Snapchat introduces Find Friends opt-out, bolsters security efforts after data breach

Summary:Snapchat has taken heed of some old warnings after hackers exploited its Find Friends feature to leak details of 4.6 million of the startup's users this week.

Snapchat will offer a way for users to prevent themselves from being exposed to a repeat of the privacy leak that affected 4.6m of its users on New Years eve.

Nearly four months after first being warned its Find Friends feature was open to abuse, the ephemeral messaging service has announced plans to update its Android and iOS apps to allow users to opt-out of appearing in its Find Friends database. While Snapchat users previously didn't need to provide their phone number to use the service, the company encouraged the practice so users could find other people they knew that were already using the app. 

The planned update, announced by Snapchat yesterday, comes in response to the leak earlier this week of 4.6 million Snapchat usernames and phone numbers, which hackers had gained by exploiting the Find Friends privacy flaw that Snapchat had previously dismissed as "theoretical".

Gibson Security published details of two flaws in Snapchat on Christmas Day , along with Snapchat's previously private API. One of the flaws revealed by the security company could allow an attacker to use the API to uncover Snapchat usernames, display names and whether accounts were private or not, if a phone number inputted into the Find Friends feature matched one listed by Snapchat's users.

Gibson Security  reported the potential flaws to Snapchat in August . Snapchat yesterday suggested it didn't ignore the initial report, stating it implemented rate limiting — capping the amount of phone numbers that can be entered into Find Friends in a given period — in August to prevent automated attacks that throw large lists of numbers at Find Friends.

Besides adding the opt-out option, Snapchat says it will introduce several other security changes, including bolstering the rate limiting. 

Snapchat is also implementing systems to make it easier for security researchers to responsibly disclose flaws in its systems. The company isn't offering any bug bounties, but the public can now email discovered security vulnerabilities to the dedicated address security@snapchat.com.

"We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns," the company said.

More on this story

Topics: Security, Apps, Privacy

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.