A service that appeared secure turned out to be anything but, after attackers published a list of 4.6 million Snapchat usernames matched to phone numbers.
Snapchat is a popular photo messaging app/service that bases its success on having photos and messages “self-destruct” a few seconds after a recipient views them.
Security researchers have long had a problem with the service, saying it gives a false sense of security to the users as it cannot guarantee the recipient won’t make a screenshot of the received message and, thus, manage to keep it and misuse it.
But the latest trouble does not stem from this particular problem. Rather, it resulted from a group of researchers who chose to publicly disclose details of several Snapchat vulnerabilities they had found late this past summer.
Initially, they contacted the company and shared that information with them in the hopes it would react promptly and fix the holes in a reasonable amount of time.
After four months the holes were still there, so the researchers, who go by the name Gibson Security, decided to share the vulnerability information and proof-of-concept exploit code with the public.
One of the vulnerabilities allows (registered) attackers to use the Snapchat API to look up a seemingly unlimited number of phone numbers in order to discover whether the owners of those phones are also Snapchat users. Because usernames are tied to phone numbers, the flaw allows the compilation of a huge database that can then be used for spamming and stalking.
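The root cause described above is a lookup endpoint with no meaningful cap on how many numbers one account may query. The following is an added example, not Snapchat's code, of the server-side control that closes that gap: a per-account sliding window over distinct phone numbers, with accounts that exceed the cap denied and surfaced for abuse review. The account names, timestamps, numbers and the 500-per-hour threshold are constructed assumptions.

```python
"""Throttle bulk phone-number lookups against a friend-finder API (added
example, not Snapchat's code). A real user imports an address book once; an
enumerator asks about far more distinct numbers per hour than any book holds."""
from collections import defaultdict, deque


class LookupWindow:
    """Sliding window of the distinct phone numbers one account looked up."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = deque()           # (timestamp, phone) in arrival order
        self.counts = defaultdict(int)  # phone -> occurrences still in window

    def record(self, ts, phone):
        """Add a lookup; return how many distinct numbers are in the window."""
        self.events.append((ts, phone))
        self.counts[phone] += 1
        while self.events and ts - self.events[0][0] >= self.window:
            _, old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        return len(self.counts)


class LookupGuard:
    """Deny an account's lookups once it exceeds max_distinct numbers/window.
    Repeats of one number are not penalised, so retrying an import passes."""

    def __init__(self, window_seconds=3600, max_distinct=500):
        self.max_distinct = max_distinct
        self.accounts = defaultdict(lambda: LookupWindow(window_seconds))
        self.flagged = set()            # accounts to surface for abuse review

    def allow(self, account, ts, phone):
        distinct = self.accounts[account].record(ts, phone)
        if distinct > self.max_distinct:
            self.flagged.add(account)
            return False
        return True


def replay(events, **kwargs):
    """Feed a lookup log through a guard; return (flagged accounts, denials)."""
    guard = LookupGuard(**kwargs)
    denied = sum(not guard.allow(*event) for event in events)
    return guard.flagged, denied


# Constructed sample: "alice" imports 40 contacts, "mallory" queries 3000 numbers in a minute.
SAMPLE_EVENTS = [("alice", 1000 + i, f"+1555010{i:04d}") for i in range(40)]
SAMPLE_EVENTS += [("mallory", 1000 + i // 50, f"+1555020{i:04d}") for i in range(3000)]
```

Replaying the constructed log flags only "mallory" and denies the 2,500 lookups past the cap, while the 40-contact import passes untouched.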
Last week Snapchat said the attack was theoretical. That ended this week when an unknown party published a list of 4.6 million usernames and phone numbers of Snapchat users.
The site where the names appeared was shut down fairly quickly, but not before people downloaded the list and shared it online.
“This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” the attackers confirmed in a notice posted on the now-defunct site.
The attacking party decided to censor the last two digits of the phone numbers in order to minimize spam and abuse, but they could, “under certain circumstances,” disclose the uncensored database.