The Australian hackers announced their publication of Snapchat's API and the two exploits on the GibSec Twitter account on Christmas Eve — which by time difference is Christmas Day in Australia.
Now anyone can build an exact clone of Snapchat's API and stalk the popular app's alleged 8 million users.
Snapchat is a popular Android and iOS application, especially with younger users — and has an unwanted reputation for sexual content sharing. The app allows users to exchange photos, videos or messages that Snapchat states vanish in 10 seconds or less once they are opened.
The 'Find Friends' exploit and the 'Bulk Registration' exploit
The code published at the end of Gibson Security's drop today is fully functional.
The hackers told ZDNet the first script, known as the "find_friends" exploit, takes in a list of phone numbers, which the script could be made to generate, and "obtains the Snapchat username of anyone with a number in that range."
With the now-published "Find Friends Exploit" a malicious entity can use the Snapchat API to write an automated program that generates phone numbers to exhaustively search the Snapchat database for users. This allows them to obtain a "1:1" link between a person's phone number and their Snapchat account.
"The... exploit could be used to create thousands of accounts, which could be used for spam." — Gibson Security
When the phone number matches a record of a Snapchat user, the malicious entity will get a record that includes the username, the associated display name, and whether the account is private or not.
The Bulk Registration exploit, like the Find Friends exploit, has been a known issue for at least four months but is now officially published.
Gibson Security explained: "The mass registration exploit could be used to create thousands of accounts, which could be used for speeding up the above process, or possibly for spam."
He also stressed the dangers to user privacy and safety posed by what the security firm discovered in August.
"The use case where an evil party who wishes to stalk someone, the scraping for that could be done on a home computer in an afternoon with enough information," he added. "So yeah, it's pretty bad."
Could have been fixed "with ten lines of code"
Snapchat has known about this security issue since Gibson Security notified the company in August. He then published a security advisory the same month after no response or action had been taken by the Stanford startup.
In email correspondence, he explained the security hole could have been fixed with ten lines of code:
"[Snapchat could have fixed this] by adding rate limiting; Snapchat can limit the speed someone can do this, but until they rewrite the feature, they're vulnerable. They've had four months, if they can't rewrite ten lines of code in that time they should fire their development team. This exploit wouldn't have appeared if they followed best practices and focused on security (which they should be, considering the use cases of the app)."
The hackers reverse-engineered Snapchat's Apple iOS and Android API in August, revealing the security holes which could allow this type of malicious attack on Snapchat and its users.
Snapchat did not respond to the hackers when they notified the company, or at any time since then.
The hackers say there is no way Snapchat's claim to press and its investors to have a majority-female userbase can be true.
He explained that if Snapchat didn't get that information from an analytics provider such as Nielsen, there is "no way they could obtain this information."
This link is the message sent by the Snapchat client during registration (documented by us), do you see any mention of gender? In the entire protocol we didn't see anything relating to gender too, so saying 70 percent of Snapchat's users are women makes no sense at all.
Indeed, even if Gibson Security's statement is correct, it now appears that anyone who reverse-engineered Snapchat's API could have written a script to register false accounts in the tens, if not hundreds of thousands. It's impossible to know what percentage of Snapchat's accounts are valid.
(Note, the formula would be quite the underestimate, due to it requiring every Snapchat user's phone number to be in succession, but 20 hours is nothing, especially when you can target specific areas via phone ranges).
This would only cost $10 for the server, and adding more would improve times dramatically.
$50 is little investment for someone who wants to be able to link usernames (and social media profiles that share those usernames) to phone numbers, and this would let you scan the database in a measly 4 hours, giving you lots to obtain a detailed database.
In an entire month with your five-gigabit connections from the $50 you paid to a server provider, you could scan 1460000000 numbers on Snapchat.
numbers = ((730 * 60) / 1.5) * 10000 * servers
(there are 730 hours in a month, change servers to 5 to get our result btw)
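The rate-limiting fix the researchers say would have taken "ten lines of code", together with a per-request cap on how many numbers a single lookup may carry, as an added illustration that is not Snapchat's or Gibson Security's code. The endpoint shape, the limit values, the in-memory user directory and the injectable clock are all assumptions; the last function reuses the scan-time reasoning above to show what the same limits do to the 1,460,000,000-number figure.

```python
import time
from collections import defaultdict, deque

# Illustrative limits (assumptions, not Snapchat's real values).
MAX_NUMBERS_PER_REQUEST = 50   # phone numbers accepted in one find_friends call
MAX_REQUESTS_PER_WINDOW = 20   # find_friends calls allowed per caller per window
WINDOW_SECONDS = 3600          # sliding-window length


class FindFriendsRateLimiter:
    """Sliding-window limiter keyed by the calling account (or IP, device id, ...).

    The clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, max_requests=MAX_REQUESTS_PER_WINDOW,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # caller -> timestamps of recent calls

    def allow(self, caller):
        now = self.clock()
        hits = self._hits[caller]
        # Forget calls that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def find_friends(caller, phone_numbers, limiter, directory):
    """Hardened lookup: refuse oversized batches first, then enforce the limiter.

    `directory` is a constructed stand-in for the user database (phone -> username).
    Returns {"matches": {...}} or {"error": ...} when the request is refused.
    """
    if len(phone_numbers) > MAX_NUMBERS_PER_REQUEST:
        return {"error": "too_many_numbers", "max": MAX_NUMBERS_PER_REQUEST}
    if not limiter.allow(caller):
        return {"error": "rate_limited", "retry_after": limiter.window}
    return {"matches": {p: directory[p] for p in phone_numbers if p in directory}}


def hours_to_scan(total_numbers, callers=1):
    """Hours needed to enumerate `total_numbers` under the limits above with `callers` accounts."""
    per_caller_per_hour = MAX_NUMBERS_PER_REQUEST * MAX_REQUESTS_PER_WINDOW * 3600 / WINDOW_SECONDS
    return total_numbers / (per_caller_per_hour * callers)
```

With these assumed limits a single account can resolve 1,000 numbers an hour, so the month-long scan of 1,460,000,000 numbers described above would take 1,460,000 hours per account, which is why the bulk-registration exploit matters as much as the lookup itself.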
We put in questions to Snapchat prior to publication, but the company did not respond.