Snapchat code exploit published after being ignored

December 25, 2013
0

Snapchat, which prides itself for its privacy and security features, might have just become completely insecure. Researchers have now published undocumented API and code to two exploits that not only opens up the service to spam but also gives malicious individuals access to users' profiles and phone numbers.

Snapchat is one of the so-called "ephemeral" apps that supposedly leave no trace by deleting anything that a user has shared to others within 10 seconds after it has been viewed by the recipient. Although it recently gained the ability to "replay" one post per 24 hours, the privacy policy still stands. However, that may all be moot considering that one of these exploits will be able to get a user's phone number and profile name.

The "Find Friends" exploit utilizes the feature of the same name to hunt down numbers and people. A program can generate a range of possible numbers and then searches through the Snapchat database to find possible matches to a username. Once a match is found, a record containing the username, their display name, and their public or private status can then be retrieved. These records can then be sold off to the highest bidder. Another exploit, called the "Bulk Registration" exploit, allows mass registration of users, which can be used for spam.

Gibson Security, who has published these exploits, claims that Snapchat was given ample time to patch these up. The security research firm says that it informed Snapchat of the vulnerability back in August but the company kept silent and did not fix the exploits. Accusing Snapchat of shady marketing and a general attitude of indifference to security, the researchers have apparently gotten sick of playing by Snapchat's rules and have decided to force its hand instead.

VIA: ZDNet


Recent Stories