Snapchat Users' Phone Numbers Exposed To Hackers

← Back to Stories (view on slashdot.org)

Snapchat Users' Phone Numbers Exposed To Hackers

Posted by timothy on Saturday December 28, 2013 @12:05PM from the take-a-memo-it'll-last-longer dept.

beaverdownunder writes with an extract from The Guardian, based on a security diclosure from Gibson Security: "Snapchat users' phone numbers may be exposed to hackers due to an unresolved security vulnerability, according to a new report released by a group of Australian hackers. Snapchat is a social media program that allows users to send pictures to each other that disappear within 10 seconds. Users can create profiles with detailed personal information and add friends that can view the photos a user shares. But Gibson Security, a group of anonymous hackers from Australia, has published a new report with detailed coding that they say shows how a vulnerability can be exploited to reveal phone numbers of users, as well as their privacy settings." Snapchat downplays the significance of the hole.

69 comments

Min score:

Reason:

Sort:

Why in God's name... by Anonymous Coward · 2013-12-28 12:09 · Score: 0

... would anyone give their real phone number to anyone who doesn't need it? I don't argue when a merchant asks for my phone number -- I just give them what they want. So any marketers who call me get to peddle their wares to whoever answers the pay phone at the Chevron station at the corner of Who-the-hell-knows St. and Nowhere-in-particular Ave., Seattle, Washington.
1. Re:Why in God's name... by mstra · 2013-12-28 12:11 · Score: 4, Informative
  
  Not defending it, but the way Snapchat works is that you find your "friends" based on their phone number. Not amazingly brilliant, but that's why.
  
  --
  Photography, technology, and my dog Scout - http://mattstratton.com
2. Re:Why in God's name... by Anonymous Coward · 2013-12-28 12:39 · Score: 3, Interesting
  
  Especially when they basically have lied about the photos being deleted.
3. Re:Why in God's name... by Anonymous Coward · 2013-12-28 12:51 · Score: 0
  
  You still have pay phones in the Seattle area? Darn, I didn't think there were any of those left in areas with cell reception. There is an area near Lassen Volcanic National Park in CA that has no reception where I see a pay phone or two, But in a metropolitan area? Wow, how 1980s...
4. Re:Why in God's name... by Anonymous Coward · 2013-12-29 07:29 · Score: 0
  
  Because most of the people who use it are idiot children.
5. Re:Why in God's name... by Warhawke · 2013-12-29 11:56 · Score: 1
  
  They are deleted the same way that any normal OS deletes a photo -- removing the reference information from the drive header, thus marking the bits the data occupies as safe for rewriting. Until the bits are written over, the file remains intact. There's nothing at all disingenuous about stating the photos are deleted. Perhaps they aren't subject to a null-0 or random data string erasure, but the file is still, by all general computing definitions, deleted. Or do you think that pressing the delete key makes the file on your computer also disappear forever?
6. Re:Why in God's name... by mwvdlee · 2014-01-01 03:27 · Score: 1
  
  Except they're not deleted like in a filesystem either.
  According to GP's link, they merely get a ".nomedia" suffix, which stops Android from recognizing it. The file is still there, it takes up diskspace, is not going to be overwritten, they can be handled as normal files and renaming the files to remove the suffix restores it completely.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
7. Re:Why in God's name... by Warhawke · 2014-01-01 10:44 · Score: 1
  
  That may have been true several versions ago, but it isn't true now. Just tried a forensic analysis on my rooted device and it did not recover any .nomedia files (other than ones I had placed in there for other programs). Yes, the data still remains on the drive, but it functions the exact same way as deleting a file using a file manager. The reason forensic analysis is able to recover the data is not because it is readily accessible on the drive but because the actual file information persists on the disk. From the third-to-last paragraph of the article:
  
  The reality is that it is notoriously difficult to remove data from mobile devices simply because of the way data is stored using the 'wear levelling' technique. Since mobile devices are so regularly recycled for newer versions, this means that Snapchat photos that users believe no longer exist may be passed on to unknown third parties, and could be retrieved with forensic software.
LOL by Anonymous Coward · 2013-12-28 12:10 · Score: 0

But they're going to keep your info safe from the NSA!!! LOLOLOLOLOL!!!
Stupid fucking hipsters and brogrammers.
Assume every service is compromised by Anonymous Coward · 2013-12-28 12:11 · Score: 0

What do you do next, hotshot?
1. Re:Assume every service is compromised by Anonymous Coward · 2013-12-28 12:29 · Score: 0
  
  Shoot the hostage.
  
