The data was obtained by targeting a programming interface in the backend of Snapchat's website that allows people to locate users by their phone numbers. Last week, researchers from Gibson Security published details of an attack that could abuse this feature to disclose the phone number of virtually all Snapchat users. The researchers said they decided to fully disclose the vulnerability after Snapchat engineers largely disregarded limited disclosure details published in August. Snapchat officials responded to last week's full-disclosure posting with a lukewarm acknowledgement.

"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way," Snapchat officials wrote in a December 27 post. "Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse."

The snapchatdb.info dump is proof that the risk was far more than theoretical. According to the Gibson Security disclosure, Snapchat's friend finder feature allowed a nearly unlimited number of queries in rapid succession, a design that allowed an attacker with a fast connection to obtain 10,000 numbers in seven minutes. With optimizations, the security researchers estimated that attackers could vastly improve that rate. In a nutshell, the hack used a simple enumeration technique that queried Snapchat for a specific number—000-000-0000, say—then recorded the response from the site and incremented the number by one. By iterating through every possible phone number, an attacker could obtain virtually every number registered with Snapchat along with the corresponding user name.

The incident highlights the unintended consequences that often accompany social networking services.
The same feature that allowed people to instantly locate friends and acquaintances and send them pictures through the service was also available to people with more malicious intent. Phone numbers belonging to 4.5 million Snapchat users could be a key asset in certain types of scams—say, a text-message based malware campaign that urges people to install a booby-trapped Snapchat update to fix a critical security vulnerability. The leaked data might also be used to target users of other sites, since many people use the same or very similar user names for multiple accounts.
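The article describes the two things a lookup endpoint like the friend finder can watch for: an unbounded query rate from one client and numbers that climb by one on every request. Below is an added example of such a detector, not code from the article, Snapchat or Gibson Security; the thresholds, the `ts client phone` log format and the sample log lines are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the article): an address-book sync is bursty but bounded.
WINDOW_SECONDS, MAX_LOOKUPS_PER_WINDOW = 60, 30
SEQUENTIAL_RATIO, MIN_SAMPLE = 0.8, 10

class EnumerationDetector:
    def __init__(self):
        self.times = defaultdict(deque)   # client -> lookup timestamps inside the window
        self.last_number = {}             # client -> last number queried, as an int
        self.seq_hits = defaultdict(int)  # client -> lookups consecutive with the previous one
        self.total = defaultdict(int)

    def observe(self, ts, client, phone):
        """Record one lookup and return the list of alert reasons it triggers."""
        digits = "".join(ch for ch in phone if ch.isdigit())
        if not digits:
            return []
        window = self.times[client]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:  # drop lookups older than the window
            window.popleft()
        number = int(digits)
        if self.last_number.get(client) == number - 1:
            self.seq_hits[client] += 1
        self.last_number[client] = number
        self.total[client] += 1
        alerts = []
        if len(window) > MAX_LOOKUPS_PER_WINDOW:
            alerts.append("rate")
        if (self.total[client] >= MIN_SAMPLE
                and self.seq_hits[client] / self.total[client] >= SEQUENTIAL_RATIO):
            alerts.append("sequential")
        return alerts

def analyze(log_lines):
    """Run the detector over 'ts client phone' log lines; map client -> alert reasons."""
    detector = EnumerationDetector()
    flagged = defaultdict(set)
    for line in log_lines:
        ts, client, phone = line.split()
        flagged[client].update(detector.observe(int(ts), client, phone))
    return {client: reasons for client, reasons in flagged.items() if reasons}

# Constructed sample log: a user syncing five contacts over 40 s, and a client walking
# 000-000-0000 upward, 40 lookups in about 10 s.
SAMPLE_LOG = (
    [f"{10 * i} legit-user 415-555-{1000 + 37 * i:04d}" for i in range(5)]
    + [f"{100 + i // 4} scraper 000-000-{i:04d}" for i in range(40)]
)
```

Either signal alone is worth an alert: a flood of unrelated numbers still trips the rate check, while a slow walk through consecutive numbers is caught by the sequential ratio once enough lookups have been seen.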