
Snapchat Users' Phone Numbers Exposed To Hackers

Posted by timothy
from the take-a-memo-it'll-last-longer dept.
beaverdownunder writes with an extract from The Guardian, based on a security disclosure from Gibson Security: "Snapchat users' phone numbers may be exposed to hackers due to an unresolved security vulnerability, according to a new report released by a group of Australian hackers. Snapchat is a social media program that allows users to send pictures to each other that disappear within 10 seconds. Users can create profiles with detailed personal information and add friends that can view the photos a user shares. But Gibson Security, a group of anonymous hackers from Australia, has published a new report with detailed coding that they say shows how a vulnerability can be exploited to reveal phone numbers of users, as well as their privacy settings." Snapchat downplays the significance of the hole.

  • Dumb people (Score:2, Insightful)

    by DogDude (805747)
    People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.
    • Yes, security through obscurity is the best way.

    • by vlueboy (1799360)

      People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.

      You really think it's their fault? Common sense has never been too strong when compared to status quo and people follow by lead. Thankfully, that helped us win some battles, in the past. After all, people now know about firefox and Ubuntu without being geeks themselves. Because they followed a geek trend that eventually became mainstream.

      But trends are exactly what all big and small companies are following now. You can't sign up to Yahoo, Hotmail or Gmail without being asked for a cellphone number. Since th

      • by vlueboy (1799360)

        Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.

        Funny thought: Phone numbers are nothing --they're in the phonebook after all...
        a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.

        Replying to myself:
        We need to coin a new Godwin's type of law
        How quickly can we bring up NSA-like involvement in some random online thread?
        I dub thee "Snowden's Law"

    • by mwvdlee (775178)

      Just like you giving out your email address to subscribe to Slashdot (which does not make you a customer) makes you deserving of spam?

  • OK, doesn't concern me.

  • just dial any area code.

  • Sure. In exactly the same fashion as unintended casualties are collateral damage.

    This is verbiage of the initial Target press release. It sounds like my government talking to me.

    • by Nyder (754090)

      Sure. In exactly the same fashion as unintended casualties are collateral damage.

      This is verbiage of the initial Target press release. It sounds like my government talking to me.

      They probably hired the same PR firm.

      • Probably, unless they are now fungible....

        I love that term. Previously, I described the identical phenomenon with "Six of one or half a dozen".

  • Snapchat is right (Score:2, Insightful)

    by murdocj (543661)

    This is a non-issue.
    Guess what, there are these big books that list names and the associated phone numbers.

    • by Anonymous Coward

      What is a non-issue? That their claims of protecting your phone number aren't actually true? That seems to only be a "non-issue" if you're on their payroll.

      • by murdocj (543661)

        You mean that you can use the snapchat feature to see if a particular phone number is associated with a snapchat user? It's not like someone is hacking into their database and extracting a list of users. The "hack" is doing an upload of every possible phone number and seeing if there are any hits.

        • by Kalriath (849904)

          ... in the same way as reading the entire phone book to see which numbers belong to people is a "vulnerability" in the telco industry.

    • by Anonymous Coward

      Those books, do they also contain pink pictures of the persons behind the numbers? Where can I get them?

      • by murdocj (543661)

        There are these things called facebook and google that pretty much can get you anything that anyone has stored on the system of tubes.

  • It's OK (Score:4, Funny)

    by bigdavex (155746) on Saturday December 28, 2013 @09:14PM (#45808745)

    But the phone numbers disappear after 10 seconds, right?

  • by wbr1 (2538558)

    Snapchat downplays the significance of the hole.

    Isn't that their entire business model? Encourage more people to show off their naughty bits, therefore "downplaying the significance of the hole."

  • by WOOFYGOOFY (1334993) on Saturday December 28, 2013 @10:31PM (#45809061)

    For some of the younger readers: snapchat can't actually guarantee that your photo is deleted, so don't send anything you don't want all over the web, as ever.

    For instance, anyone you send your photo to could screen capture your photo before it disappears, then pass that screen capture around.

    Someone could also be between you and your recipient and be capturing everything you send.

    Just so you know.

    • In fairness even many non-technical adults get this wrong. Because they don't understand how technology actually works they fail to understand that "privacy controls" don't actually control anything. This is true because the data, whether "deleted" or not, continues to exist in the company's databases which are likely copied and backed up in many places. As the parent said, if you gave it to them once they have it forever. It should also be remembered that when a company is bought or sold, the new owners mi
  • This "Gibson" firm got their name in the papers, for what? Because a hacker "may" be able to see phone numbers with a username attached. So what? Where I live they still print people's names and phone numbers in the phone book, which is available at the public library. What exactly bad is going to happen when someone decides to hack Snapchat to obtain those phone numbers?
    • by Kalriath (849904)

      The exploit according to Gibson is that Snapchat doesn't rate limit calls to "find_friends" to prevent massive automated brute force queries to get user details. In all fairness, considering the massive processing power behind Snapchat and the fact that your server is more likely to deplete its available resources before theirs (they're on Google App Engine apparently), there really should be rate limiting, even 1 request per second would make automated hammering non-viable.

  • Fake it (Score:5, Insightful)

    by pubwvj (1045960) on Saturday December 28, 2013 @10:49PM (#45809131)

    This is why I give out fake information. I have no reason to trust them so I give fake birthdays, fake phone numbers, fake addresses, fake names, what ever it takes. There is no reason to give them valid information. They are not to be trusted. You should pick and choose which information you want to give. Feel no obligation to answer a question truthfully just because some corporation asks you.

    Obfuscate.

    • by qubezz (520511)
      This is why snapchat was worth $3B to Yahoo, you install it on your phone, where it can vacuum up your real contacts and other data from your phone and send it along to the server. If you don't put in your real name, someone else has.
  • by Anonymous Coward

    But ONLY to "hackers", because they're like extraspecial and shit.

  • We give them out to friends, family, retailers, employers and for thousands of other reasons. The same goes for an email address.
  • Maybe only 17 queries are required. So even if they did do some kind of rate-limiting to prevent mass sucks of account names, they'd not stop the leak.

    Number all the names you're interested in binary. If you have 75000 names, then the binary numbers will be 17 bits long. In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit. Store all the results. In the second query, do a lookup on all the 32768 contacts which have a set 15th bit, again, store those. In the third query, d
    • I'm entirely nonplussed by your post.

      Don't need 75000 queries to identify 75000 accounts

      What do you mean by "identify"?

      Number all the names you're interested in binary.

      Snapchat usernames? Or names of humans you suspect of having a snapchat account?

      In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit.

      What kind of lookup are you talking about?

    • Okay, after finding this [gibsonsec.org] (who the hell presents a security disclosure as a single PNG?!) I'll have another stab at what you're suggesting.

      Suppose you have 75,000 phone numbers you want to try to link to snapchat accounts. Snapchat allows (or allowed) you to specify at least up to this amount of numbers in a single query - the only trouble is, it won't tell you which of the many results you receive is associated with which of the numbers you sent in the query.

      By doing ~17 queries on subsets of the 75,000 num
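
Added example (not from Gibson Security, Snapchat, or any commenter in this thread) of the per-client rate limit Kalriath suggests earlier, written in Python around a hypothetical bulk-lookup endpoint. It charges one token per submitted phone number rather than one per request, so the oversized single query discussed in this comment is throttled as hard as many small ones; all client names and phone numbers are constructed.

```python
from collections import defaultdict

# Hypothetical token-bucket limiter for a bulk "find friends by phone number"
# endpoint (an assumption; not Snapchat's real API). Each client (API key,
# account or source IP) owns one bucket. Every phone number in a request costs
# one token, so a request carrying 75,000 numbers cannot sidestep a limit that
# only counts requests.


class LookupRateLimiter:
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec                      # tokens refilled per second
        self.burst = burst                            # bucket capacity per client
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}                               # last refill time per client

    def _refill(self, client: str, now: float) -> None:
        last = self._last.get(client, now)
        self._tokens[client] = min(self.burst, self._tokens[client] + (now - last) * self.rate)
        self._last[client] = now

    def allow(self, client: str, numbers: list, now: float) -> bool:
        """Debit the client's bucket for the whole batch, or reject it untouched."""
        self._refill(client, now)
        cost = len(numbers)
        if cost > self.burst:
            return False          # batch bigger than any bucket: reject outright
        if self._tokens[client] >= cost:
            self._tokens[client] -= cost
            return True
        return False


def find_friends(limiter, client, numbers, registered, now):
    """Constructed stand-in for the lookup handler.

    Returns the subset of `numbers` present in `registered`, or None when the
    limiter rejects the batch (the caller would answer HTTP 429 and log it).
    """
    if not limiter.allow(client, numbers, now):
        return None
    return [n for n in numbers if n in registered]
```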

  • who gives a crap about their phone numbers when their genitals are on display for the world to see.
