vulnerabilities to the world," McGregor remarked. "The question is, how far should you take it?"
Gibson should probably have waited until someone had launched an attack on Snapchat, then told the world they had warned the company and it was negligent, Enderle opined. Or, it could have published news that it had discovered exploits and what damage these could do and offered to share what it had discovered with other security firms rather than telling the world at large.
"I think they went too far and actually contributed more to the problem than to the defense," Enderle said.
The Snapchat Fail File
The Snapchat app, which runs on Android and iOS, lets users exchange photos, videos or text messages that are claimed to vanish within 10 seconds after they have been viewed.
However, it has been found that those images can still be recovered.
In January, a bug in Snapchat's back-end system was discovered that let anyone obtain a user's cellphone number and address without their consent. The company fixed the flaw after being notified.
In May, the Kivikakk.ee blog listed one way to intercept and decrypt http Snapchat communications.
In June, security researcher Adam Caudill pointed out various vulnerabilities in the app; the company then addressed those issues.
Law and Order
Gibson's actions highlight the need for a revamp of our laws and law enforcement, Tirias' McGregor suggested.
"When you are affected by people publishing code that lets others hack into your site, there is no criminal agency you can turn to -- not the FBI, not the local police," McGregor pointed out. "There's no way to report these crimes, and that's a gaping hole in our law enforcement system. We not only need laws on our books in cases like this, we need to enforce them."
Snapchat did not respond to our request to comment for this story.