Tuesday, December 31, 2013

10:10 PM

A site called SnapchatDB.info claims that they’ve saved usernames and phone numbers for 4.6 million accounts and made the information available for download. SnapchatDB says that it got the information through a recently identified and patched Snapchat exploit and that it is making the data available in an effort to convince the messaging app to beef up its security. We’ve reached out to Snapchat and SnapchatDB for comment.


SnapchatDB said it “censored the last two digits of the phone numbers” in order to “minimize spam and abuse,” but that it still might release the unfiltered data, including millions of phone numbers.


The Next Web did a WHOIS lookup on SnapchatDB’s domain and found it was created just yesterday on December 31. The registrant’s name is protected, but its mailing address and contact number are both listed in Panama.


The site appears to have been created in response to recently identified flaws in Snapchat’s security. Last week, ZDNet published an article on how white-hat Gibson Security researchers had tried to alert Snapchat to ways that hackers could connect usernames to phone numbers for use in stalking, but were ignored. Gibson Security then published the exploit publicly on Christmas Eve.


The firm said that hackers could use two exploits to gain access to users’ personal data, including their real names, usernames and phone numbers, through Snapchat’s Android and iOS API. Snapchat did offer a public statement, but as TechCrunch’s Josh Constine wrote, it wasn’t very satisfactory because it did not offer details on how its countermeasures would work, such as rate limiting, bad IP blocking, or automated systems that scan for suspicious activity. Snapchat said:



“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.”
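As an added illustration of the rate-limiting countermeasure mentioned above (this is not Snapchat's code, and it is not from Gibson Security or the original article), the sketch below budgets the number of distinct phone numbers a client may look up per window and rejects batches that contain long consecutive runs, the pattern an "every number in an area code" upload produces. The class name, thresholds and sample numbers are all assumptions made for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600        # assumed look-back window
MAX_DISTINCT_NUMBERS = 500   # assumed budget of distinct numbers per client per window
MAX_SEQUENTIAL_RUN = 50      # assumed: real address books rarely hold long consecutive runs


def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... among the submitted numbers."""
    values = {int(n) for n in numbers}
    best = 0
    for v in values:
        if v - 1 not in values:          # v is the start of a run
            length = 1
            while v + length in values:
                length += 1
            best = max(best, length)
    return best


class ContactLookupGuard:
    """Budgets distinct numbers per client, not requests, so batching does not evade it."""

    def __init__(self):
        self._seen = defaultdict(deque)  # client_id -> deque of (timestamp, number)

    def check(self, client_id, numbers, now):
        """Return (allowed, reason) for one contact-lookup request."""
        history = self._seen[client_id]
        while history and now - history[0][0] > WINDOW_SECONDS:
            history.popleft()            # forget lookups older than the window
        if longest_consecutive_run(numbers) > MAX_SEQUENTIAL_RUN:
            return False, "sequential-range"
        known = {n for _, n in history}
        fresh = set(numbers) - known     # re-checking the same contacts costs nothing
        if len(known) + len(fresh) > MAX_DISTINCT_NUMBERS:
            return False, "distinct-number-budget"
        history.extend((now, n) for n in fresh)
        return True, "ok"


if __name__ == "__main__":
    guard = ContactLookupGuard()
    # Constructed sample input: a small address book, then a consecutive block.
    print(guard.check("client-1", ["5550100017", "5550142391", "5550187702"], now=0))
    print(guard.check("client-2", [str(5550100000 + i) for i in range(100)], now=0))
```

Counting distinct numbers rather than requests matters because a single lookup request can carry many numbers at once.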



To be sure, SnapchatDB might be a prank meant to call attention to these issues. On Hacker News, several people have had trouble downloading the data files (I just got an error message for both of them, but that may be because of high traffic). Some commenters who did manage to get ahold of the files said they couldn’t find their own numbers in the lists and entire area codes appeared to be missing.


Either way, the Gibson Security report and SnapchatDB are both reminders that even in an ephemeral messaging service, it would be a mistake to be lulled into a sense of security about the information that you do have stored with the app. “People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with,” SnapchatDB stated on the site.






