Snapchat hack prompts release of updated messaging app

hacker in action

The makers of messaging software Snapchat are bringing out an updated version of the app, following the suspension of a website listing the usernames and phone numbers of 4.6 million of its users.

The SnapchatDB.info site was reportedly registered on 31 December by an unknown party based in Panama, and allowed visitors to download the usernames and phone numbers of Snapchat members.

In a statement, the brains behind SnapchatDB.info said its actions were aimed at putting "public pressure" on the messaging service to fix the exploit, and remind them that security and privacy should be at the forefront of what Snapchat does.

"It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does," it said in a statement to TechCrunch.

"Our main goal is to raise public awareness on how reckless many internet companies are with user information. It's a secondary goal for them, and that should not be the case."

The Snapchat app allows users to send pictures or video-based messages to others, which are permanently deleted within seconds of the recipient viewing them.

The Snapchat community is a place where friends feel comfortable expressing themselves and we're dedicated to preventing abuse.

The service reportedly handles more than 400 million messages each day, and as of December 2013 - boasts an active monthly user base of 30 million members

In the TechCrunch statement, the people in charge of the SnapchatDB.info site said they obtained the information through a recently discovered Snapchat exploit.

The exploit codes were published by Gibson Security researchers on Christmas Eve, along with the site's previously undisclosed APIs, and could allow hackers to match Snapchat usernames to people's phone numbers.

The app already offers similar functionality, in the form of its Find Friends feature. This allows users to uncover their friends' usernames if they already know their phone number.

In a website post, the researchers said they first flagged the existence of the exploits last August, but were less than impressed with Snapchat's response to it.

"Given that it's been around four months since our last Snapchat release, we figured we'd do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure: none of them).

"Seeing that nothing had really been improved upon, we decided that it was in everyone's best interests for us to post a full disclosure of everything we've found in our past months of hacking."

In a blog post, published last week, Snapchat acknowledged the Find Friends feature could be exploited by people with access to a large number of random phone numbers, who could then use these to uncover people's usernames.

However, in light of the breach, the company said it plans to rollout an updated version of the messaging app that will allow people to opt out of Find Friends once they've verified their phone number.

"We're also improving rate limiting and other restrictions to address future attempts to abuse our service," the company advised, in a blog post.

"We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com," it continued.

"The Snapchat community is a place where friends feel comfortable expressing themselves and we're dedicated to preventing abuse."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.