Snapchat will offer a way for users to prevent themselves from being exposed to a repeat of the privacy leak that affected 4.6m of its users on New Year's Eve.
Nearly four months after first being warned its Find Friends feature was open to abuse, the ephemeral messaging service has announced plans to update its Android and iOS apps to allow users to opt out of appearing in its Find Friends database. While Snapchat users previously didn't need to provide their phone number to use the service, the company encouraged the practice so users could find other people they knew who were already using the app.
The planned update, announced by Snapchat yesterday, comes in response to the leak earlier this week of 4.6 million Snapchat usernames and phone numbers, which hackers had gained by exploiting the Find Friends privacy flaw that Snapchat had previously dismissed as "theoretical".
Gibson Security published details of two flaws in Snapchat on Christmas Day, along with Snapchat's previously private API. One of the flaws revealed by the security company could allow an attacker to use the API to uncover Snapchat usernames, display names and whether accounts were private or not, if a phone number entered into the Find Friends feature matched one registered by a Snapchat user.
Gibson Security reported the potential flaws to Snapchat in August. Snapchat yesterday suggested it didn't ignore the initial report, stating it implemented rate limiting — capping the number of phone numbers that can be entered into Find Friends in a given period — in August to prevent automated attacks that throw large lists of numbers at Find Friends.
Besides adding the opt-out option, Snapchat says it will introduce several other security changes, including bolstering the rate limiting.
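As an added illustration of the two mitigations described above (this is example code, not Snapchat's own), the toy lookup service below honours a per-user opt-out flag and caps the number of phone numbers a caller may submit per window, logging violations for a detection team. The directory entries, window length, cap and caller identifiers are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: phone number -> (username, opted_out).
# Numbers and usernames are made up for this example.
DIRECTORY = {
    "+15550000001": ("alice_snaps", False),
    "+15550000002": ("bob_99", True),     # opted out of Find Friends
    "+15550000003": ("carol", False),
}

WINDOW_SECONDS = 3600   # assumed sliding window for the rate limit
MAX_NUMBERS = 5         # assumed cap on phone numbers per caller per window


class FindFriendsService:
    """Toy model of a phone-number lookup endpoint with opt-out and rate limiting."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._history = defaultdict(deque)  # caller -> deque of (timestamp, count)
        self.alerts = []                     # throttled callers, for detection review

    def _allow(self, caller, count, now):
        """Sliding-window check on the number of phone numbers, not requests."""
        q = self._history[caller]
        while q and now - q[0][0] >= WINDOW_SECONDS:
            q.popleft()                      # drop lookups outside the window
        used = sum(n for _, n in q)
        if used + count > MAX_NUMBERS:
            self.alerts.append((caller, now, used + count))
            return False
        q.append((now, count))
        return True

    def lookup(self, caller, numbers):
        """Return {number: username} for visible matches, or None if throttled."""
        now = self._clock()
        if not self._allow(caller, len(numbers), now):
            return None
        matches = {}
        for number in numbers:
            entry = DIRECTORY.get(number)
            # Opted-out users look exactly like unregistered numbers to the caller.
            if entry and not entry[1]:
                matches[number] = entry[0]
        return matches
```

Counting submitted numbers rather than requests is what stops a caller from batching a large list into a few calls.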
Snapchat is also implementing systems to make it easier for security researchers to responsibly disclose flaws in its systems. The company isn't offering any bug bounties, but the public can now email discovered security vulnerabilities to the dedicated address firstname.lastname@example.org.
"We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns," the company said.