Researcher: Snapchat names, aliases, phone numbers vulnerable

A security advisory published by Australian researchers claims that Snapchat names, aliases, and phone numbers can be discovered and harvested via the Snapchat Android and iOS API -- even if the user's account is private.

Gibson Security said it discovered a range of security holes when it reverse-engineered the popular photo- and video-sharing app, including what it believes to be unsecure encryption practices (two encryption keys across all users) and code for in-app ads.

"The API reversed isn't just used for Android, but iOS too," according to the Gibson advisory posted Tuesday. "Both platforms are vulnerable."

CNET has contacted Snapchat for comment, and we will update this article when there is more information.

According to the researchers, a malicious entity can use the Snapchat API and write an automated program that generates phone numbers to exhaustively search the Snapchat database for users.

Gibson calls this the "Find Friends Exploit."

When the phone number matches a record of a Snapchat user, the malicious entity will get a record the includes the username, the associated display name, and whether the account is private or not.

"Doing this, you can make a 1:1 link between a person's phone number and their Snapchat account. Handy feature? Yes. Easily exploitable? Definitely," Gibson said.

The security firm explained its concerns:

Internet trolls and stalkers could use this information to harass people in real life, unmasking the anonymity and privacy Snapchat provides.

The scariest part for us is the possibility of a company utilizing this exploit on a massive scale, only to sell a database of Snapchat names, phone numbers and locations to a third party.

With little work, a malicious party could steal large amounts of data and sell it on a private market, and that's highly illegal.

Gibson's advisory explains, "Snapchat [uses] a fairly simple (yet strangely implemented) protocol on top of HTTP. We won't reveal anything about the protocol, only what is needed for these problems, but the rest is easily figured out. We are privacy conscious, being users of the service ourselves."

ZDNet asked Gibson if it had contacted Snapchat to report the security issues.

The company told ZDNet that Snapchat isn't "exactly easy to get hold of." Gibson also "attempted to apply for the software developer position at Snapchat. We would gladly help improve the security and performance of the application but failed to get a response."

The advisory page states it believes that using the API implementation, someone could save media sent to them, launch a DoS (denial of service) attack against Snapchat users, build a database of usernames and phone numbers, "easily" connect names to aliases, and "with further work" connect social media accounts to Snapchat identities.

The researchers stress that they believe if someone was able to gain access to Snapchat's servers they could easily view, modify or replace snaps being sent.

"With a couple lines of Python, someone could view all your unread messages, and depending on the situation, modify, and even replace the images completely," Gibson said.

Snapchat is a popular Android and iOS application, especially with younger users -- and has an unwanted reputation for sexual content sharing. The app allows users to exchange photos, videos or messages that Snapchat states vanish in 10 seconds or less once they are opened.

Google Play currently lists the Snapchat Android app as having been installed between 10 million and 50 million times. In June, Snapchat raised over $60 million in VC funding with an $800 million valuation.

This piece originally was published as "Snapchat names, aliases and phone numbers obtainable via Android and iOS APIs, say researchers" on ZDNet.