On Christmas Eve, Gibson Security published information on how to exploit loopholes in Snapchat's security that "allow mass matching of phone numbers with names and mass creation of bogus accounts," reports ZDNet. Gibson published the codes because they were "sick of" Snapchat ignoring their warning since August.
The accusations get much, much worse from there.
Gibson describes itself as a group of "poor students, with no stable source of income." ZDNet calls them hackers or researchers from Australia. In an email to ZDNET, Gibson dropped two more bombs on the $2 billion company. First, Gibson claims the loophole could have been closed with just 10 lines of code. They also said Snapchat and its investors lied to the press when they said 70 percent of users are female because there is no way for Snapchat to obtain that information. Snapchat has previously been accused of misleading the press in the way it reports traffic.
Gibson claims exploits in both "Find Friends" and "Bulk Registration" can be used to obtain a 1:1 link between a person's phone number and their Snapchat account. The information could be used for spamming, or worse stalking:
Snapchat names, aliases, and phone numbers can be discovered and harvested via the Snapchat Android and iOS API — even if the user's account is private.
Gibson Security told ZDNet via email the metadata could be used in conjunction with other APIs to "automatically build profiles about users, which could be sold for a lot of money."
He added: "People could operate a service similar to ssndob.cc (see here), where you could pay a few dollars and obtain the phone number and social media profiles of a person, just by their username."
This, he said, could also be used for targeted scamming, but also for stalking, which he described as his "biggest worry."
"You could find someone's phone number in minutes provided you know the general area they live in,"
Snapchat turned down an offer from Facebook to buy it for $3 billion in November, underscoring Gibson Security's statement about the value of selling a user profile database.
The ability to engineer false accounts also makes it "impossible to know what percentage of Snapchat's accounts are valid," notes ZDNet. According to Gibson:
"[Snapchat could have fixed this] by adding rate limiting; Snapchat can limit the speed someone can do this, but until they rewrite the feature, they're vulnerable. They've had four months, if they can't rewrite ten lines of code in that time they should fire their development team. This exploit wouldn't have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app)."
I've reached out to Snapchat for comments on Gibson's allegations. But it's not like CEO Evan Spiegel is short on funds to hire help.
To contact the author of this post, please email firstname.lastname@example.org.