Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snapchat Users' Phone Numbers Exposed To Hackers

Posted by timothy on from the take-a-memo-it'll-last-longer dept.

beaverdownunder writes with an extract from The Guardian, based on a security diclosure from Gibson Security: "Snapchat users' phone numbers may be exposed to hackers due to an unresolved security vulnerability, according to a new report released by a group of Australian hackers. Snapchat is a social media program that allows users to send pictures to each other that disappear within 10 seconds. Users can create profiles with detailed personal information and add friends that can view the photos a user shares. But Gibson Security, a group of anonymous hackers from Australia, has published a new report with detailed coding that they say shows how a vulnerability can be exploited to reveal phone numbers of users, as well as their privacy settings." Snapchat downplays the significance of the hole.

43 of 69 comments (clear)

  1. Re:Why in God's name... by mstra · · Score: 4, Informative

    Not defending it, but the way Snapchat works is that you find your "friends" based on their phone number. Not amazingly brilliant, but that's why.

    --
    Photography, technology, and my dog Scout - http://mattstratton.com
  2. Dumb people by DogDude · · Score: 2, Insightful

    People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.

    --
    I don't respond to AC's.
    1. Re:Dumb people by blue+trane · · Score: 1

      Yes, security through obscurity is the best way.

    2. Re:Dumb people by DogDude · · Score: 1

      It works well for telephone numbers.

      --
      I don't respond to AC's.
    3. Re:Dumb people by Anonymous Coward · · Score: 1

      You sure?

    4. Re:Dumb people by vlueboy · · Score: 2

      People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.

      You really think it's their fault? Common sense has never been too strong when compared to status quo and people follow by lead. Thankfully, that helped us win some battles, in the past. After all, people now know about firefox and Ubuntu without being geeks themselves. Because they followed a geek trend that eventually became mainstream.

      But trends are exactly what all big and small companies are following now. You can't sign up to Yahoo, Hotmail or Gmail without being asked for a cellphone number. Since that is so normal, Facebook, Whatsapp and probably many others I haven't been asked to help with, are already making it a norm. My mother is mad that her FB App autofills her number on the login screen.

      Since it has become the norm to be asked, people sooner or later give in. Or didn't most of us realize that RealName started out just like this, and yet few non-geeks ever obfuscate it on their Facebook and G+ profiles?
      Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.

      Funny thought: Phone numbers are nothing --they're in the phonebook after all...
      a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.

    5. Re:Dumb people by vlueboy · · Score: 1

      Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.

      Funny thought: Phone numbers are nothing --they're in the phonebook after all...
      a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.

      Replying to myself:
      We need to coin a new Godwin's type of law
      How quickly can we bring up NSA-like involvement in some random online thread?
      I dub thee "Snowden's Law"

    6. Re:Dumb people by aaronb1138 · · Score: 1

      Arguably, the NSA has hurt 5-7 orders of magnitude fewer innocents than Hitler.

      I would even venture to say that like proposed large scale E85 adoption in L.A., Snowden has likely caused more unwarranted innocent deaths (via stress; i.e. heart attacks and blood pressure, arguments, fear, paranoia) than the NSA has previously per any equal time period.

      Peeping toms (in the traditional sense) don't result in another person feeling genuinely raped. The Snowden/NSA is just public voyeurism about institutional voyeurism. One big circle jerk of the ignorant, where everyone gets off, but they all feel let down because that was the only way they could get off when they rather have a partner.

    7. Re:Dumb people by PlusFiveTroll · · Score: 1

      I would venture to say that you cannot make any assumption from hidden information. The NSA holds almost all the information on what they have done and who they have given information to. You, on the other hand, don't know jack shit about what the NSA does, well other then monitoring most of the worlds communications. Therefore you are jerking it just as hard as everyone else in the circle.

    8. Re:Dumb people by mwvdlee · · Score: 1

      Just like you giving out your email address to subscribe to Slashdot (which does not make you a customer), make you deserving of spam?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. 867-5309 by Joe_Dragon · · Score: 1

    just dial any area code.

    1. Re:867-5309 by istartedi · · Score: 1

      I don't want to think too much about how many people on Slashdot will not get that reference.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    2. Re:867-5309 by EETech1 · · Score: 1

      Jenny!!!

      Is that you?

    3. Re:867-5309 by gmhowell · · Score: 1

      Sorry, you've got a wrong number; this is Stacy's Mom.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  4. "due to an unresolved security vulnerability" by rmdingler · · Score: 1
    Sure. In exactly the same fashion as unintended casualties are collateral damage.

    This is verbiage of the initial Target press release. It sounds like my government talking to me.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:"due to an unresolved security vulnerability" by Nyder · · Score: 1

      Sure. In exactly the same fashion as unintended casualties are collateral damage.

      This is verbiage of the initial Target press release. It sounds like my government talking to me.

      They probably hired the same PR firm.

      --
      Be seeing you...
    2. Re:"due to an unresolved security vulnerability" by rmdingler · · Score: 1
      Probably, unless they are now fungible....

      I love that term. Previously, I described the identical phenomenon with "Six of one or half a dozen".

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  5. Re:Why in God's name... by Anonymous Coward · · Score: 3, Interesting

    Especially when they basically have lied about the photos being deleted.

  6. Snapchat is right by murdocj · · Score: 1, Insightful

    This is a non-issue.
    Guess what, there are these big books that list names and the associated phone numbers.

    1. Re:Snapchat is right by Anonymous Coward · · Score: 1

      What is a non-issue? That their claims of protecting your phone number isn't actually true? That seems to only be a "non-issue" if you're on their payroll.

