Predictably, Snapchat user database maliciously exposed

Predictably, Snapchat user database maliciously exposed

Summary: Snapchat is a textbook example of why responsible disclosure is a failure.

SHARE:
TOPICS: Security
27

On January 1, 2014, an anonymous user announced the release of SnapchatDB and 4.6 million usernames and matched phone numbers in a Hacker News post.

The Snapchat accounts - even those marked 'private' - were exposed in a database hack that Snapchat knew about for four months, ignored, then told press last week was only "theoretical."

snapchat database hacked

According to SnapchatDB, the leak was made possible with a recently patched, but still useful exploit.

Hacking the database wasn't enough to merit a response

One week ago in December, we broke news that Researchers at Gibson Security published Snapchat code allowing phone number matching after exploit disclosures ignored.

GibSec highlighted several Snapchat exploits and they were arrogantly dismissed by Snapchat, but it looks like someone else has taken GibSec seriously.

The SnapchatDB website is gone, but the database was copied, torrented and mirrored (on Mega) widely prior to its removal.

Several websites immediately sprung up offering a tool for users to see if they're in the database leak. The source of the first and second disclosures, Gibson Security, created this Snapchat hack lookup tool.

The last two digits of each phone number in the hack dump were hidden. But SnapchatDB said full numbers would be revealed for interested parties, indicating the 4.6 million usernames and numbers will likely be sold to spam and phishing operations.

The linking of phone numbers to usernames in accounts from major cities within the United States and Canada is a private information disaster that could have been avoided if the company had acted when repeatedly warned.

Gibson Security told ZDNet that fixing the threat would have only cost Snapchat ten lines of code.

With publication of username matches to phone numbers, malicious entities can now hop-step to brute force account passwords, and cross-match data from other databases to compile profiles across multiple services for stalking, spamming, and more.

In the EU, a person's phone number is categorized as personal information, and falls under data protection laws.

Responsible disclosure is dead

Snapchat joins a long legacy of companies denying responsible disclosure by security researchers, only to be embarrassed when users become victims of the exact targeted attacks whose warnings went ignored.

In October, Apple told press that Apple can read your iMessages with an iMessage man-in-the-middle attack (hijacking and changing messages between iPhones in real time).

Like Snapchat, Apple downplayed the risks and attempting to discredit responsible security researchers by cavalierly labeling responsible disclosures as "theoretical."

In a statement to AllThingsD, Apple spokesperson Trudy Muller said: "iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so."

The same day as Apple's dismissal, we published video of the researchers giving us a live demonstration of iMessage interception and alteration between iPhones, directly proving Apple wrong.

Snapchat's story is disturbingly egregious; Gibson Security warned Snapchat in August of its security problems, and went public with claims when Snapchat refused to acknowledge what GibSec felt were issues that put users - such as themselves - at serious risk.

Snapchat did nothing. On Christmas Day, Gibson Security published Snapchat exploits (only a few of the ones GibSec found) in an attempt to spur Snapchat into action to take user safety and database security seriously.

Gibson said it was sick of Snapchat ignoring security researchers.

"That vulnerability is completely theoretical." - Microsoft

Like Apple Snapchat did not respond to ZDNet's request for comment - despite the fact that we first broke news and published technical information about security researchers' discoveries.

In fact, Snapchat admitted to Gibson Security that it first learned about the exploits from our pre-publication email requesting comment about GibSec's disclosures.

Both companies only responded to press outlets that have a record of reporting uncritically about the companies.

Unfortunately for Snapchat, TechCrunch wasn't buying it.

This behavior typifies the irresponsible behavior of companies both new and established when it comes to user security issues - notably different than the companies' behavior about company security issues.

In 1992 an early hacking group known as L0pht Heavy Industries posted a quote from Microsoft, "That vulnerability is entirely theoretical."

It was from an email exchange between L0pht and Microsoft, when the hackers responsibly disclosed the discovery of a security problem (one of the first buffer overflows) in their software.

The quote became the group's tagline, "Making the theoretical practical since 1992."

