Snapchat, which prides itself for its privacy and security features, might have just become completely insecure. Researchers have now published undocumented API and code to two exploits that not only opens up the service to spam but also gives malicious individuals access to users’ profiles and phone numbers.
The “Find Friends” exploit utilizes the feature of the same name to hunt down numbers and people. A program can generate a range of possible numbers and then searches through the Snapchat database to find possible matches to a username. Once a match is found, a record containing the username, their display name, and their public or private status can then be retrieved. These records can then be sold off to the highest bidder. Another exploit, called the “Bulk Registration” exploit, allows mass registration of users, which can be used for spam.
Gibson Security, who has published these exploits, claims that Snapchat was given ample time to patch these up. The security research firm says that it informed Snapchat of the vulnerability back in August but the company kept silent and did not fix the exploits. Accusing Snapchat of shady marketing and a general attitude of indifference to security, the researchers have apparently gotten sick of playing by Snapchat’s rules and have decided to force its hand instead.