Snapchat has released a statement regarding the recent findings that their service can be used to attach phone numbers to names, leading to identification of users. While Snapchat had been aware of the issue since August, the group that found the exploit wasn't pleased with their lack of focus on the security issue. On December 31st, 2013, they released redacted numbers attached to usernames to the web, as well as their methodology for acquiring them, forcing Snapchat's hand.
In the statement, Snapchat admits their system might not be as secure as they originally thought, but does note they’ve made efforts to thwart this type of malicious activity before. After the original findings, in August of last year, Snapchat says they “implemented practices like rate limiting aimed at addressing these concerns”. The issue relates to the Find Friends functionality within Snapchat, where Snapchat says a user could “upload a large number of random phone numbers and match them with Snapchat usernames.”
While Snapchat does admit there is an exploit, they don’t think their current methodology is wrong. In highlighting how they’ll fix the service, the team at Snapchat had this to say:
We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
Rate limiting seems to be their silver bullet for nefarious activity here, and perhaps always will be. It might be all they have, too. Find Friends inherently allows this kind of lookup, and while it's not so much a direct threat, it does pose a risk nonetheless. Once someone has your phone number tied to your username, it's possible to turn around and use that elsewhere. It's like the first domino in a chain.
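As an added illustration, not Snapchat's code and not from the original article: a toy Find Friends lookup service in Python showing the two mitigations the statement names, an opt-out flag and per-account rate limiting, alongside a batch cap and a simple miss-ratio signal for spotting uploads of random numbers. The class and method names, the limits, and the sample phone numbers are all assumptions made for the example.

```python
"""Toy Find Friends service (added example, not Snapchat's code).

Demonstrates: an opt-out flag that removes a number from the match set,
a sliding-window rate limit counted in numbers checked per account,
a per-upload batch cap, and a miss-ratio signal for detecting callers
whose uploads almost never match a real user. Limits are assumptions.
"""
from collections import deque
import time


class Account:
    def __init__(self, username, phone, discoverable=True):
        self.username = username
        self.phone = phone
        self.discoverable = discoverable  # False once the user opts out


class FindFriendsService:
    def __init__(self, max_batch=50, max_per_window=200,
                 window_seconds=3600.0, suspicious_miss_ratio=0.95):
        self.max_batch = max_batch                  # numbers per upload
        self.max_per_window = max_per_window        # numbers per account per window
        self.window_seconds = window_seconds        # sliding window length
        self.suspicious_miss_ratio = suspicious_miss_ratio
        self._by_phone = {}    # phone -> Account
        self._history = {}     # caller -> deque of (timestamp, numbers checked)
        self._stats = {}       # caller -> [numbers checked, numbers matched]

    def register(self, account):
        self._by_phone[account.phone] = account

    def opt_out(self, username):
        """The opt-out the statement describes: the account stays
        registered but is never returned by a lookup."""
        for acct in self._by_phone.values():
            if acct.username == username:
                acct.discoverable = False

    def _spend(self, caller, count, now):
        """Sliding-window limiter. It counts numbers checked rather than
        requests, so splitting one large upload into many small batches
        gains the caller nothing."""
        q = self._history.setdefault(caller, deque())
        while q and now - q[0][0] >= self.window_seconds:
            q.popleft()
        used = sum(c for _, c in q)
        if used + count > self.max_per_window:
            return False
        q.append((now, count))
        return True

    def find_friends(self, caller, phones, now=None):
        """Return {phone: username} for uploaded numbers that belong to a
        discoverable account. Enforces the batch cap and the rate limit."""
        now = time.time() if now is None else now
        if len(phones) > self.max_batch:
            raise ValueError("batch too large")
        if not self._spend(caller, len(phones), now):
            raise PermissionError("rate limit exceeded")
        matches = {}
        for phone in phones:
            acct = self._by_phone.get(phone)
            if acct is not None and acct.discoverable:
                matches[phone] = acct.username
        stats = self._stats.setdefault(caller, [0, 0])
        stats[0] += len(phones)
        stats[1] += len(matches)
        return matches

    def is_suspicious(self, caller):
        """Uploads of random numbers mostly miss; a real address book
        mostly hits. Flag callers past one full batch with a miss ratio
        at or above the threshold (a constructed heuristic)."""
        checked, matched = self._stats.get(caller, (0, 0))
        if checked < self.max_batch:
            return False
        return (checked - matched) / checked >= self.suspicious_miss_ratio


def demo():
    """Constructed scenario: three accounts, one opted out, one normal
    caller and one caller sweeping blocks of sequential numbers."""
    svc = FindFriendsService()
    for acct in (Account("alice", "+15550000001"),
                 Account("carol", "+15550000002"),
                 Account("dave", "+15550000003")):
        svc.register(acct)
    svc.opt_out("dave")
    normal = svc.find_friends("bob", ["+15550000001", "+15550000003"], now=0.0)
    for i in range(4):  # 4 x 50 = 200 numbers, exactly the window budget
        svc.find_friends("scanner",
                         [f"+15551{j:06d}" for j in range(i * 50, (i + 1) * 50)],
                         now=0.0)
    try:
        svc.find_friends("scanner", ["+15559999999"], now=0.0)
        limited = False
    except PermissionError:
        limited = True
    return normal, limited, svc.is_suspicious("scanner"), svc.is_suspicious("bob")


if __name__ == "__main__":
    print(demo())
```

The limiter counts numbers checked across a sliding window, which is what makes "improving rate limiting" meaningful against bulk uploads: it only slows a caller down. The opt-out is the one control in the example that removes a number from the match set entirely, which is the point of the remark above that rate limiting may be all Snapchat has.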
Though Snapchat notes no snaps were posted, that's really not the point. The service doesn't hold any read messages on their server, so there wouldn't be much to grab anyway. Though Snapchat did say that they want people to message them when it concerns security, their lack of attention to this matter does call the service's one guiding principle, security, into question.