  Then Snapchat a pic of the corpse.
2. Re: Assume every service is compromised by Anonymous Coward · 2013-12-28 13:54 · Score: 0
  
  Write it myself.
Dumb people by DogDude · 2013-12-28 12:16 · Score: 2, Insightful

People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.

--
I don't respond to AC's.
1. Re:Dumb people by blue+trane · 2013-12-28 12:51 · Score: 1
  
  Yes, security through obscurity is the best way.
2. Re:Dumb people by DogDude · 2013-12-28 12:53 · Score: 1
  
  It works well for telephone numbers.
  
  --
  I don't respond to AC's.
3. Re:Dumb people by Anonymous Coward · 2013-12-28 12:54 · Score: 0
  
  A lot of similar apps don't explicitly state the fact they're using your phone number. Some might mention it's used in order to contact your friends, but your average user might not connect the dots. They might not be tech geniuses, but they're not purposely just handing out their numbers either.
4. Re:Dumb people by Anonymous Coward · 2013-12-28 14:05 · Score: 1
  
  You sure?
5. Re:Dumb people by vlueboy · 2013-12-28 14:32 · Score: 2
  
  People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.
  You really think it's their fault? Common sense has never been too strong when compared to status quo and people follow by lead. Thankfully, that helped us win some battles, in the past. After all, people now know about firefox and Ubuntu without being geeks themselves. Because they followed a geek trend that eventually became mainstream.
  But trends are exactly what all big and small companies are following now. You can't sign up to Yahoo, Hotmail or Gmail without being asked for a cellphone number. Since that is so normal, Facebook, Whatsapp and probably many others I haven't been asked to help with, are already making it a norm. My mother is mad that her FB App autofills her number on the login screen.
  Since it has become the norm to be asked, people sooner or later give in. Or didn't most of us realize that RealName started out just like this, and yet few non-geeks ever obfuscate it on their Facebook and G+ profiles?
  Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.
  Funny thought: Phone numbers are nothing --they're in the phonebook after all...
  a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.
6. Re:Dumb people by vlueboy · 2013-12-28 14:39 · Score: 1
  
  Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.
  Funny thought: Phone numbers are nothing --they're in the phonebook after all...
  a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.
  Replying to myself:
  We need to coin a new Godwin's type of law
  How quickly can we bring up NSA-like involvement in some random online thread?
  I dub thee "Snowden's Law"
7. Re:Dumb people by Anonymous Coward · 2013-12-28 18:44 · Score: 0
  
  Replying to myself: We need to coin a new Godwin's type of law How quickly can we bring up NSA-like involvement in some random online thread? I dub thee "Snowden's Law"
  Except, Hitler is dead. The NSA lives.
8. Re:Dumb people by aaronb1138 · 2013-12-28 23:24 · Score: 1
  
  Arguably, the NSA has hurt 5-7 orders of magnitude fewer innocents than Hitler.
  
  I would even venture to say that like proposed large scale E85 adoption in L.A., Snowden has likely caused more unwarranted innocent deaths (via stress; i.e. heart attacks and blood pressure, arguments, fear, paranoia) than the NSA has previously per any equal time period.
  
  Peeping toms (in the traditional sense) don't result in another person feeling genuinely raped. The Snowden/NSA is just public voyeurism about institutional voyeurism. One big circle jerk of the ignorant, where everyone gets off, but they all feel let down because that was the only way they could get off when they rather have a partner.
9. Re:Dumb people by PlusFiveTroll · 2013-12-29 04:45 · Score: 1
  
  I would venture to say that you cannot make any assumption from hidden information. The NSA holds almost all the information on what they have done and who they have given information to. You, on the other hand, don't know jack shit about what the NSA does, well other then monitoring most of the worlds communications. Therefore you are jerking it just as hard as everyone else in the circle.
10. Re:Dumb people by mwvdlee · 2014-01-01 03:29 · Score: 1
  
  Just like you giving out your email address to subscribe to Slashdot (which does not make you a customer), make you deserving of spam?
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Snapchat... Yeah... by Frosty+Piss · 2013-12-28 12:27 · Score: 0

OK, doesn't concern me.

