Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored
Hackers have made sure that popular photo sharing app Snapchat got a hearty lump of coal for Christmas.
Read this
After having its security disclosure go ignored since August, Gibson Security has published Snapchat's previously undocumented developer hooks (API) and code for two exploits that allow mass matching of phone numbers with names and mass creation of bogus accounts.
The Australian hackers announced its publication of Snapchat's API and the two exploits on the GibSec Twitter account on Christmas Eve — which by time difference is Christmas Day in Australia.
Now anyone can build an exact clone of Snapchat's API and stalk the popular app's alleged 8 million users.
Snapchat is a popular Android and iOS application, especially with younger users — and has an unwanted reputation for sexual content sharing. The app allows users to exchange photos, videos or messages that Snapchat states vanish in 10 seconds or less once they are opened.
Google Play currently lists the Snapchat Android app as having been installed between 10 million and 50 million times. In June, Snapchat raised over $60 million in VC funding with an $800 million valuation.
Snapchat names, aliases, and phone numbers can be discovered and harvested via the Snapchat Android and iOS API — even if the user's account is private.
Gibson Security told ZDNet via email the metadata could be used in conjunction with other APIs to "automatically build profiles about users, which could be sold for a lot of money."
He added: "People could operate a service similar to ssndob.cc (see here), where you could pay a few dollars and obtain the phone number and social media profiles of a person, just by their username."
This, he said, could also be used for targeted scamming, but also for stalking, which he described as his "biggest worry."
"You could find someone's phone number in minutes provided you know the general area they live in,"
Snapchat turned down an offer from Facebook to buy it for $3 billion in November, underscoring Gibson Security's statement about the value of selling a user profile database.
The 'Find Friends' exploit and the 'Bulk Registration' Exploit
The code published at the end of Gibson Security's drop today is fully functional.
The hackers told ZDNet the first script, known as the "find_friends" exploit, takes in a list of phone numbers, which the script could be made to generate, and "obtains the Snapchat username of anyone with a number in that range."
With the now-published "Find Friends Exploit" a malicious entity can use the Snapchat API to write an automated program that generates phone numbers to exhaustively search the Snapchat database for users. This allows them to obtain a "1:1" link between a person's phone number and their Snapchat account.
"The... exploit could be used to create thousands of accounts, which could be used for spam." — Gibson Security
When the phone number matches a record of a Snapchat user, the malicious entity will get a record that includes the username, the associated display name, and whether the account is private or not.
The Bulk Registration exploit, like the Find Friends exploit, has been a known issue for at least four months but is now officially published.
Gibson Security explained: "The mass registration exploit could be used to create thousands of accounts, which coud be used for speeding up the above process, or possibly for spam."
He also stressed the dangers of user privacy and safety with what it the security firm discovered in August.
"The use case where an evil party who wishes to stalk someone, the scraping for that could be done on a home computer in an afternoon with enough information," he added. "So yeah, it's pretty bad."
Could have been fixed "with ten lines of code"
Snapchat has known about this security issue since Gibson Security notified the company in August. He then published a security advisory the same month after no response or action had been taken by the Stanford startup.
In email correspondence, he explained the security hole could have been fixed with ten lines of code:
"[Snapchat could have fixed this] by adding rate limiting; Snapchat can limit the speed someone can do this, but until they rewrite the feature, they're vulnerable. They've had four months, if they can't rewrite ten lines of code in that time they should fire their development team. This exploit wouldn't have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app)."
The hackers reverse-engineered Snapchat's Apple iOS and Android API in August, revealing the security holes which could allow this type of malicious attack on Snapchat and its users.
Snapchat did not respond to the hackers when they notified the company, or at any time since then.
Hackers: Snapchat 'lied to press, investors'
Gibson Security stated in its Chrismas release they have evidence that Snapchat's marketing claims are not true.
The hackers say there is no way Snapchat's claim to press and its investors to have a majority-female userbase can be true.
He explained that if Snapchat didn't get that information from an analytics provider such as Nielsen, there is "no way they could obtain this information."
He added:
This link is the message sent by the Snapchat client during registration (documented by us), do you see any mention of gender? In the entire protocol we didn't see anything relating to gender too, so saying 70 percent of Snapchats users are women makes no sense at all.
Indeed, even if Gibson Security's statement is correct, it now appears that anyone who reverse-engineered Snapchat's API could have written a script to register false accounts in the tens, if not hundreds of thousands. It's impossible to know what percentage of Snapchat's accounts are valid.
Hackers "sick of" Snapchat ignoring security researchers
When ZDNet asked Gibson Security why they chose to publish the API and code for exploit scripts, Gibson justified the move claiming the reverse engineering project began as fun."
"We found several exploits (some of which aren't released) and eventually we decided to release them in our initial disclosure (27/08/2013)," he said.
"After getting no response from Snapchat during that time, we decided to release on Christmas day. We also saw Evan Spiegel's company send unlawful take down notices to open source Snapchat clients, as well as disregard a major flaw of his app, how easily snaps are decrypted."
Then we got pretty sick of Snapchat's (who we haven't heard from at all) attitude towards the [open-source software] community and security researchers," he added, which led to the release.
Gibson Security elaborated on the "Find Friends" exploit in an email outlining the researchers' concerns.
Our testing (on unused ranges) allowed us to scan 10k phone numbers in 7 minutes, on a gigabit line, which we believe could be easily improved to scan 10k in around a minute and a half.
Now with Nielson recording 8 million users of Snapchat in June of this year, we believe you could scan the entire user-base of Snapchat in 20 hours on a gigabit connection using the following formula:
hours = user_base / 10000 * 1.5 / 60
(Note, the formula would be quite the underestimate, due to it requiring every Snapchat users phone number to be in succession, but 20 hours is nothing, especially when you can target specific areas via phone ranges).
This would only cost $10 for the server, and adding more would improve times dramatically.
$50 is little investment for someone who wants to be able to link usernames (and social media profiles that share those usernames) to phone numbers, and this would let you scan the database in a measly 4 hours, giving you lots to obtain a detailed database.
In an entire month with your five-gigabit connections from the $50 you paid to a server provider, you could scan 1460000000 numbers on Snapchat.
numbers = (((730 * 60) / 1.5)*10000)* servers)
(there are 730 hours in a month, change servers to 5 to get our result btw)
We put in questions to Snapchat prior to publication, but the company did not respond.