If you use Snapchat, your ephemeral photo and video messages aren’t the only things that could disappear.
Gibson Security, a group of anonymous hackers whose website describes members as “poor students with no stable source of income,” just published what it claims is Snapchat’s API and details two exploits that could purportedly allow would-be hackers to access the phone number and username of millions of Snapchat users. If the revealed code is accurate, it would also let just about anyone build a Snapchat copycat.
The hackers say they alerted Snapchat to the exploits back in August, but the messaging startup took no action on the vulnerabilities. The group reverse-engineered the API calls made by both the iOS and Android clients to discover the security flaws.
While ReadWrite couldn’t confirm that the documentation does, in fact, allow people to scrape Snapchat users’ phone numbers, the group claims it isn’t difficult to find exploitable flaws in the application. If true, it could be bad news for Snapchat, an app that has faced privacy scrutiny in the past.
The “Find_Friends” and “Bulk Registration” exploits allegedly allow a program to generate phone numbers at random and submit them to the service in bulk; whenever one matches a Snapchat account, the attacker learns that account’s username and display name, as well as its privacy settings. Additionally, malicious coders might be able to use the exploits to create thousands of fake accounts.
“The use case where an evil party who wishes to stalk someone, the scraping for that could be done on a home computer in an afternoon with enough information,” a spokesperson for Gibson Security told ZDNet.
This isn’t the first time Snapchat’s security flaws have been exposed. Earlier this year, a researcher at Decipher Forensics in Utah revealed that snaps aren’t actually deleted from your phone, just hidden. While they’re difficult to access once “deleted,” they’re still stored on the device.
Snapchat Needs To Focus On Security
Not only did Gibson Security’s original security notifications go unanswered by Snapchat, but the group told ZDNet that the problem could have been fixed “with ten lines of code.”
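To make the two exploits described above concrete, and to show why a ten-line throttle is only part of the fix, here is a small simulation. It is added example code written for this article, not Gibson Security’s release or Snapchat’s code: the account directory, the phone-number block, the shape of the contact-matching endpoint, the per-client lookup budget and the client names are all constructed assumptions.

```python
"""Simulated phone-number enumeration against a contact-matching endpoint.

Everything here is constructed for this example: the directory, the
endpoint shape and the throttle are hypothetical, not Snapchat's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    display_name: str
    private: bool  # the account's privacy setting, also leaked on a match


# Constructed directory: four accounts inside one 10,000-number block
# (assumed prefix +1 555 010 xxxx).
DIRECTORY = {
    "+15550100042": Account("alice_k", "Alice", private=False),
    "+15550101337": Account("bob.sec", "Bob", private=True),
    "+15550104242": Account("carol", "Carol C.", private=False),
    "+15550107777": Account("dave_d", "Dave", private=True),
}


class FindFriendsService:
    """Unthrottled contact matching: every submitted number is looked up and
    every hit comes back with username, display name and privacy setting."""

    def find_friends(self, client_id: str, numbers: list[str]) -> dict[str, Account]:
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


class ThrottledFindFriendsService(FindFriendsService):
    """Same lookup behind a hypothetical per-client budget: once a client has
    submitted `budget` numbers in total, further requests are refused."""

    def __init__(self, budget: int = 1000):
        self.budget = budget
        self.used: dict[str, int] = {}

    def find_friends(self, client_id, numbers):
        used = self.used.get(client_id, 0)
        if used + len(numbers) > self.budget:
            raise PermissionError(f"{client_id}: lookup budget exhausted")
        self.used[client_id] = used + len(numbers)
        return super().find_friends(client_id, numbers)


def enumerate_block(service, client_ids, prefix="+1555010", batch_size=100):
    """Attacker: sweep prefix0000..prefix9999 in batches, rotating through the
    supplied client identities (one = a single account; many = accounts
    minted by bulk registration) and giving up once every identity is refused.
    Sweeping in order covers the block without repeats, which is cheaper than
    generating numbers at random."""
    numbers = [f"{prefix}{i:04d}" for i in range(10_000)]
    batches = [numbers[i:i + batch_size] for i in range(0, len(numbers), batch_size)]
    found = {}
    clients = list(client_ids)
    for batch in batches:
        while clients:
            client = clients[0]
            try:
                found.update(service.find_friends(client, batch))
                break
            except PermissionError:
                clients.pop(0)  # this identity is spent; move to the next one
        else:
            break  # no identities left, stop the sweep
    return found


if __name__ == "__main__":
    open_hits = enumerate_block(FindFriendsService(), ["attacker"])
    throttled_hits = enumerate_block(ThrottledFindFriendsService(), ["attacker"])
    sybil_hits = enumerate_block(ThrottledFindFriendsService(),
                                 [f"fake{i}" for i in range(10)])
    print(len(open_hits), len(throttled_hits), len(sybil_hits))  # 4 1 4
```

Running it prints `4 1 4`: the open endpoint gives up every account in the block, the per-client budget cuts a single identity off after one hit, and ten freshly registered identities sweep the whole block again. That is the interaction a practitioner should take from the article: a lookup throttle really is a few lines, but it only holds if the registration path is locked down as well, because the bulk-registration exploit is exactly what lets an attacker spread the lookups across thousands of throwaway accounts.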
The hackers also noted that Snapchat’s claim that the majority of its users are women is unsupported: based on the documentation, the service records nothing from which users’ gender could be determined.
So what does this all mean? Essentially, unknown parties could access the personal information you’ve trusted to Snapchat, and can presumably also create fake accounts with random phone numbers. Snapchat is notoriously tight-lipped as to how many users are actually on the service, though it does claim 400 million messages are received daily.
If accurate, the newly exposed exploits from Gibson Security suggest that some, possibly even many, Snapchat accounts may well be spammers. We’ve reached out to Snapchat for comment and will update this post if we receive a response.
Update: Snapchat responded to Gibson Security’s allegations in a blog post on Friday, acknowledging that it is possible to scrape users’ information.
Image via RyanNagelmann on Flickr