After claiming the makers of SnapChat repeatedly ignored their disclosures over a period of four months, Gibson Security recently published the full details of a pair of bugs in the photo and video sharing application. One could give an attacker the ability to connect phone numbers with usernames on a massive scale, while another could enable the creation of fake accounts.
The researchers claim their exploits impact the latest version of SnapChat on the iOS and Android operating systems.
The so-called “find_friends” exploit essentially gives any logged-in user the ability to enter a random (or not so random) U.S. phone number and figure out if there is a SnapChat account associated with that number.
This is the bug that Gibson Security claims to have disclosed to SnapChat back in August. The researchers claim that SnapChat has done nothing to fix the issue in the meantime.
With a little quick math, the researchers claim they could burn through 292 million standard, U.S.-style phone numbers in a month with their specially made Python script and a virtual server. Whichever of these hundreds of millions of numbers are associated with SnapChat accounts would be known to the attacker running the script.
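An added example, not code from Gibson Security or SnapChat: one server-side control against the bulk lookups described above is a per-account cap on the number of distinct phone numbers queried within a sliding window. The window length, the limit, the account names and the sample requests are constructed assumptions.

```python
from collections import defaultdict, deque

class LookupBudget:
    """Caps how many distinct phone numbers one account may look up per window."""

    def __init__(self, window=3600, limit=500):  # assumed values, tune per service
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)                     # account -> (ts, number)
        self.counts = defaultdict(lambda: defaultdict(int))  # account -> number -> hits

    def _expire(self, account, now):
        queue, seen = self.events[account], self.counts[account]
        while queue and queue[0][0] <= now - self.window:
            _, number = queue.popleft()
            seen[number] -= 1
            if seen[number] == 0:
                del seen[number]

    def allow(self, account, numbers, now):
        """Record the request and return True, or return False if it exceeds the cap."""
        self._expire(account, now)
        seen = self.counts[account]
        fresh = {n for n in numbers if n not in seen}
        if len(seen) + len(fresh) > self.limit:
            return False  # reject the whole batch; nothing is recorded
        for number in set(numbers):
            self.events[account].append((now, number))
            seen[number] += 1
        return True

def replay(records, **settings):
    """Run (ts, account, numbers) records through the budget; count rejections."""
    budget, rejected = LookupBudget(**settings), defaultdict(int)
    for ts, account, numbers in records:
        if not budget.allow(account, numbers, ts):
            rejected[account] += 1
    return dict(rejected)

def sample_records():
    """Constructed traffic: one address-book sync twice, one sequential sweep."""
    contacts = [f"+1202555{i:04d}" for i in range(200)]
    records = [(0, "alice", contacts), (600, "alice", contacts)]
    for batch in range(10):  # ten batches of 100 consecutive numbers
        sweep = [f"+1310555{batch * 100 + i:04d}" for i in range(100)]
        records.append((batch, "bulk01", sweep))
    return records

if __name__ == "__main__":
    print(replay(sample_records()))
```

Re-syncing the same address book costs nothing against the budget because only numbers not already seen in the window count, while a sweep of consecutive numbers exhausts it after five batches.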
The second exploit, though the researchers claim it is less of an exploit and more an issue with lax registration controls, could allow anyone to create an account with two simple requests: “/bq/register” and “/ph/registeru.”
Gibson Security researchers told ZDNet that malefactors could potentially use the second, mass registration exploit to create thousands of accounts in order to disseminate spam and other bad things.
Regarding the friend finding exploit, they also told ZDNet’s Violet Blue, who broke the story on Dec. 25, that an attacker could leverage the very public SnapChat API along with their exploit to easily pair registered numbers and the usernames associated with them – whether or not those user accounts are private.
SnapChat is a photo and video sharing service whose selling point is that shared photos and videos are ephemeral. Once a ‘Snap’ is opened by the recipient, it is viewable for ten or so seconds before disappearing forever. Because of this, SnapChat is reputedly used as a mechanism for sharing lewd photos. Of course, the claim that the photos are temporarily viewable is dubious at best. Recipients can easily take a screenshot of a snap and there are even applications that allow recipients to save snaps altogether. Beyond that even, reports emerged in October that the company was sharing data with law enforcement when compelled to do so, further stressing the claim that all photos are deleted.