In an era when hackers, friends or parents can view the messages you send back and forth, the idea of an online service whose photos and texts disappear seconds after being viewed to ensure privacy is appealing to many.
That’s why Snapchat has found millions of followers for its smartphone app.
But the startup found out this week that there’s another way user privacy can be invaded: Leveraging a vulnerability, hackers exposed the usernames and phone numbers of Snapchatters.
In an interview with CBC News, Ian Goldberg of the University of Waterloo’s cryptography, security and privacy group said the incident shows the vulnerabilities of smartphone apps.
In this case the vulnerability was an optional service called Find Friends that lets users enter their phone numbers in a field to find others who have that number in their address books.
In August a security research group called Gibson Security warned Snapchat there was a problem with its application programming interface (API). Then on Christmas Eve Gibson published proof-of-concept code showing how it might be done. Hackers did the rest.
On Dec. 27, Snapchat acknowledged that “theoretically” if someone uploaded every number in an area code — or every phone number in the U.S. — usernames could be matched to phone numbers. But it said it had recently added counter-measures.
Apparently it wasn’t enough.
On Thursday the service admitted that on New Year’s Eve an attacker released a database of partially redacted phone numbers and usernames. Snapchat now says it will soon release an updated version of the app allowing users to opt out of the Find Friends feature.
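To make the defensive side concrete, here is an added example (not Snapchat's code) of a Find Friends-style contact lookup endpoint with the controls the incident calls for: a cap on numbers per request, a per-client hourly lookup budget, a check that rejects batches that look like a straight run through an area code rather than a real address book, and the opt-out the updated app promises. The limit values and the sample user table are assumptions.

```python
import time
from collections import defaultdict

MAX_BATCH = 100        # numbers accepted per request (assumed limit)
HOURLY_BUDGET = 500    # numbers one client may check per hour (assumed limit)

def looks_like_sweep(numbers, threshold=0.8):
    """True when most numbers in the batch are consecutive: a real address
    book is scattered, an enumeration of an area code is a straight run."""
    digits = sorted(int("".join(ch for ch in n if ch.isdigit())) for n in numbers)
    if len(digits) < 3:
        return False
    steps = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return steps / (len(digits) - 1) >= threshold

class FindFriendsService:
    def __init__(self, registered, clock=time.time):
        self._users = dict(registered)        # phone number -> username
        self._opted_out = set()               # users excluded from matching
        self._usage = defaultdict(list)       # client_id -> [(time, count)]
        self._clock = clock                   # injectable for testing

    def opt_out(self, username):
        self._opted_out.add(username)

    def _spent_last_hour(self, client_id):
        cutoff = self._clock() - 3600
        self._usage[client_id] = [(t, n) for t, n in self._usage[client_id] if t > cutoff]
        return sum(n for _, n in self._usage[client_id])

    def lookup(self, client_id, numbers):
        if len(numbers) > MAX_BATCH:
            return {"error": "batch_too_large"}
        if looks_like_sweep(numbers):
            return {"error": "enumeration_suspected"}
        if self._spent_last_hour(client_id) + len(numbers) > HOURLY_BUDGET:
            return {"error": "rate_limited"}
        self._usage[client_id].append((self._clock(), len(numbers)))
        matches = {}
        for n in numbers:
            user = self._users.get(n)
            if user and user not in self._opted_out:
                matches[n] = user
        return {"matches": matches}

# Constructed sample data for a stand-alone run (hypothetical numbers and names).
SAMPLE_USERS = {"+1 555 010 0042": "alice", "+1 555 010 0911": "bob", "+1 555 010 0300": "carol"}
```

The sweep check is a heuristic: a client that splits a range into small, shuffled batches still runs into the hourly budget, which is why both controls are needed.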
On the one hand, very little personal information was released — although having a phone number openly available puts people at risk of spam and identity theft. On the other hand, the incident is a lesson to all organizations with mobile apps: Security is still the number one issue no matter how little personal information is available.