Attackers could match phone numbers to Snapchat accounts, researchers say

A legitimate feature for finding friends on Snapchat lacks rate limiting and can be abused, a security research group claims

A security hole in popular photo messaging service Snapchat could allow attackers to find the phone numbers of many users in a short period of time, according to Gibson Security, a computer security research group.

The researchers published proof-of-concept code that abuses a legitimate feature of the Snapchat API (application programming interface) called "find_friends" to iterate through a large number of phone numbers and match them to Snapchat accounts.

Gibson Security first revealed this vulnerability in August, along with some other issues it found after reverse engineering the Snapchat API, the protocol used by Snapchat clients for Android and iOS to communicate with the company's servers.

Snapchat is a popular messaging application that also allows users to share photos, videos and drawings. It's best known for its photo self-destruct feature, where senders can specify a time period of a few seconds after which a picture viewed by the recipient is automatically deleted.

The Gibson Security researchers decided to release two exploits on Dec. 25 for the "find_friends" issue and a separate issue, because according to them, the company failed to fix the problems during the past four months.

The first exploit is a Python script that can iterate through a given set of phone numbers and return Snapchat account and display names associated with any of those numbers.

"We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers)," the researchers said. "We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ -- we did the Z's -- in approximately 7 minutes on a gigabyte line on a virtual server."

The researchers estimate that an attacker could test at least 5,000 numbers per minute.

"In an entire month, you could crunch through as many as 292 million numbers with a single server," they said. "Add more servers (or otherwise increase your number crunching capabilities) and you can get through a seemingly infinite amount of numbers. It's unlikely Snapchat's end would ever be the bottleneck in this, seeing as it's run on Google App Engine, which (as we all know) is an absolute tank when it comes to handling load."

"Hopping through the particularly 'rich' area codes of America, potential malicious entities could create large databases of phone numbers and corresponding Snapchat accounts in minutes," the researchers said.

The "find_friends" feature is normally used by the Snapchat apps to help users find their friends by checking if any phone numbers in the their address books match Snapchat accounts. According to the Gibson Security researchers, the solution to prevent this feature from being abused is to enforce rate limiting for API queries.

A second issue identified by the Gibson Security researchers stems from Snapchat's lax registration requirements, which could allow attackers to register new accounts in bulk through the API. A separate script that can automate this process has been released as well.

Snapchat did not immediately respond to a request for comment.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

fdgfd www.google.com

Caroline Natalia

How WW shifted physical engagement to virtual success in 5 days

Read more

I found decent information in your article. I am impressed with how nicely you described this subject, It is a gainful article for us. Th...

Daniel Hughes

What 1800 Flowers is doing to create a consistent customer communications experience

Read more

Extremely informative. One should definitely go through the blog in order to know different aspects of the Retail Business and retail Tec...

Sheetal Kamble

SAP retail chief: Why more retailers need to harness data differently

Read more

It's actually a nice and helpful piece of info. I am satisfied that you shared this helpful information with us. Please stay us informed ...

FIO Homes

How a brand facelift and content strategy turned real estate software, Rockend, around

Read more

I find this very strange. The Coles store i shop in still has Flouro lights? T though this would have been the 1st thing they would have ...

Brad

Coles launches new sustainability initiative

Read more

Blog Posts

9 lessons from 7 months of relentless failure

The most innovative organisations embrace failure. Why? Because it is often through failing the most creative out-of-box thinking happens. And with it comes vital learning opportunities that bring new knowledge and experience into teams.

Jacki James

Digital product lead, Starlight Children's Foundation

Why conflict can be good for your brand

Conflict is essentially a clash. When between two people, it’s just about always a clash of views or opinions. And when it comes to this type of conflict, more than the misaligned views themselves, what we typically hate the most is our physiological response.

Kathy Benson

Chief client officer, Ipsos

Brand storytelling lessons from Singapore’s iconic Fullerton hotel

In early 2020, I had the pleasure of staying at the newly opened Fullerton Hotel in Sydney. It was on this trip I first became aware of the Fullerton’s commitment to brand storytelling.

Gabrielle Dolan

Business storytelling leader

Sign in