A legitimate feature for finding friends on Snapchat lacks rate limiting and can be abused, a security research group claims
A security hole in popular photo messaging service Snapchat could allow attackers to find the phone numbers of many users in a short period of time, according to Gibson Security, a computer security research group.
The researchers published proof-of-concept code that abuses a legitimate feature of the Snapchat API (application programming interface) called "find_friends" to iterate through a large number of phone numbers and match them to Snapchat accounts.
Gibson Security first revealed this vulnerability in August, along with some other issues it found after reverse engineering the Snapchat API, the protocol used by Snapchat clients for Android and iOS to communicate with the company's servers.
Snapchat is a popular messaging application that also allows users to share photos, videos and drawings. It's best known for its photo self-destruct feature, where senders can specify a time period of a few seconds after which a picture viewed by the recipient is automatically deleted.
The Gibson Security researchers decided to release two exploits on Dec. 25 for the "find_friends" issue and a separate issue, because according to them, the company failed to fix the problems during the past four months.
The first exploit is a Python script that can iterate through a given set of phone numbers and return Snapchat account and display names associated with any of those numbers.
"We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers)," the researchers said. "We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ -- we did the Z's -- in approximately 7 minutes on a gigabyte line on a virtual server."
The researchers estimate that an attacker could test at least 5,000 numbers per minute.
"In an entire month, you could crunch through as many as 292 million numbers with a single server," they said. "Add more servers (or otherwise increase your number crunching capabilities) and you can get through a seemingly infinite amount of numbers. It's unlikely Snapchat's end would ever be the bottleneck in this, seeing as it's run on Google App Engine, which (as we all know) is an absolute tank when it comes to handling load."
"Hopping through the particularly 'rich' area codes of America, potential malicious entities could create large databases of phone numbers and corresponding Snapchat accounts in minutes," the researchers said.
The "find_friends" feature is normally used by the Snapchat apps to help users find their friends by checking if any phone numbers in the their address books match Snapchat accounts. According to the Gibson Security researchers, the solution to prevent this feature from being abused is to enforce rate limiting for API queries.
A second issue identified by the Gibson Security researchers stems from Snapchat's lax registration requirements, which could allow attackers to register new accounts in bulk through the API. A separate script that can automate this process has been released as well.
Snapchat did not immediately respond to a request for comment.
Human Centred Design (HCD) has come a long way in the last decade with many forward-thinking organisations now asking for HCD teams on their projects. It’s increasingly seen as essential to unlocking innovation, driving superior customer experiences and reducing delivery risk.
If the FANG (Facebook, Amazon, Netflix, Google) sector and their measured worth are the final argument for the successful 21st Century model, then they are beyond reproach. Fine-tuning masses of algorithms to reduce human touchpoints and deliver wild returns to investors—all with workforces infinitesimally small compared to the giants of the 20th Century—has been proven out.
Marketers have made strides this year in sustainability with the number of brands rallying behind the Not Business As Usual alliance for action against climate change being a sign of the times. While sustainability efforts have gained momentum this year, 2020 is shaping up to be the year brands are really held accountable for their work in this area.
In this bonus last episode of this new podcast series, BrandHook MD, Pip Stocks, talks with former ANZ group general manager of marketing, Louise Eyres, talks about the importance of thinking like a customer and using intuition to solve customer painpoints.
Hey Vanessa, thanks for providing us the things marketers should know about data privacy. This was really an informative post.
astha sharma
5 things marketers should know about data privacy in 2020
Well, that's good to know that. Any other news you want to share here? I can't wait to see more.
Phil Godfrey
Queensland appoints first chief customer and digital officer
It's a pretty interesting article to read. I will learn more about this company later.
Dan Bullock
40 staff and 1000 contracts affected as foodora closes its Australian operations
If you think it can benefit both consumer and seller then it would be great
Simon Bird
Why Ford is counting on the Internet of Things to drive customer engagement
It's a good idea. Customers really should control their data. Now I understand why it's important.
Elvin Huntsberry
Salesforce CMO: Modern marketers have an obligation to give customers control of their data