Usernames and phone numbers for more than 4.5 million Snapchat users have been published on a website called SnapchatDB.info after attackers took advantage of an exploit disclosed on the 23rd December 2013. According to TechCrunch, SnapchatDB said
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does”
This is of course not the first vulnerability that has been discovered in the Snapchat service or app, various methods of secretly saving photos or recovering deleted photos have already hit the headlines in recent months, those were vulnerabilities in the app itself and would be exploited on the end-user device. This latest attack is using weaknesses in the API on the Snapchat servers themselves, the API is the method by which a Snapchat client communicates with the Snapchat service. These weaknesses allow for an automated system to send an enormous number of queries to the Snapchat server in a short period of time, discovering whether or not a given telephone number exists in the Snapchat database and retrieving other information associated with that number, of course the numbers themselves will be mobile telephone numbers. This attack, combined with further mining of data, for example through social media could be easily used to build a very large database of personal information for many kinds of further exploitation or resale. Although Snapchat were made aware of these vulnerabilities some months ago, GibsonSec – the publishers of the Proof of Concept exploit, claim that they are still easily exploitable and Snapchat DB proves that point.
These two areas, vulnerabilities in mobile apps and vulnerabilities in APIs, are areas still largely under explored by criminals but we fully expect to see malicious exploits, rather than simple proofs-of-concept ramping up over the coming years. We, as users, store ever more data; data often belonging to other people, on our mobile devices and app developers are very interested in getting hold of that data, as are criminals. Far too many apps routinely request (or simply steal) the data contained in your address book for example and far too many app users are willing to surrender this data for the dubious “pleasure” of inviting their friends to yet another social network/messaging platform. Trend Micro’s own data collected in ongoing analysis through our Mobile App Reputation Service reveals that more than 20% of *all* apps are consistently leaking data and the most common data to leak are your contacts, your location, your phone number and details about the handset and SIM.
In the old days, back when rainbows were still in black & white, if a stranger were to approach you in the street asking for a copy of your address book that would doubtless strike you as a bizarre request, likewise if a shop assistant insisted on the details of 100 of your friends in return for a discount voucher. Somehow as the data itself has become digitised and the means of transfer invisible and painless this has become entirely acceptable behaviour. Rather than continue this erosion of privacy; users of these types of service would be better advised to use the phone for its long-neglected purpose and maybe give those same friends a call, possibly even arrange to meet up(!) and talk about the great new app you’ve discovered in person, rather than selling your friends down the river.
As a social platform, your satisfied customers are your best ambassadors. If you begin to act in ways detrimental to their best interests then a storm is certainly coming, as Path found out to their cost in the early part of 2013.