Researcher: Snapchat names, aliases, phone numbers vulnerable

Australian researchers claim data can be discovered and harvested via the Snapchat Android and iOS API, even if an account is private.

Snapchat

A security advisory published by Australian researchers claims that Snapchat names, aliases, and phone numbers can be discovered and harvested via the Snapchat Android and iOS API -- even if the user's account is private.

Gibson Security said it discovered a range of security holes when it reverse-engineered the popular photo- and video-sharing app, including what it believes to be unsecure encryption practices (two encryption keys across all users) and code for in-app ads.

"The API reversed isn't just used for Android, but iOS too," according to the Gibson advisory posted Tuesday. "Both platforms are vulnerable."

CNET has contacted Snapchat for comment, and we will update this article when there is more information.

According to the researchers, a malicious entity can use the Snapchat API and write an automated program that generates phone numbers to exhaustively search the Snapchat database for users.

Gibson calls this the "Find Friends Exploit."

When the phone number matches a record of a Snapchat user, the malicious entity will get a record the includes the username, the associated display name, and whether the account is private or not.

"Doing this, you can make a 1:1 link between a person's phone number and their Snapchat account. Handy feature? Yes. Easily exploitable? Definitely," Gibson said.

The security firm explained its concerns:

Internet trolls and stalkers could use this information to harass people in real life, unmasking the anonymity and privacy Snapchat provides.

The scariest part for us is the possibility of a company utilizing this exploit on a massive scale, only to sell a database of Snapchat names, phone numbers and locations to a third party.

With little work, a malicious party could steal large amounts of data and sell it on a private market, and that's highly illegal.

Gibson's advisory explains, "Snapchat [uses] a fairly simple (yet strangely implemented) protocol on top of HTTP. We won't reveal anything about the protocol, only what is needed for these problems, but the rest is easily figured out. We are privacy conscious, being users of the service ourselves."

ZDNet asked Gibson if it had contacted Snapchat to report the security issues.

The company told ZDNet that Snapchat isn't "exactly easy to get hold of." Gibson also "attempted to apply for the software developer position at Snapchat. We would gladly help improve the security and performance of the application but failed to get a response."

The advisory page states it believes that using the API implementation, someone could save media sent to them, launch a DoS (denial of service) attack against Snapchat users, build a database of usernames and phone numbers, "easily" connect names to aliases, and "with further work" connect social media accounts to Snapchat identities.

The researchers stress that they believe if someone was able to gain access to Snapchat's servers they could easily view, modify or replace snaps being sent.

"With a couple lines of Python, someone could view all your unread messages, and depending on the situation, modify, and even replace the images completely," Gibson said.

Snapchat is a popular Android and iOS application, especially with younger users -- and has an unwanted reputation for sexual content sharing. The app allows users to exchange photos, videos or messages that Snapchat states vanish in 10 seconds or less once they are opened.

Google Play currently lists the Snapchat Android app as having been installed between 10 million and 50 million times. In June, Snapchat raised over $60 million in VC funding with an $800 million valuation.

This piece originally was published as "Snapchat names, aliases and phone numbers obtainable via Android and iOS APIs, say researchers" on ZDNet.

About the author

Violet Blue is a Forbes Web Celeb, CBSi/ZDNet blogger and columnist, a high-profile tech personality and one of Wired's Faces of Innovation. She is an expert in the field of sex and technology, a sex-positive mainstream media pundit (MacLife, CNN, The Oprah Winfrey Show) and has been interviewed, quoted and featured in outlets ranging from ABC News to the Wall Street Journal. A feature writer and columnist since 1998, Violet has authored and edited many award-winning, best selling books in six translations; a book sample can be found on Oprah.com. She was a notorious sex columnist for Hearst's San Francisco Chronicle, and Forbes calls her "omnipresent on the web." She headlines at global conferences including ETech, LeWeb, SXSW: Interactive and two Google Tech Talks at Google, Inc. and received a standing ovation at Seattle's Gnomedex. The London Times named Blue "one of the 40 bloggers who really count." She is a member of the CNET Blog Network, and is not an employee of CNET.

 

Join the discussion

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

HOT ON CNET

Want affordable gadgets for your student?

Everyday finds that will make students' lives easier: chargers, cables, headphones, and even a bona fide gadget or two!