Security and Privacy

Snapchat Hack Not A Hoax

First off, what is SnapChat:

Snapchat is the fastest way to share a moment with friends. You control how long your friends can view your message – simply set the timer up to ten seconds and send. They’ll have that long to view your message and then it disappears forever. We’ll let you know if they take a screenshot! Build relationships, collect points, and view your best friends. Snapchat is instantly fun and insanely playful. Show your friends how clever you can be and enjoy the lightness of being! – CrunchBase

In comes a site called SnapchatDB.info that has been collecting usernames and phone numbers of all 4.6 million Snapchat users and has made the information publicly available to anyone and everyone online. They said they did it to expose a recent exploit that has been patched, and that they made the data available to convince the messaging app to beef up its security.

Here is what they told TechCrunch about the incident:

Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.

We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.

We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.

ZDNet published an article on how white-hat researchers at Gibson Security had tried to alert Snapchat to ways that hackers could connect usernames to phone numbers for use in stalking, but were ignored. Gibson Security then published the exploit publicly on Christmas Eve.

The Gibson Security report and SnapchatDB are both reminders that even with an ephemeral messaging service, it would be a mistake to be lulled into a false sense of security about the information you do have stored with the app. “People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with,” SnapchatDB stated on the site.

Read the entire article here.
