Snapchat API exploit results in 4.6M usernames and phone numbers exposed

Snapchat users are mistaken if they think the messaging platform is inherently more secure than its rivals. It has gained millions of users over the last year because it deletes messages and photos after a period of ten seconds or less, but ephemeral messages say nothing about whether its servers can be made to give up confidential details about its users.

And that is exactly what appears to have happened today, only a week after an Australian security firm published details of a glaring weakness in Snapchat’s API. Someone has now taken advantage of that weakness, collecting over 4.6 million usernames and phone numbers and publishing them on a website called Snapchat.db.

Snapchat users can relax for now, as the phone numbers have been published with their last two digits obscured, but that doesn’t mean the hackers won’t release the full numbers in future. The data is believed to be legitimate, however: The Next Web reports that it has accessed a web-based checker script that lets anyone enter a Snapchat username and see whether it appears in the database.

Snapchat.db appears to have been taken offline at the time of writing, but while it was live it allowed anyone to download the 4.6 million user records as a CSV text file or an SQL dump.

“For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse,” read a notice on the site. “Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”

The site also allowed people to send donations to the hackers via Bitcoin, and even send them a direct message.

Sample of database published on Snapchat.db

It’s likely that Snapchat.db was created to shame Snapchat into action after it ignored the flaws identified by white-hat security researchers Gibson Security and published in ZDNet. According to that article, the hackers most likely took advantage of a gaping hole in Snapchat’s API that allowed them to match usernames with phone numbers and to create dozens of fake accounts. Gibson Security told ZDNet that the weakness could be used to build profiles of Snapchat’s users, which could then be sold to cybercriminals. It further stated that Snapchat had known about the vulnerability for at least four months, and claimed that it could have been fixed with “ten lines of code” had the company wanted to.
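To make the class of weakness concrete, here is an added illustrative model, not Snapchat’s code or Gibson Security’s findings, of a “find friends” style lookup that answers caller-chosen phone numbers with usernames. With no limit on how many numbers one caller may submit, the feature becomes a bulk phone-to-username oracle that can be swept over an entire number block; the same endpoint with a batch cap and a per-caller quota is shown beside it. The directory, the endpoint name, the number prefix and the limits are all constructed for the example.

```python
"""Illustrative model of a phone-number-to-username lookup endpoint.

Added example, not Snapchat's code: it models the class of weakness described
in the article (a contact lookup that accepts caller-chosen phone numbers and
returns matching usernames without limiting how many a caller may query).
The directory, endpoint name and limits below are constructed/assumed.
"""
from collections import defaultdict

# Constructed sample directory: phone number -> username (not real data).
DIRECTORY = {
    "4155550101": "alice",
    "4155553142": "bob",
    "4155559177": "carol",
}


class Unprotected:
    """Naive contact lookup: any batch size, no per-caller accounting."""

    def find_friends(self, caller, numbers):
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


class RateLimited:
    """Same lookup with two cheap controls that make bulk enumeration costly:
    a cap on numbers per request and a per-caller budget per time window.
    The limit values are assumptions chosen for the demonstration."""

    MAX_BATCH = 50
    QUOTA_PER_WINDOW = 500

    def __init__(self):
        # Numbers already looked up by each caller in the current window.
        self._used = defaultdict(int)

    def find_friends(self, caller, numbers):
        if len(numbers) > self.MAX_BATCH:
            raise ValueError("batch too large")
        if self._used[caller] + len(numbers) > self.QUOTA_PER_WINDOW:
            raise PermissionError("quota exceeded")
        self._used[caller] += len(numbers)
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def enumerate_block(service, caller, prefix="415555", width=4, batch=1000):
    """Sweep every number prefix+0000..9999 in batches of `batch`.

    Returns (matches found, successful requests). Stops at the first refusal,
    which is what an attacker hitting a cap or quota would see.
    """
    found, requests = {}, 0
    candidates = [f"{prefix}{i:0{width}d}" for i in range(10 ** width)]
    for start in range(0, len(candidates), batch):
        chunk = candidates[start:start + batch]
        try:
            found.update(service.find_friends(caller, chunk))
        except (ValueError, PermissionError):
            break
        requests += 1
    return found, requests


if __name__ == "__main__":
    # 10,000-number block swept in ten requests against the naive endpoint.
    print(enumerate_block(Unprotected(), "attacker"))
    # Oversized batches are refused outright by the limited endpoint.
    print(enumerate_block(RateLimited(), "attacker"))
    # Even at the maximum batch size, one caller is stopped after its quota.
    print(enumerate_block(RateLimited(), "attacker", batch=50))
```

Against the unprotected model the whole 10,000-number block is resolved in ten requests; against the limited one a single caller is cut off after 500 numbers. A per-caller quota is only as strong as the cost of becoming a new caller, which is why the bulk account-creation weakness the article mentions matters as much as the lookup itself: limits per account must be paired with limits on account registration, and ideally the endpoint should only confirm numbers whose owners have opted in to being discoverable.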

What isn’t clear is why Snapchat chose to ignore the vulnerability. Anthony Wing Kosner in Forbes speculates that it may have done so to put older people (i.e. parents) off using the service, because that demographic generally cares more about data security. The fact that older people don’t use Snapchat is one of the primary reasons it’s so popular with teenagers, and the reason millions of them are choosing it over Facebook and others. That might be a smart move in business terms, but from a moral perspective it’s totally wrong, given that a huge share of Snapchat users are underage kids.

Snapchat was undoubtedly one of the hottest apps to emerge in 2013, but unless it takes a long, hard look at its security measures, 2014 could be the year where it falls flat on its face.

About Mike Wheatley

Mike loves to talk about Big Data, the Internet of Things, hacktivists and hacking, but he also hates Google and can never resist having a quick dig at them should the opportunity arise :)