The popular photo-sharing Android and iOS app Snapchat may have security issues that need to be addressed immediately, according to Gibson Security, a group that claims to have hacked Snapchat's API, which is not publicly documented. There are two exploits: the find_friends exploit and the Bulk Registration exploit.
Find_Friends
The first of the two takes in a set of phone numbers and matches them to usernames, whether or not the user being looked up has enabled phone-number matching. This could even lead to spam. When a phone number matches the record of a Snapchat user, the hacker receives a record that includes the username, its associated display name, and whether the account is private or not.
Bulk Registration
The second exploit, Bulk Registration, does exactly what the name suggests: it creates thousands of Snapchat accounts, which in turn makes it easier to run the find_friends exploit at an even higher rate.
With this, anyone can build an exact clone of Snapchat's API and stalk the popular app's alleged 8 million users. Snapchat names, aliases, and phone numbers can be discovered and harvested via the Snapchat Android and iOS API — even if the user's account is private.
The security group had presented the issues to Snapchat in August, saying that anyone can save media sent to them, build a database of usernames and phone numbers, and connect names to aliases and then to social media accounts. They could even hit a user with a denial-of-service (DoS) attack. These issues are still not addressed, and the group warns that they pose a serious threat to users.
Gibson Security explained that the problem could have been fixed earlier with just ten lines of code, but Snapchat ignored their warnings and they felt they had to act. Gibson cautions that both scams and stalking are possible as a result of the security hole that Snapchat is overlooking. Hackers could use the harvested phone numbers to uncover the actual identities of users as well as their general locations. They could even use the gathered data to build a for-profit database in which Snapchat users' phone numbers and social media profiles could be bought by anyone supplying only the individual's Snapchat username.
But Snapchat dismisses any concern regarding the security hole. Snapchat says it has recently added additional counter-measures and continues to combat spam and abuse, adding that the hack sounded 'impractical'.
There are no details on how these counter-measures work, such as IP blocking, rate limiting, or automated systems that scan for suspicious activity that may be someone trying to match names and numbers. This vagueness may help keep the new barriers from being evaded, but it doesn't offer much comfort to users.
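As an added illustration of the server-side fixes the article alludes to (not Snapchat's code, and not Gibson Security's), the sketch below shows a phone-number friend lookup that honours each user's opt-in setting, omits the account-privacy flag from the response, and rate-limits how many numbers one caller may test per time window. All names, the USERS table and the limits are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample directory: phone number -> account record.
# "discoverable" is the user's own "find me by phone number" setting.
USERS = {
    "+15550001111": {"username": "alice", "display_name": "Alice",
                     "private": False, "discoverable": True},
    "+15550002222": {"username": "bob", "display_name": "Bob",
                     "private": True, "discoverable": False},
}


class RateLimiter:
    """Sliding-window limiter: a caller may submit at most `limit` phone
    numbers (not requests) within any `window`-second period, so splitting a
    bulk list into many small requests does not help."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # caller -> deque of (time, count)

    def allow(self, caller, count, now):
        q = self.events[caller]
        while q and q[0][0] <= now - self.window:  # drop expired entries
            q.popleft()
        if sum(n for _, n in q) + count > self.limit:
            return False
        q.append((now, count))
        return True


def lookup_by_phone(caller, phones, limiter, now):
    """Hardened friend finder: only opted-in users are returned, the
    response never reveals whether an account is private, and unmatched
    numbers are not echoed back (hypothetical handler, not a real API)."""
    if not limiter.allow(caller, len(phones), now):
        return {"error": "rate_limited", "matches": []}
    matches = []
    for phone in phones:
        rec = USERS.get(phone)
        if rec and rec["discoverable"]:
            matches.append({"username": rec["username"],
                            "display_name": rec["display_name"]})
    return {"error": None, "matches": matches}
```

A caller who is rate-limited repeatedly is also the signal an automated abuse scanner would key on, since legitimate address-book syncs rarely exceed a few hundred numbers per account.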
Let’s see whether it is really safe snapping or not.
Author : Iman Majeed
