Hackers Say Exploit Made Breaching Snapchat a Snap. 4.6 Million Usernames and Phone Numbers Made Available for Download.

Posted on January 6th, 2014 by Dan Rampe


When you were a kid, did you ever have a relative, an aunt perhaps, or an old family friend who visited every decade or so, who found you watching TV instead of tackling the stack of homework in front of you and strongly suggested you get to work? Or maybe told you to finish your veggies at dinner? Who gave that virtual stranger the right to tell you what to do?

The hackers who found an exploit in Snapchat, a photo messaging app, have something in common with the person you may have known back in the day. Sure, they were right about the exploit and the need to fix it, but who gave them the right to set up SnapchatDB.info and make Snapchat usernames and phone numbers for 4.6 million accounts available for download?

Catherine Shu, writing on techcrunch.com, reported what hackers writing on SnapchatDB.info had to say about why they did what they did:

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.

“We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.

“We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.”

The hacker or hackers went on to say they “censored the last two digits of the phone numbers” to “minimize spam and abuse,” but they might still release the unfiltered data, including millions of phone numbers.

The Next Web discovered that the mailing address and contact number for SnapchatDB.info are both listed in Panama.

Shu reports that ZDNet previously published an article on how “white-hat Gibson Security researchers had tried to alert Snapchat to ways that hackers would connect usernames to phone numbers for [stalking users], but were ignored.

“Gibson Security then published the exploit publicly on Christmas Eve [Ho…Ho…Ho Merry Xmas]. The firm said that hackers could use two exploits to gain access to users’ personal data, including their real names, usernames and phone numbers, through Snapchat’s Android and iOS API.

“Snapchat did offer a public statement, but as TechCrunch’s Josh Constine wrote, it wasn’t very satisfactory because it did not offer details on how its countermeasures would work, such as rate limiting, bad IP blocking, or automated systems that scan suspicious activity.”
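The countermeasures named in that quote (rate limiting, blocking abusive clients, and automatically scanning for suspicious activity) are easy to describe and worth seeing in code. The following is an added example, not code from Snapchat, ThreatMetrix, TechCrunch or Gibson Security: a sliding-window rate limiter plus an enumeration detector in front of a hypothetical "look up account by phone number" endpoint. The log format (`<timestamp> <client_ip> <phone_number>`), the client addresses, the phone numbers and the thresholds are all constructed for the demonstration. The detector's key idea is that a legitimate contact-sync call repeats a small address book, while a scraper walks through a large range of distinct numbers it does not own.

```python
"""Added example: rate limiting and bulk-enumeration detection for a
phone-number lookup endpoint. Not the code of any company named in the
post; log format, addresses, numbers and thresholds are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key in any `window` seconds."""
    limit: int
    window: float
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over budget: reject (HTTP 429 in practice)
        q.append(now)
        return True


@dataclass
class EnumerationDetector:
    """Flag a client that looks up more than `max_distinct` different
    targets within `window` seconds. Attempts are counted even when the
    limiter rejects them, so throttled scrapers are still surfaced."""
    max_distinct: int
    window: float
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def observe(self, key: str, target: str, now: float) -> bool:
        q = self._seen[key]
        while q and now - q[0][0] >= self.window:
            q.popleft()
        q.append((now, target))
        distinct = {t for _, t in q}
        return len(distinct) > self.max_distinct


# Constructed sample log: one scraper (10.0.0.5) sweeping a block of
# numbers, one ordinary client (192.0.2.7) re-checking two contacts.
SAMPLE_LOG = """\
0.00 10.0.0.5 +15550001000
0.10 192.0.2.7 +15550009001
0.25 10.0.0.5 +15550001001
0.50 10.0.0.5 +15550001002
0.75 10.0.0.5 +15550001003
1.00 10.0.0.5 +15550001004
1.10 192.0.2.7 +15550009002
1.25 10.0.0.5 +15550001005
1.50 10.0.0.5 +15550001006
1.75 10.0.0.5 +15550001007
2.00 10.0.0.5 +15550001008
2.10 192.0.2.7 +15550009001
2.25 10.0.0.5 +15550001009
2.50 10.0.0.5 +15550001010
2.75 10.0.0.5 +15550001011
"""


def process(log_text: str, limiter: SlidingWindowLimiter,
            detector: EnumerationDetector) -> dict:
    """Replay log lines through both controls; return per-client verdicts."""
    report = defaultdict(lambda: {"allowed": 0, "blocked": 0, "flagged": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, target = line.split()
        now = float(ts)
        entry = report[client]
        if detector.observe(client, target, now):
            entry["flagged"] = True   # candidate for IP block / investigation
        if limiter.allow(client, now):
            entry["allowed"] += 1
        else:
            entry["blocked"] += 1
    return dict(report)


def analyze_sample() -> dict:
    """5 requests per 2 s per client; more than 8 distinct targets per minute is suspicious."""
    return process(SAMPLE_LOG,
                   SlidingWindowLimiter(limit=5, window=2.0),
                   EnumerationDetector(max_distinct=8, window=60.0))


if __name__ == "__main__":
    for client, verdict in analyze_sample().items():
        print(client, verdict)
```

Run as a script and the scraper shows up with three rejected requests and a `flagged` verdict, while the ordinary client is neither throttled nor flagged. The two controls are deliberately separate: the limiter only slows a scraper down (the quoted hackers note that "minor obstacles" were easy to work around), whereas the distinct-target signal is what turns throttled noise into something an operator can act on.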

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.