Attackers could match phone numbers to Snapchat accounts, researchers say

A legitimate feature for finding friends on Snapchat lacks rate limiting and can be abused, a security research group claims

A security hole in popular photo messaging service Snapchat could allow attackers to find the phone numbers of many users in a short period of time, according to Gibson Security, a computer security research group.

The researchers published proof-of-concept code that abuses a legitimate feature of the Snapchat API (application programming interface) called "find_friends" to iterate through a large number of phone numbers and match them to Snapchat accounts.

Gibson Security first revealed this vulnerability in August, along with some other issues it found after reverse engineering the Snapchat API, the protocol used by Snapchat clients for Android and iOS to communicate with the company's servers.

Snapchat is a popular messaging application that also allows users to share photos, videos and drawings. It's best known for its photo self-destruct feature, where senders can specify a time period of a few seconds after which a picture viewed by the recipient is automatically deleted.

The Gibson Security researchers decided to release two exploits on Dec. 25 for the "find_friends" issue and a separate issue, because according to them, the company failed to fix the problems during the past four months.

The first exploit is a Python script that can iterate through a given set of phone numbers and return Snapchat account and display names associated with any of those numbers.

"We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers)," the researchers said. "We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ -- we did the Z's -- in approximately 7 minutes on a gigabyte line on a virtual server."

The researchers estimate that an attacker could test at least 5,000 numbers per minute.

"In an entire month, you could crunch through as many as 292 million numbers with a single server," they said. "Add more servers (or otherwise increase your number crunching capabilities) and you can get through a seemingly infinite amount of numbers. It's unlikely Snapchat's end would ever be the bottleneck in this, seeing as it's run on Google App Engine, which (as we all know) is an absolute tank when it comes to handling load."

"Hopping through the particularly 'rich' area codes of America, potential malicious entities could create large databases of phone numbers and corresponding Snapchat accounts in minutes," the researchers said.

The "find_friends" feature is normally used by the Snapchat apps to help users find their friends by checking if any phone numbers in the their address books match Snapchat accounts. According to the Gibson Security researchers, the solution to prevent this feature from being abused is to enforce rate limiting for API queries.

A second issue identified by the Gibson Security researchers stems from Snapchat's lax registration requirements, which could allow attackers to register new accounts in bulk through the API. A separate script that can automate this process has been released as well.

Snapchat did not immediately respond to a request for comment.

Join the newsletter!

Error: Please check your email address.
Show Comments

Blog Posts

Innovations in retail will bring creative and technology closer than ever

While approaching a customer in a shop and asking what you can help them with is Retail 101, how many of us actually enjoy being approached? Generally, you have to give the forced, fake smile and say, “Just browsing, thanks,” while screaming on the inside, “just leave me alone!” Maybe it’s just me?

Jason Dooris

CEO and founder, Atomic 212

There’s a brand in my digital soup

Not a day passes by in the life of business executives where digital innovation or the prospect of disruption is not front of mind. This in turn, drives an unrelenting flow of questioning, discussion and strategy papers.

Jean-Luc Ambrosi

Author, marketer

Can marketers trust agencies again?

Unless you’ve been marketing under a rock, you’ll probably have questioned whether your media agencies are offering you transparency.

Nic Halley

Founder and managing director, Mindbox

Minor correct Nadia, just wanted to clarify that the "Marketo consultants" that did this work, were actually Hoosh consultants

Fab Capodicasa

What it's taking for Edible Blooms to grow a stronger personalisation strategy

Read more

Im not surprise though, been in the industry for couple of years and I feel and see it with my tow eyes how eCommerce platforms innovated...

Jason Smith

Australia Post earmarks $20m for Australian ecommerce innovation investment

Read more

For marketers that are "going Agile" I recommend using Ravetree. It's a really powerful suite of tools for Agile project management, reso...

Janice Morgan

7 ways to run your marketing department like a software startup

Read more

Over the years very part of our lives has become technological. That’s why I am not surprised to see that Australian home loans are going...

GreatDayTo

Why Aussie Home Loans is embracing digital transformation

Read more

Please be alerted eHarmony is a 17+ years old obsolete site. eHarmony is only supported by a big marketing budget and not by serious scie...

FernandoArdenghi

CMO interview: eHarmony CMO reveals what it takes to foster great team relationships

Read more

Latest Podcast

More podcasts

Sign in