Snapchat snafu is lesson to mobile app developers

In an era when hackers, friends or parents can view the messages you send back and forth, the idea of an online service whose photos and texts disappear seconds after being viewed to ensure privacy is appealing to many.

That’s why Snapchat has found millions of followers for its smartphone app.

But the startup found out this week that there’s another way user privacy can be invaded: Leveraging a vulnerability, hackers exposed the usernames and phone numbers of Snapchatters.

In an interview with CBC News, Ian Goldberg of the University of Waterloo’s cryptography, security and privacy group said the incident shows the vulnerabilities of smartphone apps.

In this case the vulnerability was an optional service called Find Friends that lets users enter their phone numbers in a field to find others who have that number in their address books.

In August a security research group called Gibson Security warned Snapchat there was a problem with its application programming interface (API). Then on Christmas Eve Gibson published proof-of-concept code showing how it might be done. Hackers did the rest.

On Dec. 27, Snapchat acknowledged that “theoretically” if someone uploaded every number in an area code — or every phone number in the U.S. — usernames could be matched to phone numbers. But it said it has recently added counter-measures.

Apparently it wasn’t enough.

On Thursday the service admitted that on New Year’s Eve an attacker released a database of partially redacted phone numbers and usernames. Snapchat now says it will soon release an updated version of the app allowing users to opt out of the Find Friends feature.

On the one hand, very little personal information was released — although having a phone number openly available puts people at risk of spam and identity theft. On the other hand, the incident is a lesson to all organizations with mobile apps: Security is still the number one issue no matter how little personal information is available.
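
An added example, not part of the original article and not Snapchat's code: one way a contact-lookup endpoint like Find Friends could resist the bulk matching described above, by capping the distinct numbers an account may look up per time window and flagging uploads made of consecutive numbers. The class and function names, the limits and the sample phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict

class LookupBudget:
    """Cap on distinct phone numbers one account may look up per time window."""

    def __init__(self, max_numbers=500, window_s=86400):
        self.max_numbers = max_numbers
        self.window_s = window_s
        self._seen = defaultdict(dict)  # account -> {number: first lookup time}

    def allow(self, account, numbers, now):
        seen = self._seen[account]
        # Forget numbers whose first lookup has aged out of the window.
        for n in [n for n, ts in seen.items() if now - ts >= self.window_s]:
            del seen[n]
        new = set(numbers).difference(seen)
        if len(seen) + len(new) > self.max_numbers:
            return False  # reject the whole batch; nothing is recorded
        for n in new:
            seen[n] = now
        return True

def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive numbers in one upload."""
    vals = sorted({int(n) for n in numbers if n.isdigit()})
    best = run = 1 if vals else 0
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def check_upload(budget, account, numbers, now, max_run=20):
    """Return 'ok', 'flag_sequential' or 'over_budget' for one upload."""
    # A real address book is scattered; a swept number block is not.
    if longest_consecutive_run(numbers) >= max_run:
        return "flag_sequential"
    return "ok" if budget.allow(account, numbers, now) else "over_budget"

# Constructed sample data (fictional 555-01xx numbers, hypothetical accounts).
ADDRESS_BOOK = ["4165550123", "6045550188", "5195550142"]
BLOCK_SWEEP = [str(4165550100 + i) for i in range(100)]

if __name__ == "__main__":
    budget = LookupBudget(max_numbers=100, window_s=3600)
    print(check_upload(budget, "alice", ADDRESS_BOOK, now=0))
    print(check_upload(budget, "mallory", BLOCK_SWEEP, now=0))
```

The budget counts distinct numbers rather than requests, so splitting one large upload into many small ones does not get around it.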

Read the Snapchat blog here

Read the CBC story here

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
