For a photo- and video-sharing app based around privacy, Snapchat sure has a lot of security holes floating around. At one time, you were able to take screenshots of Snapchats in iOS 7 without the sender knowing, which is something that you can still do on rooted Android devices.
But that all pales in comparison to the security holes lurking in Snapchat's API, which was just recently released to everyone online by Gibson Security—along with the code for two important exploits.
GibsonSec first revealed these security holes to Snapchat back in August, but after no response and no patches, GibsonSec gave malicious hackers and spammers a nice Christmas present with the code for the exploits.
The first flaw takes advantage of Snapchat's "Find Friends" feature, which allows Android and iOS users to find friends on Snapchat using their phone numbers.
The "Find Friends Exploit" makes it possible for someone to use a script that can go through a list of phone numbers, finding matches with registered Snapchat users—even if they are listed as private—and harvesting an inventory which could then be used for spamming, or to sell to spammers at a high cost.
Not only can they match your Snapchat display name, username, and phone numbers, but they could also find your linked social profile. And they can do it fast.
GibsonSec stated in their release that they "...were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z's) in approximately 7 minutes on a gigabit line on a virtual server."
They go on to say that it could be done in less than a minute and a half, covering anywhere from 5,000 to 7,000 numbers. "In an entire month, you could crunch through as many as 292 million numbers with a single server."
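The sub-range walk described above is what a server-side abuse check would look for. The following is an added example, not GibsonSec's or Snapchat's code: it assumes a hypothetical per-client log of Find Friends lookups and flags clients that exceed a lookup rate or whose lookups concentrate in one (XXX) YYY block.

```python
import re
from collections import defaultdict, deque

# Constructed sample of (timestamp_s, client_id, phone_number); not real traffic.
def make_sample():
    reqs = []
    # "scanner" walks the (555) 010-0000 .. 010-0039 sub-range, 40 lookups in 20 s
    for i in range(40):
        reqs.append((1000 + i * 0.5, "scanner", f"555010{i:04d}"))
    # "user" syncs 8 unrelated contacts over a few seconds
    for i, n in enumerate(["2125550143", "3105550199", "4155550127", "6175550108",
                           "7025550165", "8085550112", "9175550181", "2065550170"]):
        reqs.append((1000 + i * 0.3, "user", n))
    return sorted(reqs)

SAMPLE_REQUESTS = make_sample()

def number_block(number):
    """Return the (XXX) YYY part of a 10-digit number; ZZZZ is what a scanner walks."""
    digits = re.sub(r"\D", "", number)
    if len(digits) != 10:
        raise ValueError(f"expected a 10-digit number, got {number!r}")
    return digits[:6]

def detect_enumeration(requests, window_s=60.0, max_lookups=20, block_share=0.8, min_sample=10):
    """Flag clients that exceed max_lookups per sliding window ("rate"), or whose
    recent lookups mostly share one (XXX) YYY block ("sub-range walk")."""
    recent = defaultdict(deque)   # client -> (ts, block) pairs inside the window
    flags = defaultdict(set)
    for ts, client, number in sorted(requests):
        q = recent[client]
        q.append((ts, number_block(number)))
        while q and ts - q[0][0] > window_s:   # drop lookups older than the window
            q.popleft()
        if len(q) > max_lookups:
            flags[client].add("rate")
        if len(q) >= min_sample:
            counts = defaultdict(int)
            for _, blk in q:
                counts[blk] += 1
            if max(counts.values()) / len(q) >= block_share:
                flags[client].add("sub-range walk")
    return {c: sorted(f) for c, f in flags.items()}

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_REQUESTS))   # {'scanner': ['rate', 'sub-range walk']}
```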
The second security flaw takes advantage of the easy registration requirements, which would let someone use the API and an automated script to create Snapchat accounts in bulk, which could then be used to spam real users.
Not really. Not unless Snapchat fixes their API, a fix that GibsonSec says requires only 10 lines of code. You could always delete your Snapchat account, but that doesn't mean your information isn't still there for the grabbing. They may delete your images and videos from their servers, but who knows about your account info.