According to a "Snapchat Security Advisory" published by Australian researchers, Snapchat names, aliases and phone numbers can be discovered and harvested via the Snapchat Android and iOS API - even if the Snapchat account is private.
Gibson Security discovered a range of disturbing security holes when it reverse-engineered the popular photo and video sharing app, including what it believes to be unsecure encryption practices (two encryption keys across all users) and code for in-app ads.
Gibson Security has informed ZDNet that "The API reversed isn't just used for Android, but iOS too. Both platforms are vulnerable."
ZDNet has contacted Snapchat for comment and will update this article accordingly.
According to the researchers, using the Snapchat API, a malicious entity can write an automated program that generates phone numbers and exhaustively searches the Snapchat database for matching users.
Gibson Security calls this the "Find Friends Exploit."
When the phone number matches a record of a Snapchat user, the malicious entity will get a record which includes the username, the associated display name, and whether the account is private or not. "Doing this, you can make a 1:1 link between a person's phone number and their Snapchat account. Handy feature? Yes. Easily exploitable? Definitely."
The security firm explained its concerns about the "Find Friends Exploit" to ZDNet, saying:
Internet trolls and stalkers could use this information to harass people in real life, unmasking the anonymity and privacy Snapchat provides.
The scariest part for us is the possibility of a company utilizing this exploit on a massive scale, only to sell a database of Snapchat names, phone numbers and locations to a third party.
With little work, a malicious party could steal large amounts of data and sell it on a private market, and that's highly illegal.
Gibson's Security Advisory explains, "Snapchat use [sic] a fairly simple (yet strangely implemented) protocol on top of HTTP. We won't reveal anything about the protocol, only what is needed for these problems, but the rest is easily figured out. We are privacy conscious, being users of the service ourselves."
ZDNet asked Gibson Security ("GibSec") if it had contacted Snapchat to report the security issues.
GibSec told ZDNet, "Snapchat aren't exactly easy to get hold of," and said the firm had "attempted to apply for the Software Developer position at Snapchat (we would gladly help improve the security and performance of the application) but failed to get a response."
Gibson Security's Advisory page says it believes that using GibSec's API implementation, a bad actor could potentially save sent media, DoS (Denial of Service) Snapchat users, build a database of usernames and phone numbers, connect names to aliases "easily" and "with further work" connect social media accounts to Snapchat identities.
The researchers stress that, in their view, anyone able to gain access to Snapchat's servers could easily view, modify or replace snaps being sent.
GibSec wrote, "With a couple lines of Python, someone could view all your unread messages, and depending on the situation, modify and even replace the images completely."
Snapchat is a popular Android and iOS application, especially among young users, in which people exchange photos, videos or messages that Snapchat states vanish in 10 seconds or less; it also has an unwanted reputation for sexual content sharing.
Google Play currently lists the Snapchat Android app as having been installed between 10,000,000 and 50,000,000 times. In June Snapchat raised over $60 million in VC funding at an $800 million valuation.
In May, one month before that valuation, Richard Hickman of Decipher Forensics published a similar security examination demonstrating that Snapchat photos do not actually disappear: using forensics software, the images can still be retrieved after the time limit expires.
Snapchat's Law Enforcement Guide states that if a file is not viewed by the recipient, it remains on Snapchat's servers for 30 days, and that its servers retain a log of the last 200 sent and received "snaps", but claims that no actual content is stored.
According to Gibson's documentation, Snapchat uses two easily discoverable encryption keys for all of its users - and one is a very recent addition.
Snaps are encrypted using AES in ECB mode.
This is possibly one of the least effective modes of encryption; identical blocks of plaintext are encrypted into identical blocks of ciphertext.
Granted, this is only an issue if you use the same encryption key, which leads us to our next point.
Snaps are encrypted using symmetric-key encryption!
The key is the same in both the Android and iOS app, and it's just sitting around in the app waiting for someone to find it.
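To make the ECB point concrete, here is an added Go example (not code from the advisory or from Snapchat) that encrypts a repetitive buffer under one fixed key with raw ECB and, for comparison, with CBC under a fresh random IV, then counts distinct ciphertext blocks. The key and the sample "image" data are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// distinctBlocks counts unique ciphertext blocks. A count far below the total
// block count means the ciphertext is leaking the plaintext's structure.
func distinctBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = true
	}
	return len(seen)
}

// compareModes encrypts pt (a whole number of blocks) under one key, first with
// raw ECB (each block on its own, no IV, no chaining, as the advisory describes)
// and then with CBC under a random IV; returns (ECB distinct, CBC distinct, total).
func compareModes(key, pt []byte) (int, int, int, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, 0, err
	}
	bs := block.BlockSize()
	ecb := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ecb[i:i+bs], pt[i:i+bs]) // identical input block -> identical output block
	}
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil { return 0, 0, 0, err }
	cbc := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(cbc, pt)
	return distinctBlocks(ecb, bs), distinctBlocks(cbc, bs), len(pt) / bs, nil
}

func main() {
	key := []byte("constructed-16B!")                    // constructed stand-in for a hard-coded app key
	snap := bytes.Repeat([]byte("0123456789ABCDEF"), 32) // constructed, highly repetitive "image" data
	e, c, n, err := compareModes(key, snap)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d blocks: ECB has %d distinct, CBC has %d distinct\n", n, e, c)
}
```

Because the key is also the same for every user, two users encrypting the same snap under ECB would produce byte-identical ciphertext; the random IV in the CBC run is what breaks that link.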
Gibson Security thinks that the issues it claims to have found with Snapchat's encryption "were put in place only after the lack of secure transmission and data encryption was brought up publicly."
GibSec said it made another discovery as well - code for an intrusive timeline "snap" that isn't generated by users.
Whilst we were browsing the latest changes to the Android client, we came across a new addition which caught our eyes.
The updated Snapchat application contains code which, when executed, was found to show a persistent notification (displayed much like a media notification) that is only hidden once the displayed URL is opened (by double clicking) in the user's native browser. This led Gibson Security to believe it will be used for service-wide notifications and advertising.
If this is Snapchat preloading code for its much-discussed upcoming advertising implementation, GibSec says it thinks the ads are going to disrupt and annoy Snapchat users. The researchers wrote,
They're fairly obtrusive, which will definitely hassle users: they float to the top of your feed (...)
You can only dismiss them by opening them - this takes you out of the app, which might take a while for users with slower devices.
The Australia-based security company told ZDNet how Snapchat could fix the issues described in its Advisory and protect its users from the vulnerabilities GibSec found:
Snapchat would need to implement strict rate limiting with their API, and also look at the several other counter-measures we mentioned at the bottom of our zine, such as auditing (internal and external).
To prevent the insecure transport of media, Snapchat needs to change the cryptographic technology used by the service, with audits performed preferably by cryptologists rather than your run-of-the-mill engineer.
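As an added illustration of the rate limiting the researchers recommend (example code, not Gibson Security's or Snapchat's), the Go sketch below budgets the number of phone numbers an account may submit to a contact-matching endpoint inside a sliding window, rather than the number of requests, because a single request can carry an entire address book. The window and budget values are constructed assumptions.

```go
package main

import (
	"fmt"
	"time"
)

type entry struct{ at time.Time; n int } // one request: when it arrived, how many numbers it asked about

// lookupLimiter caps how many phone numbers one account may submit to a
// contact-matching endpoint inside a sliding window (numbers, not requests).
type lookupLimiter struct {
	window  time.Duration
	budget  int
	history map[string][]entry // account -> lookups still inside the window
}

// used returns how many numbers the account has looked up inside the window,
// dropping expired entries as it goes.
func (l *lookupLimiter) used(account string, now time.Time) int {
	cutoff := now.Add(-l.window)
	kept, total := l.history[account][:0], 0
	for _, e := range l.history[account] {
		if !e.at.Before(cutoff) {
			kept = append(kept, e)
			total += e.n
		}
	}
	l.history[account] = kept
	return total
}

// allow decides whether a request asking about n numbers may proceed. A request
// that would push the account over budget is rejected whole; legitimate
// address-book syncs rarely hit this, sequential probing of numbers does.
func (l *lookupLimiter) allow(account string, n int, now time.Time) bool {
	if l.used(account, now)+n > l.budget {
		return false
	}
	l.history[account] = append(l.history[account], entry{at: now, n: n})
	return true
}

func main() {
	// constructed policy: at most 1000 numbers per account per rolling day
	lim := &lookupLimiter{window: 24 * time.Hour, budget: 1000, history: map[string][]entry{}}
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(lim.allow("alice", 800, t0))                   // true: an ordinary address-book sync
	fmt.Println(lim.allow("alice", 500, t0.Add(time.Minute)))  // false: 800+500 exceeds the budget
	fmt.Println(lim.allow("alice", 500, t0.Add(25*time.Hour))) // true: the first sync has aged out
}
```

A production deployment would also log each rejection, since a steady stream of them from one account is the signature of enumeration rather than of normal use.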
In its conclusion, Gibson Security suggested that Snapchat is most likely under typical early-startup pressure to move quickly, and so makes decisions that benefit the company in the short term while neglecting the long-term investment in user security.
ZDNet awaits comment and clarification from Snapchat.