--
If you want news from today, you have to come back tomorrow.
1. Re:Snapchat... Yeah... by Anonymous Coward · 2013-12-28 13:39 · Score: 0
  
  THANK GOODNESS.
  I was on edge all day today, wondering whether this concerned you.
  Now that I have my answer, I can reset easy tonight.
2. Re:Snapchat... Yeah... by Frosty+Piss · 2013-12-28 14:01 · Score: 2, Funny
  
  THANK GOODNESS.
  I was on edge all day today, wondering whether this concerned you.
  Now that I have my answer, I can reset easy tonight.
  You're welcome! I try! Sorry to stress you out, if only I had your phone number, I could keep you more up to date.
  
  --
  If you want news from today, you have to come back tomorrow.
3. Re:Snapchat... Yeah... by game+kid · 2013-12-28 14:52 · Score: 0
  
  Just make sure to save all documents and flush all cache to your disks before resetting.
  
  --
  You can hold down the "B" button for continuous firing.
867-5309 by Joe_Dragon · 2013-12-28 12:30 · Score: 1

just dial any area code.
1. Re:867-5309 by istartedi · 2013-12-28 14:30 · Score: 1
  
  I don't want to think too much about how many people on Slashdot will not get that reference.
  
  --
  For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
2. Re:867-5309 by Anonymous Coward · 2013-12-28 14:44 · Score: 0
  
  Funny thing is Tommy Two Tone is now a computer programmer. He may even read /. now!
3. Re:867-5309 by EETech1 · 2013-12-28 14:49 · Score: 1
  
  Jenny!!!
  Is that you?
4. Re:867-5309 by gmhowell · 2013-12-29 21:42 · Score: 1
  
  Sorry, you've got a wrong number; this is Stacy's Mom.
  
  --
  Jesus was all right but his disciples were thick and ordinary. -John Lennon
"due to an unresolved security vulnerability" by rmdingler · 2013-12-28 12:32 · Score: 1

Sure. In exactly the same fashion as unintended casualties are collateral damage.
This is verbiage of the initial Target press release. It sounds like my government talking to me.

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
1. Re:"due to an unresolved security vulnerability" by Nyder · 2013-12-28 12:33 · Score: 1
  
  Sure. In exactly the same fashion as unintended casualties are collateral damage.
  This is verbiage of the initial Target press release. It sounds like my government talking to me.
  They probably hired the same PR firm.
  
  --
  Be seeing you...
2. Re:"due to an unresolved security vulnerability" by rmdingler · 2013-12-28 13:21 · Score: 1
  
  Probably, unless they are now fungible....
  I love that term. Previously, I described the identical phenomenon with "Six of one or half a dozen".
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
Snapchat is right by murdocj · 2013-12-28 12:42 · Score: 1, Insightful

This is a non-issue.
Guess what, there are these big books that list names and the associated phone numbers.
1. Re:Snapchat is right by Anonymous Coward · 2013-12-28 12:46 · Score: 1
  
  What is a non-issue? That their claims of protecting your phone number isn't actually true? That seems to only be a "non-issue" if you're on their payroll.
2. Re:Snapchat is right by murdocj · 2013-12-28 12:50 · Score: 1
  
  You mean that you can use the snapchat feature to see if a particular phone number is associated with a snapchat user? It's not like someone is hacking into their database and extracting a list of users. The "hack" is doing an upload of every possible phone number and seeing if there are any hits.
3. Re:Snapchat is right by Anonymous Coward · 2013-12-28 13:03 · Score: 1
  
  Those books, do they also contain pink pictures of the persons behind the numbers? Where can I get them?
4. Re:Snapchat is right by murdocj · 2013-12-28 13:10 · Score: 1
  
  There are these things called facebook and google that pretty much can get you anything that anyone has stored on the system of tubes.
5. Re:Snapchat is right by Anonymous Coward · 2013-12-28 13:15 · Score: 0
  
  Yes, the things that people have publicly decided to share. Not things that they are told are not being shared with the public at large.
6. Re:Snapchat is right by Anonymous Coward · 2013-12-28 13:45 · Score: 0
  
  Heard of them. Would never store anything there. Have never input any information into any of them.
7. Re:Snapchat is right by Kalriath · 2013-12-30 08:35 · Score: 1
  
  ... in the same way as reading the entire phone book to see which numbers belong to people is a "vulnerability" in the telco industry.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Snapchat, phone numbers?! by Anonymous Coward · 2013-12-28 13:01 · Score: 0

