The Snapchat exploit revealed last week has seemingly exposed the usernames and cellphone numbers of a claimed 4.6 million users of the self-destructing messaging service, according to a site that supposedly snatched the information from the company’s database using the hack. Dubbed SnapchatDB!, the site offers up a download of what’s described as “a vast majority” of Snapchat users, purportedly to highlight the lax security liberties companies take with our personal information.
Snapchat, so the site’s hosts argue, was negligent in patching the exploit, “until they knew it was too late.” According to Gibson Security, the research firm which publicized the API loophole at the root of the hack, Snapchat was aware of the issue as early as August 2013, but failed to address it until recently.
Still, that’s perhaps little consolation for those whose personal details are now in the wild. The database download has been masked, but only the last two digits of each phone number are hidden, and the site admins say that those wanting the full, uncensored database should ask and, “under certain circumstances”, it may be released.
Meanwhile Gibson Security, although saying that it was unaware of the database scrape and associated site being set up using its exploit, argues that it was only “a matter of time” before it happened. More concerning, the Australian researchers suggest that the exploit can still be used with just a few minor modifications.
Snapchat’s security has been called into question several times over the service’s lifespan, in part because the ephemeral nature of photos shared using the app is an obvious lure for methods to preserve them. Tools to save images without the sender knowing that they have been captured have popped up on several occasions, though Snapchat has moved to block each loophole along the way.
Nonetheless the apparently cavalier approach to account security this time around may give some Snapchat users pause for thought, especially given that, as SnapchatDB! points out, many will use the same username for multiple services.
VIA Hacker News