Snapchat may have had a less than happy New Year thanks to the authors of SnapchatDB.info. The site, released on December 31, features approximately 4.6 million Snapchat users’ usernames, phone numbers, and area-code-derived geographical regions. These records were collected using an exploit published by Gibson Security, who have been exploring the undocumented Snapchat API for some time. This exploit, named the find_friends exploit, gives an easily scriptable way to check a list of phone numbers for associated Snapchat usernames. A small sample of the SnapchatDB data:
As Gibson Security and SnapchatDB strongly assert, this data does pose a risk to users who entrust such personal information to social sites and apps. If spammers have both a phone number and a username, they can send a customized spam message that a user is more likely to respond to. In the first half of 2013, Cloudmark and others observed SMS spammers exploiting a similar vulnerability on Facebook, which allowed them to look up people’s names by entering a phone number. This let them match a phone number with a name and then send personalized spam text messages, such as the following:
heyy David! You look sexy in your facebook pic ^.^ You should look me up on Y.ah.oo so we can get naughty haha. My id is: [redacted]
Personalized spam text messages make the recipient more vulnerable to the attack because they are more likely to believe that the sender knows them, and therefore more likely to respond or to take the action requested in the message. For those who recognized the messages as spam, they were just as annoying, and the Facebook attack resulted in a high level of complaints being forwarded to the 7726 spam reporting service.
So far Cloudmark has not observed any data suggesting that spammers have exploited the Snapchat API for the purpose of sending spam. Gibson Security and SnapchatDB claim that they wanted Snapchat to make their API more secure, and that they released the data to force Snapchat to take action. There is no evidence so far that spammers have used the data, although they could.
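To make the lookup problem concrete, the following is an added example (not code from the original post, from Snapchat or from Gibson Security) that models a phone-number-to-username lookup in the shape the post attributes to find_friends, first unthrottled and then behind the kind of controls a service owner could place on it: a bounded batch size, a per-client lookup budget, opt-in discoverability, and a flag for clients whose hit rate looks like a sweep of the number space rather than an address-book sync. The directory, the limits and every function and class name are constructed assumptions for illustration, not Snapchat's countermeasures.

```python
"""Added example, not code from the original post, Snapchat or Gibson Security.

Models a phone-number-to-username lookup in the shape the post attributes to
the find_friends call, then the same lookup with the controls a service owner
could put behind it. The directory, the limits and the function names are
constructed assumptions for illustration.
"""

# Constructed directory: phone number -> (username, user opted in to be found by phone)
DIRECTORY = {
    "4155550123": ("alice_k", True),
    "4155550142": ("bobby_b", False),
    "4155550199": ("carla99", True),
}

MAX_BATCH = 50       # assumed cap on numbers per request
DAILY_BUDGET = 500   # assumed cap on numbers one client may test per day


def find_friends_unthrottled(numbers):
    """Vulnerable shape: any list of numbers, any size, any client, every match
    returned whether or not the user wanted to be discoverable by phone."""
    return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}


class ThrottledLookup:
    """Hardened shape: bounded batch size, a per-client budget, opt-in only, and
    a flag on clients whose hit rate looks like a walk of the number space."""

    def __init__(self, max_batch=MAX_BATCH, daily_budget=DAILY_BUDGET):
        self.max_batch = max_batch
        self.daily_budget = daily_budget
        self.spent = {}       # client_id -> numbers consumed today
        self.flagged = set()  # client_ids showing enumeration behaviour

    def find_friends(self, client_id, numbers):
        if len(numbers) > self.max_batch:
            raise ValueError("batch exceeds %d numbers" % self.max_batch)
        used = self.spent.get(client_id, 0)
        if used + len(numbers) > self.daily_budget:
            raise PermissionError("daily lookup budget exhausted")
        self.spent[client_id] = used + len(numbers)
        hits = {n: DIRECTORY[n][0] for n in numbers
                if n in DIRECTORY and DIRECTORY[n][1]}
        # A real address-book upload matches a fair share of its numbers; a
        # large batch matching almost nothing is a sweep, not a contact sync.
        if len(numbers) >= 20 and len(hits) / len(numbers) < 0.05:
            self.flagged.add(client_id)
        return hits


def sweep_exchange(lookup_fn, area_code="415", exchange="555"):
    """Scripted attacker: try every number in one exchange (0000-9999) in
    batches until the service refuses. Returns (matches, batches accepted)."""
    found, batches = {}, 0
    for start in range(0, 10000, MAX_BATCH):
        batch = ["%s%s%04d" % (area_code, exchange, i)
                 for i in range(start, start + MAX_BATCH)]
        try:
            found.update(lookup_fn(batch))
        except PermissionError:
            break
        batches += 1
    return found, batches


if __name__ == "__main__":
    found, n = sweep_exchange(find_friends_unthrottled)
    print("unthrottled: %d batches accepted, %d users exposed" % (n, len(found)))
    svc = ThrottledLookup()
    found, n = sweep_exchange(lambda b: svc.find_friends("scanner", b))
    print("throttled: %d batches accepted, %d users exposed, flagged=%s"
          % (n, len(found), "scanner" in svc.flagged))
```

Against the unthrottled lookup the sweep walks all 10,000 numbers in 200 requests and recovers every user in the exchange, including the one who opted out. Against the throttled one the same script is cut off after its 500-number budget, never sees the opted-out user, and is flagged on its very first batch because a 50-number request with no hits is not what a contact sync looks like. The budget and ratio thresholds are illustrative; the point is that per-client limits and a hit-rate signal, not a secret API, are what stop bulk enumeration.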
Sending text spam or text phishing is not the only way for the data to be misused; correlation with other data sets can also be used against those Snapchat users who share a common username across other social media platforms such as Twitter or Facebook.
Since August, Gibson Security has made attempts to bring this issue to Snapchat’s attention, but the issues outlined had gone unresolved prior to the publication of the exploit on Christmas morning (in Sydney, Australia).
According to the Australian team, they were contacted on Dec. 28th by Snapchat’s Director of Operations, but Gibsonsec has not yet received a reply to their initial response. In a discussion with TechCrunch, SnapchatDB cites Snapchat’s unresponsiveness regarding these exploits as the chief reason for the release. It appears that they hope to put a spotlight “…on how reckless many internet companies are with user information.”
Fortunately, the creators of SnapchatDB were thoughtful enough to censor the released phone numbers by redacting the last two digits of each one, “… in order to minimize spam and abuse,” as they put it. It seems that these efforts may have met with moderate success. Snapchat issued a statement yesterday outlining their current efforts, countermeasures, and updates.
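The correlation risk mentioned above, and the limit of a two-digit redaction, can be shown with a small added example (not code from the original post or from SnapchatDB). It joins rows in the shape the post describes (username, phone with the last two digits redacted, region) with a constructed profile export from another service on the shared username. Two redacted digits leave at most 100 possible numbers per user; a single cross-referenced record carrying a full number that fits the redacted stem collapses that to one. The "XX" redaction format, the records and the function names are constructed assumptions.

```python
"""Added example, not code from the original post or from SnapchatDB.

Demonstrates the correlation risk the post describes: rows in the shape of
the SnapchatDB release (username, phone with its last two digits redacted,
region) joined on username with a constructed profile export from another
service. Two redacted digits leave 100 possible numbers; one cross-referenced
record with a full number collapses that to one. All records are made up.
"""
import re

# Constructed rows in the shape the post describes ("XX" redaction is assumed).
SNAPCHATDB_STYLE = [
    ("alice_k",  "41555501XX", "San Francisco, CA"),
    ("carla99",  "21255598XX", "New York, NY"),
    ("dmitri_v", "31255511XX", "Chicago, IL"),
]

# Constructed export from another service where some users reuse their handle.
OTHER_SERVICE = [
    {"handle": "alice_k",      "name": "Alice K.", "phone": "415-555-0123"},
    {"handle": "carla99",      "name": "Carla M.", "phone": None},
    {"handle": "someone_else", "name": "S. E.",    "phone": "312-555-1199"},
]


def digits_only(phone):
    """Normalise a phone string to digits; None becomes the empty string."""
    return re.sub(r"\D", "", phone or "")


def candidates(redacted):
    """Every full number a redacted SnapchatDB-style entry could stand for."""
    stem = redacted.rstrip("X")
    missing = len(redacted) - len(stem)
    return [stem + str(i).zfill(missing) for i in range(10 ** missing)]


def correlate(redacted_rows, other_rows):
    """Join on username. Where the other set has a full number consistent with
    the redacted stem, the candidate set collapses to that single number."""
    by_handle = {r["handle"]: r for r in other_rows}
    results = []
    for username, redacted, region in redacted_rows:
        cands = candidates(redacted)
        match = by_handle.get(username)
        full = digits_only(match["phone"]) if match else ""
        if full and full in cands:
            cands = [full]
        results.append({
            "username": username,
            "region": region,
            "linked_name": match["name"] if match else None,
            "candidate_numbers": len(cands),
            "phone": cands[0] if len(cands) == 1 else None,
        })
    return results


if __name__ == "__main__":
    for row in correlate(SNAPCHATDB_STYLE, OTHER_SERVICE):
        print(row)
```

In the constructed data the first user's number is fully recovered and tied to a real name through the shared handle; the second user is linked to a name but keeps 100 candidate numbers because the other export has no phone; the third, with no matching handle, is left at 100 candidates, which is still a small enough set to brute-force against a lookup service that does not throttle. Usernames reused across services are the join key, and a two-digit redaction is only as strong as the absence of any second data set.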