Snapchat is a phone app and social network that allows users to send friends photos that expire seconds after they're sent. Kids love it because they leave no trail of their activity behind, or so they think.
Last week, Snapchat was hacked by a group who discovered a vulnerability in their code. After the company downplayed the possibility of a hack, the group released the information.
The data contained the user names and associated phone numbers of many users, all located within North America but primarily in the U.S. The final two digits of each phone number were also censored in order to offer the affected users some protection.
The hacker or hackers said the data was published to prompt Snapchat to fix a security hole that it was aware of and had been warned could be exploited.
"Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed," SnapchatDB told the Verge. "Security matters as much as user experience does."
Snapchat was warned by a group called Gibson Security on Christmas Eve that its app contained a security flaw that could expose its users in the exact way that SnapchatDB managed to do. Days after the warning, Snapchat acknowledged the vulnerability in a blog, but downplayed the seriousness of the security hole.
Evidently Snapchat didn't hop to the hackers' tune fast enough.
Giving organizations a specific timeframe in which to fix a security flaw in their product before releasing details to the public is a common tactic among white-hat hackers, designed to put pressure on developers to fix the flaws as quickly as possible. In Snapchat's case, the leak comes just days after a blog post in which Snapchat alluded to a flaw posted on Christmas Eve by Gibson Security that alleged it could match thousands of phone numbers to usernames every few minutes. "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way," Snapchat wrote.
Indeed, that appears to be what the team behind SnapchatDB did: "We used a modified version of [Gibson Security's] exploit / method," they tell The Verge. "Snapchat could have easily avoided that disclosure by replying to Gibsonsec's private communications, yet they didn't. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale."
I'm going to go out on a limb here and say that publishing poorly redacted personal information about users is really not a great way to tout one's commitment to security.
Obviously Snapchat has an obligation to secure users' data to the best of its ability, but with sites as heavily trafficked as this one is, it's not as simple as just applying a patch and waiting for the fix to take hold.
Was the goal here to force a shutdown until the hole was fixed, or just the more altrustic claim to want users' data protected?