After its discovery of a security hole in Snapchat was ignored for months, Gibson Security earlier this week released the API for the Snapchat application along with two exploits.
One exploit lets hackers match phone numbers with Snapchat users’ names en masse; the other enables hackers to create huge numbers of fake Snapchat accounts. Together, the API and the exploits will let hackers duplicate Snapchat’s API and stalk the 8 million users the site is reported to have.
The documentation is based on the current build of Snapchat — version 4.1.01, Gibson Security stated.
Why Gibson Did It
Gibson Security published the information because Snapchat had not fixed any of the exploits it had released in August, it said.
One of these was a flaw in the “Find friends” function that let hackers easily create a database of the usernames and phone numbers of Snapchat app users. Another was a denial of service exploit.
Further, Snapchat’s storage and transmission of media was not secure, Gibson said.
What’s a Gibson Security?
The identity of Gibson Security and the people behind it remains unclear.
Emails sent to the address listed on the company’s website bounced.
The company solicits Bitcoin donations on its website because “we’re poor students, with no stable source of income.”
However, in an April press release, the company described itself as a computer security group.
Gibson Security consists of Australian hackers, according to ZDNet.
Doing the Right Thing?
In publishing the Snapchat API and the exploits, Gibson was following common practice, Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
However, Gibson’s actions “seem more focused on giving [it] notoriety than on actually fixing the problem,” Enderle suggested. “It may also reflect a need to punish a firm that doesn’t respond properly to a warning.”
Gibson’s release of the exploits “brings up the question of ethics,” Jim McGregor, principal analyst at Tirias Research, told TechNewsWorld.
“You always have programmers or hackers who are a bit overzealous and feel that, if a company they’ve notified about vulnerabilities doesn’t react, it’s their responsibility to publicize those vulnerabilities to the world,” McGregor remarked. “The question is, how far should you take it?”
Gibson should probably have waited until someone had launched an attack on Snapchat, then told the world they had warned the company and it was negligent, Enderle opined. Or, it could have published news that it had discovered exploits and what damage these could do and offered to share what it had discovered with other security firms rather than telling the world at large.
“I think they went too far and actually contributed more to the problem than to the defense,” Enderle said.
The Snapchat Fail File
The Snapchat app, which runs on Android and iOS, lets users exchange photos, videos or text messages that are claimed to vanish within 10 seconds after they have been viewed.
However, it has been found that those images can still be recovered.
In January, a bug in Snapchat’s back-end system was discovered that let anyone obtain a user’s cellphone number and address without their consent. The company fixed the flaw after being notified.
In May, the Kivikakk.ee blog listed one way to intercept and decrypt http Snapchat communications.
In June, security researcher Adam Caudill pointed out various vulnerabilities in the app; the company then addressed those issues.
Law and Order
Gibson’s actions highlight the need for a revamp of our laws and law enforcement, Tirias’ McGregor suggested.
“When you are affected by people publishing code that lets others hack into your site, there is no criminal agency you can turn to — not the FBI, not the local police,” McGregor pointed out. “There’s no way to report these crimes, and that’s a gaping hole in our law enforcement system. We not only need laws on our books in cases like this, we need to enforce them.”
Snapchat did not respond to our request to comment for this story.
The ethical problem is not one of criminality. As the author says, Snapchat has no law enforcement that it can approach. I would point out that Gibson Security or the 8 million users also do not have an avenue through law enforcement either.
I would rather have this bring the problem (in any industry really) out into the open than have some mass class action fill the newspapers for years.
Snapchat were warned and should have at least kept Gibson up to date with the speed of repairs.
I imagine they did not. Another dot.com too busy riding the wave of prosperity to do something simple like concentrate on guaranteeing the product they charge for, perhaps?
I don’t know what world the author is living in but it is not this one: "should have waited until someone had launched an attack" indeed! Like the nice attackers are going to announce an attack. Just like the recent hackers of Target did instead of waiting THREE WEEKS for Target to discover the attack. Yeah, right. Tell that to the 40 million Target customers and banks that are now at risk.
According to the article, Gibson waited over four months for SnapChat to fix and/or respond to their warning. That is more than adequate time for SnapChat to at least respond, if not correct, the vulnerability. I see no need to pamper the offender’s arrogance with further warnings since they obviously are not listening and/or do not care. It was SnapChat’s choice to ignore the private warning so maybe this will get their attention.
And McGregor is right – laws do need to be revamped – but NOT the way he suggested. The whistle blowers should be lauded; it is the irresponsible companies and their management that need to be punished! Laws should be strengthened to protect whistle blowers and punish those responsible for exposing assets to an insecure environment.
Companies that implement vulnerable systems, fail to implement and monitor basic security measures, or allow known exploits to go unmitigated should be punished by fines that hurt, and the company officials responsible held personally liable, starting with the CEO. In fact, since monetary penalties are usually only borne by the company, with only token penalties (at best) for the officials, I would advocate for criminal penalties for officials failing to ensure adequate security for company and customer data. Perhaps then we would see some meaningful change.
As in Japanese corporate culture and as Harry Truman so aptly stated, the head of the organization is ultimately responsible for the actions of its people. He/she is responsible for ensuring procedures and safeguards are in place to protect the company and its customers BEFORE an attack instead of being a spin doctor AFTER an attack trying to mitigate the PR damages. Hiding behind an "I didn’t know the details" is no excuse. It is the CEO who establishes the priority (or lack thereof) given to security, and it is his/her responsibility to ensure that safeguards are adequate.
This highlights the need for the development of guidelines for reporting vulnerabilities, time to respond to notice of a potential exploit, escalation procedures/recourse if warnings are ignored and, perhaps, public security audits reports similar to annual financial audit reports.