Who the fuck would put their real phone number in to some random application like Snapchat?
Seriously... Dumb much?
It's funny to watch the "normals" go through the idiocy we geeks saw 30 years ago.
1. Re:Snapchat, phone numbers?! by masterofthumbs · 2014-01-01 04:47 · Score: 1
  
  Considering the application runs on your phone, it pulls the number from the phone automatically. You also need to log into the application using a username and password so the phone number isn't used for anything really affecting your login. The phone number is used to help anyone that has your phone number in their contacts to find you on snapchat. Unless you make your snapchat username the same as your real name, there is nothing tying some random collection of letters to your phone number other than this DB.
  Also, the previous exploit only worked if you knew a valid phone number that also happened to be a snapchat user.
It's OK by bigdavex · 2013-12-28 13:14 · Score: 3, Funny

But the phone numbers disappear after 10 seconds, right?

--
-Dave
Re:The Prison Niggers by Anonymous Coward · 2013-12-28 13:23 · Score: 0

How do you know that the parent isn't into big fat black hose up the ass?
Hmmm by wbr1 · 2013-12-28 14:02 · Score: 1

Snapchat downplays the significance of the hole.
Isn't that their entire business model? Encourage more people to show of their naughty bits, therefore "downplaying the significance of the hole."

--
Silence is a state of mime.
This is my shocked face by gelfling · 2013-12-28 14:15 · Score: 0

I am shocked, shocked I tell you.
Public service announcement by WOOFYGOOFY · 2013-12-28 14:31 · Score: 2

For some of the younger readers: snapchat can't actually guarantee that your photo is deleted, so don't send anything you don't want all over the web, as ever.
For instance, anyone you send your photo to could screen capture your photo before it disappears, then pass that screen capture around.
Someone could also be between you and your recipient and be capturing everything you send.
Just so you know.
1. Re:Public service announcement by CodeBuster · 2013-12-29 17:00 · Score: 1
  
  In fairness even many non-technical adults get this wrong. Because they don't understand how technology actually works they fail to understand that "privacy controls" don't actually control anything. This is true because the data, whether "deleted" or not, continues to exist in the company's databases which are likely copied and backed up in many places. As the parent said, if you gave it to them once they have it forever. It should also be remembered that when a company is bought or sold, the new owners might decide to sell the data or use it for affiliate marketing or for other purposes. Your data is their coin and once they have it they never give it back.
Article is Baloney by retroworks · 2013-12-28 14:40 · Score: 0

This "Gibson" firm got their name in the papers, for what? Because a hacker "may" be able to see phone numbers with a username attached. So what? Where I live they still print peoples names and phone numbers in the phone book, which is available at the public library. What exactly bad is going to happen when someone decides to hack Snapchat to obtain those phone numbers?

--
Gently reply
1. Re:Article is Baloney by Kalriath · 2013-12-30 08:38 · Score: 1
  
  The exploit according to Gibson is that Snapchat doesn't rate limit calls to "find_friends" to prevent massive automated brute force queries to get user details. In all fairness, considering the massive processing power behind Snapchat and the fact that your server is more likely to deplete its available resources before theirs (they're on Google App Engine apparently), there really should be rate limiting, even 1 request per second would make automated hammering non-viable.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Fake it by pubwvj · 2013-12-28 14:49 · Score: 4, Insightful

This is why I give out fake information. I have no reason to trust them so I give fake birthdays, fake phone numbers, fake addresses, fake names, what ever it takes. There is no reason to give them valid information. They are not to be trusted. You should pick and choose which information you want to give. Feel no obligation to answer a question truthfully just because some corporation asks you.
Obstificate.
1. Re:Fake it by Anonymous Coward · 2013-12-28 19:18 · Score: 0
  
  This is why I give out fake information. I have no reason to trust them so I give fake birthdays, fake phone numbers, fake addresses, fake names, what ever it takes. There is no reason to give them valid information. They are not to be trusted. You should pick and choose which information you want to give. Feel no obligation to answer a question truthfully just because some corporation asks you.
  Obstificate.
  Enjoy that while you can. I wouldn't be surprised with the attack on anonymity these days if actions like this aren't eventually deemed criminal.
  (FYI, I 110% agree with you, and have used these tactics myself)
2. Re:Fake it by qubezz · 2013-12-28 22:18 · Score: 1
  
  This is why snapchat was worth $3B to Yahoo, you install it on your phone, where it can vacuum up your real contacts and other data from your phone and send it along to the server. If you don't put in your real name, someone else has.
3. Re:Fake it by pubwvj · 2013-12-29 05:58 · Score: 1
  