Publication of such a massive user name and number database gives weight to the other serious problems Gibson Security has uncovered.

Snapchat has ignored Gibson Security's revelation that a mass registration exploit shows there is no way to verify the validity of Snapchat user accounts - raising questions about Snapchat's actual user numbers, versus inflated reports.

Another glaring issue Snapchat has not acknowledged is the direct accusation that Snapchat had lied to its investors, notably Goldman Sachs, about user gender.

Snapchat currently has over five open job listings on its website, none of which include security positions.

ZDNet reached out to Snapchat prior to publication of this article, but the possibility of Snapchat's response is entirely theoretical.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

27 comments
Log in or register to join the discussion
  • Easy solution.... Bitcoin is the answer.

    A bitcoin wallet should be set up for all of those hacked to donate into, when a sufficient fund has accumulated then an open contract could then be issued on the head of those responsible for releasing the information, upon verified posting of death certificate/s of those involved the bitcoin wallet key is then sent to the winners.

    Since the psycho's in charge seem completely unable to do anything about the hackers, time for the people to take out the trash.
    Reality Bites
    • actually it should be those that collected the information...

      Since its inevitable that all collected information will ultimately be leaked, hacked, or otherwise exposed. The security community is ultimately responsible for stupidly instructing everyone to collect personal data which they should have realized could ultimately not be protected.
      greywolf7
      • Why those that collected?

        If someone stole your laptop and gained access to your contacts, who should be the target of the hit? It is exactly the same thing, just on a smaller scale. It is not a crime to collect info. It is a crime to steal the laptop (or the Snapchat database). In the old days, we had big paper phonebooks that publicly listed everyone's name, address, and phone number, and very few people lived in fear of someone knowing who they were. Only those who used that info to attack someone were considered criminals. We need to make it less attractive to use or sell the info. Let the FBI go old school and enlist G-men who hunt down and destroy the black market info brokers. I would imagine a team of NSA hackers paired with a team of Melvin Purvis style FBI killers...err i mean agents. Take away the easy monetary gain and you take away the incentive for stealing the info in the first place.
        Jaybus
      • Lamenting about how utterly inept the system is doesn't fix it

        Putting a price on the head of those that try to destroy the system fixes the problem 100%.

        It would only take the fulfilling of a couple of contracts and you would be amazed at how few hackers there would be.
        Reality Bites
        • Welcome to China Comrade!

          It is estimated that China executed over 3000 criminals last year, but there is still crime in China. Also, you might be surprised at the number passively suicidal deathwish hackers are out in the world.
          Christopher Daniels
  • And what happens the first time this data is used to track down...

    ...and stalk/harm/abuse one of Snapchat's users, the MAJORITY of which are obviously female, regardless of what the company claims.

    By ignoring these warnings and playing coy with their user's privacy, Snapchat, a company which could at one point have sold out for lumps of cash, just wrote etched their own tombstone in history. Idiots.
    Playdrv4me
    • The dangers of immature company leadership

      Considering the number of VCs who have funded the company, I would have expected them to demand some more experienced company leadership be put in place. They would have recognized the severity of the issue and the potential cost impacts.

      Supposedly Google offered $3B for the company, I wonder how many zeros this disaster will shave off the final price tag.
      terry flores
    • Those that released the information should be paying a very personal price.

      Those that wage war on fellow man are nothing but parasitic traitors, lead fixes their problem instantly. Ignorant hackers don't hack when they are dead.
      Reality Bites
  • Too bad

    This is unfortunate because I'm a huge fan of SnapChat and other privacy-based sites such as Ravetree and DuckDuckGo. Hopefully they can get this sorted out. It would be a MUCH bigger deal if google gets hacked because of all the personal information they collect about its users (including your browsing history information).
    chrisp114
    • Actually Google has been hacked

      But the people who did the hacking are not interested in selling personal info (yet).
      terry flores
    • Another service

      You should take a look at http://www.shizup.com
      Another service that values our privacy...
      tamirw
  • Why all the armageddon talk?

