What does Snapchat CEO Evan Spiegel care about, other than wooing Taylor Swift and driving his Ferrari? Turning his startup into a business doesn't seem to register, and based on the newest report of security hubris, neither does protecting you from hackers. Updated
Using a flaw in how the app authenticates users, security researcher Jaime Sanchez discovered that sending a huge number of messages to one user will cause their iPhone to crash. Even once it powers back up, the app itself still hangs until the attack is over.
In other words, Snapchat can be used to render your phone useless. Not fun! Sanchez published the flaw (an earlier version of this post said he brought it to Snapchat's attention; see the update below), and instead of thanking him, as most software firms do (or offering him a job!), Snapchat ignored him. From a blog post by Sanchez (via Google Translate):
DID SNAPCHAT SOLVE THIS SECURITY ISSUE?
They haven't; you can still use the same token for several requests, so the attack is still working. They told the press they would contact the researcher to get more info to solve the problem. I didn't get any email. Do you know what security countermeasure they've chosen to solve it? They've banned my two testing accounts and the VPN's IP I used to launch the proof-of-concept attack and the research...
The guy who wanted to warn Snapchat about hackers was treated like a hacker himself. There's a pattern here, and that pattern is Snapchat neglecting to protect its users, and scoffing at help from people who know better. I recently asked Graham Smith, who pointed out Snapchat's last security issue, why he said he wouldn't take a job with the mega-trendy company:
All the people at Snapchat are smart, no doubt. In some ways I respect how they passed up billions of dollars for their company; that shows unique drive. But, as I tried to work with them on fixing the issues, I realized that wasn't a place I could see myself working at. Mostly because I've been interested in security as of late and they didn't seem very open-minded about security, although it isn't completely out of mind for them. Also, after this whole experience I wouldn't say Snapchat and I have the best relationship, so it wouldn't be easy working for them after the fact.
These aren't malefactors we're talking about. These are people who love to tinker with online security, and came to a hugely popular company to show them how to protect itself better. When people like this come to Facebook with security warnings, sometimes they walk away with job offers, but here, they're treated like pests and punks. If Snapchat wants to be a $4 billion company someday—or a $4 million company—it's going to need to ditch some of its CEO's haughty asshole-ism and know when to say thank you.
Update: Snapchat replied with the following, which makes it clear that Sanchez did not directly contact Snapchat with the security issue, and that the company presumably learned about it through his blog post. It's still unclear why Sanchez had his Snapchat accounts deactivated.
On Thursday, we became aware of an upcoming story to be published by the LA Times, about a security researcher who claimed to have a way of crashing iPhones using the Snapchat application. We did not receive additional details, including the identity of the researcher.
After the LA Times ran with the story on Friday, we learned more details of the denial-of-service attack against iPhones that was possible through the Snapchat service. As soon as this happened, we assigned engineers to replicate and mitigate the vulnerability. Within hours they had confirmed the possible attack vector, and had deployed server-side changes to limit the rate at which snaps and notifications can be received, which we believe addresses the source of potential abuse.
As of 11 pm PST Friday, as far as we are able to determine, the attack as described is no longer possible. If you or the researcher are still able to replicate the crash, please let us know.
Completely independent of these events, new safety and security measures in place at Snapchat detect abuse of the service and take action against accounts. This happens automatically, and this may have impacted Mr Sanchez' ability to abuse the service. We have not taken any specific measures in regard to accounts owned by Mr Sanchez.
It appears there is concern in the security community about our response to security disclosures. Sanchez chose to publicize the attack rather than inform our team.
"Sanchez said he has not contacted Snapchat about the vulnerability because he claims the Los Angeles startup has no respect for the cyber security research community."
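The two server-side controls implied by this story are a request token that cannot be replayed (Sanchez's finding was that one token kept working for several requests) and a per-recipient cap on how fast snaps and notifications are delivered (the mitigation Snapchat describes). The model below is an added illustration, not Snapchat's code; the class, limits and clock are assumptions.

```python
import secrets
from collections import defaultdict


class SnapServer:
    """Hypothetical delivery server: single-use request tokens plus a
    per-recipient token bucket on incoming snaps/notifications."""

    def __init__(self, rate=1.0, burst=5, now=None):
        self.now = now or (lambda: 0.0)      # injectable clock (seconds)
        self.rate, self.burst = rate, burst  # refill per second, bucket size
        self.issued = set()                  # tokens handed out, not yet spent
        self.buckets = {}                    # recipient -> (tokens, last_seen)

    def issue_token(self):
        t = secrets.token_hex(16)
        self.issued.add(t)
        return t

    def _take(self, recipient):
        now = self.now()
        tokens, last = self.buckets.get(recipient, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[recipient] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def send_snap(self, token, recipient):
        # Spending the token here is what a replayed token fails against;
        # accepting the same token for several requests was the flaw.
        if token not in self.issued:
            return "bad_token"
        self.issued.discard(token)
        if not self._take(recipient):
            return "rate_limited"  # the server-side cap Snapchat described
        return "delivered"


def simulate_burst(server, recipient, count, reuse_token):
    """Constructed test traffic: `count` sends to one recipient, either
    replaying one token or fetching a fresh one per request."""
    tok = server.issue_token()
    tally = defaultdict(int)
    for _ in range(count):
        if not reuse_token:
            tok = server.issue_token()
        tally[server.send_snap(tok, recipient)] += 1
    return dict(tally)
```

With a frozen clock, a replayed token gets exactly one delivery and fresh tokens get only the bucket's burst size before the recipient stops receiving; advancing the clock refills the bucket at the configured rate.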