  You are probably right so let's enjoy our right to lie while we can. Let lying dogs sleep. :)
Fret Not Possums by Anonymous Coward · 2013-12-28 18:19 · Score: 0

Thanks to the "Judge" its all legal and protected by US laws.
How sweet.
"exposed to HACKERS"" by Anonymous Coward · 2013-12-28 19:43 · Score: 1

But ONLY to "hackers", because they're like extraspecial and shit.
Phone Numbers are not private by Hey_Jude_Jesus · 2013-12-28 21:52 · Score: 1

We give them out to friends, family, retailers, employers and for thousand of other reasons. The same goes for an email address.
The Trailer Trash Crackers. Ain't Trolling Fun? by Anonymous Coward · 2013-12-29 01:02 · Score: 0

Beware,African American male. The Trailer Trash Crackers' elite hacking team can see the pictures you took of your clean, tight little black butthole -- and when that happens, they will destroy that cute little black butthole.
The Trailer Trash Crackers are the biggest and meanest prison gang in all parts of the US, mainly the deep south. I knew a scrawny, African American boy who took a lot of Snapchat pictures of his anus because he happened to have a girlfriend who had a fetish for the anuses of straight and dorky African American men.
And whoa, boy, once the Trailer Trash Crackers hacked that guy's Snapchat, it was like catnip to them. Not only did they want more, but they must have more, so they used their freedmen contacts on the outside to throw a potato-sack over the hapless little African American man, kidnapping him and gaping his poor lil' ol' rear end to Goatse proportions.
All that happened because a scrawny little white man thought he was smarter than the Prison Niggers, that the Snapchat "hack" was some nagging non-issue within his safe middle-class suburban house. Well, hoss, you got that all wrong now.
Yo momma so fat... by Anonymous Coward · 2013-12-29 01:25 · Score: 0

...Snapchat deleted her photo before it had finished downloading.
Don't need 75000 queries to identif 75000 accounts by fatphil · 2013-12-29 02:03 · Score: 1

Maybe only 17 queries are required. So even if they did to some kind of rate-limitting to prevent mass sucks of account names, they'd not stop the leak.

Number all the names you're interested in binary. If you have 75000 names, then the binary numbers will be 17 bits long. In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit. Store all the results. In the second query, do a lookup on all the 32768 contacts which have a set 15th bit, again, store those. In the third query, do a lookup on all the (16384+16384) contacts which have a set 14th bit, again store. After 17 queries, each contact will be returned in exactly the sets which correspond to the bits that are set in its binary number, but not the others. I.e. it will be uniquely identifiable.

Of course, the fix for the problem is for the doofera at snapchat to simply not return account names in the query, and this 4000x speedup will stop working as quickly as the original. However, anyone who's done a huge suck prior to that could leak it out, so it must be considered that your account name is known to everyone. Expect more targetted adverspamming...

--
Also FatPhil on SoylentNews, id 863
Snapchat users private parts exposed to hackers by JamieIanMacgregor · 2013-12-29 12:00 · Score: 1

who gives a crap about their phone numbers when their genitals are on display for the world to see.
Re:Don't need 75000 queries to identif 75000 accou by wonkey_monkey · 2014-01-04 07:28 · Score: 1

I'm entirely nonplussed by your post.

Don't need 75000 queries to identif 75000 accounts
What do you mean by "identify"?

Number all the names you're interested in binary.
Snapchat usernames? Or names of humans you suspect of having a snapchat account?

In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit.
What kind of lookup are you talking about?

--
systemd is Roko's Basilisk.
Re:Don't need 75000 queries to identif 75000 accou by wonkey_monkey · 2014-01-04 07:43 · Score: 1

Okay, after finding this (who the hell presents a security disclosure as a single PNG?!) I'll have another stab at what you're suggesting.
Suppose you have 75,000 phone numbers you want to try to link to snapchat accounts. Snapchat allows (or allowed) you to specify at least up to this amount of numbers in a single query - the only trouble is, it won't tell you which of the many results you receive is associated with which of the numbers you sent in the query.
By doing ~17 queries on subsets of the 75,000 numbers, you can associate the numbers with their snapchat accounts.
But couldn't you just send 75,000 single-number queries and get the associated accounts directly? That might be more queries but it would be a lot less data going back and forth.

--
systemd is Roko's Basilisk.