    They now know the phone number and snapchat username.... It's pretty useless stuff really?

    Total fail on snapchat's part! I'd say the ability to recover messages on jailbroken/rooted devices was potentially a far greater invasion of privacy.
    MarknWill
  • Just curious....

    I'm sure these "security researchers" are benevolent folks whose entire mission in life is to protect us from information leakage completely free of charge... or is it more like.... Hey Snapchat...our hacke...I mean "researchers" have found a way into your database....please hire our security firm to identify these problems for you....or we will make sure they are released to the public. It only takes 10 lines of code to fix the problem....it you know exactly where in the millions of lines of code the problem is of course. Should I as the end user be happy that there is a "market" for finding security holes. Will this lead to better security as a whole? -- what could Snapchat have done to make the security firm confident that their concerns were being addressed? Somehow...I doubt that we are seeing the entire picture in this article. If someone threatens to post your personal information on the web UNLESS YOU DO SOMETHING...it sounds like extortion....but when a security firm does it....it's legitimate research. I feel so much better now.
    b0b0rama
    • The 'researchers' are the criminals

      Why doesn't anyone else see what is absolutely obvious to boborama and myself? They may call themselves 'researchers' , but they are extortionists! The 'researchers' at Gibson Security are the ones who self fulfilled their own prophecy and released the private info, and why? Because Snapchat wouldn't pay them their blood money!

      For individual users, just don't put anything you don't want sold and/or exploited online, period.
      Froggey1
      • The 'researchers' are the criminals

        Actually Snapchat could have hired anyone they wanted to find the exploit that Gibson Security researchers found so no extortion here. Gibson had no hold over Snapchat.

        Now days all these companies should encrypt all information in the database so stealing the database would be worthless unless they managed to steal the key too. Yes it could be a lot of overhead but worth it in the long run. Target a recent example that didn't encrypt the information they kept.

        Jeffery
        JefferyS_TheTech
  • Stupid Question

    Why on earth would you put "Real" information when you fill out account info on these "Social Media" sites. You are not criminally responsible if you lie on the application for account.
    Security is as much the responsibility of the individual as it is the site owner. I am not giving a pass to the web site owner, but am saying, "Don't put real information on social media sites if you don't want people to use it."
    As far as Europe is concerned, I have always like the stronger privacy laws they enacted. I wish the United States would strengthen their privacy laws. Until then use fake credentials.
    george@...
    • Actually, it is criminal to lie ...

      The Computer Fraud and Abuse Act (CFAA)and the existing computer fraud law (18 U.S.C. § 1030) have been interpreted to make illegal any "unauthorized access" including access obtained by violating the terms of services. So if they require your true name and you provide a false one to obtain access to their service, you have potentially committed a Federal crime.
      terry flores
      • Over simplified application of federal ineptitude

        You cannot steal something that is free, therefore a fictitious identity on any social waste-of-time site is not a crime because there is no financial loss to the service provider.

        If there was a fee for the social waste-of-time site and you believe that the service providers terms of service violate your 5th amendment rights to privacy, or any of your civil rights, you can use a fictitious identity to protect your civil rights.

        The only financial loss would be the inability for the service provider to sell your personal information for profit, which you do not have to agree to if you believe it violates your privacy rights, so providing a fictitious identity is your right as a citizen.

        Blaming the data loss on "hackers" is so laughable it becomes wondrous that anyone's gullible enough to believe that - Either insiders at snapchat grabbed the data to sell it for profit or it just the NSA grabbing more data to complete just one more wiring diagram of associations and activities of American citizens.

        Either way it's pretty irrelevant to physical reality.
        Makes Things
  • So, the headline said snapchat,

    but in reality, you wanted to slam Apple.
    baggins_z
    • As much as I like seeing Apple slammed :) I don't think they did here

      I think the point here was that software companies, starting with Microsoft in 1992, and more recently with Apple, and now Snap Chat tend to ignore threats brought to light by outside companies. At least once. Then once they get burned they refocus.
      Arcanha