    2. Re:Snapchat is right by murdocj · · Score: 1

      You mean that you can use the snapchat feature to see if a particular phone number is associated with a snapchat user? It's not like someone is hacking into their database and extracting a list of users. The "hack" is doing an upload of every possible phone number and seeing if there are any hits.

    3. Re:Snapchat is right by Anonymous Coward · · Score: 1

      Those books, do they also contain pink pictures of the persons behind the numbers? Where can I get them?

    4. Re:Snapchat is right by murdocj · · Score: 1

      There are these things called facebook and google that pretty much can get you anything that anyone has stored on the system of tubes.

    5. Re:Snapchat is right by Kalriath · · Score: 1

      ... in the same way as reading the entire phone book to see which numbers belong to people is a "vulnerability" in the telco industry.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  7. It's OK by bigdavex · · Score: 3, Funny

    But the phone numbers disappear after 10 seconds, right?

    --
    -Dave
  8. Re:Snapchat... Yeah... by Frosty+Piss · · Score: 2, Funny

    THANK GOODNESS.

    I was on edge all day today, wondering whether this concerned you.

    Now that I have my answer, I can reset easy tonight.

    You're welcome! I try! Sorry to stress you out, if only I had your phone number, I could keep you more up to date.

    --
    If you want news from today, you have to come back tomorrow.
  9. Hmmm by wbr1 · · Score: 1

    Snapchat downplays the significance of the hole.

    Isn't that their entire business model? Encourage more people to show of their naughty bits, therefore "downplaying the significance of the hole."

    --
    Silence is a state of mime.
  10. Public service announcement by WOOFYGOOFY · · Score: 2

    For some of the younger readers: snapchat can't actually guarantee that your photo is deleted, so don't send anything you don't want all over the web, as ever.

    For instance, anyone you send your photo to could screen capture your photo before it disappears, then pass that screen capture around.

    Someone could also be between you and your recipient and be capturing everything you send.

    Just so you know.

    1. Re:Public service announcement by CodeBuster · · Score: 1

      In fairness even many non-technical adults get this wrong. Because they don't understand how technology actually works they fail to understand that "privacy controls" don't actually control anything. This is true because the data, whether "deleted" or not, continues to exist in the company's databases which are likely copied and backed up in many places. As the parent said, if you gave it to them once they have it forever. It should also be remembered that when a company is bought or sold, the new owners might decide to sell the data or use it for affiliate marketing or for other purposes. Your data is their coin and once they have it they never give it back.

  11. Fake it by pubwvj · · Score: 4, Insightful

    This is why I give out fake information. I have no reason to trust them so I give fake birthdays, fake phone numbers, fake addresses, fake names, what ever it takes. There is no reason to give them valid information. They are not to be trusted. You should pick and choose which information you want to give. Feel no obligation to answer a question truthfully just because some corporation asks you.

    Obstificate.

    1. Re:Fake it by qubezz · · Score: 1

      This is why snapchat was worth $3B to Yahoo, you install it on your phone, where it can vacuum up your real contacts and other data from your phone and send it along to the server. If you don't put in your real name, someone else has.

    2. Re:Fake it by pubwvj · · Score: 1

      You are probably right so let's enjoy our right to lie while we can. Let lying dogs sleep. :)

  12. "exposed to HACKERS"" by Anonymous Coward · · Score: 1

    But ONLY to "hackers", because they're like extraspecial and shit.

  13. Phone Numbers are not private by Hey_Jude_Jesus · · Score: 1

    We give them out to friends, family, retailers, employers and for thousand of other reasons. The same goes for an email address.

  14. Don't need 75000 queries to identif 75000 accounts by fatphil · · Score: 1

    Maybe only 17 queries are required. So even if they did to some kind of rate-limitting to prevent mass sucks of account names, they'd not stop the leak.

    Number all the names you're interested in binary. If you have 75000 names, then the binary numbers will be 17 bits long. In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit. Store all the results. In the second query, do a lookup on all the 32768 contacts which have a set 15th bit, again, store those. In the third query, do a lookup on all the (16384+16384) contacts which have a set 14th bit, again store. After 17 queries, each contact will be returned in exactly the sets which correspond to the bits that are set in its binary number, but not the others. I.e. it will be uniquely identifiable.

    Of course, the fix for the problem is for the doofera at snapchat to simply not return account names in the query, and this 4000x speedup will stop working as quickly as the original. However, anyone who's done a huge suck prior to that could leak it out, so it must be considered that your account name is known to everyone. Expect more targetted adverspamming...

    --
    Also FatPhil on SoylentNews, id 863
  15. Re:Why in God's name... by Warhawke · · Score: 1

    They are deleted the same way that any normal OS deletes a photo -- removing the reference information from the drive header, thus marking the bits the data occupies as safe for rewriting. Until the bits are written over, the file remains intact. There's nothing at all disingenuous about stating the photos are deleted. Perhaps they aren't subject to a null-0 or random data string erasure, but the file is still, by all general computing definitions, deleted. Or do you think that pressing the delete key makes the file on your computer also disappear forever?

  16. Snapchat users private parts exposed to hackers by JamieIanMacgregor · · Score: 1

    who gives a crap about their phone numbers when their genitals are on display for the world to see.

  17. Re:Article is Baloney by Kalriath · · Score: 1

    The exploit according to Gibson is that Snapchat doesn't rate limit calls to "find_friends" to prevent massive automated brute force queries to get user details. In all fairness, considering the massive processing power behind Snapchat and the fact that your server is more likely to deplete its available resources before theirs (they're on Google App Engine apparently), there really should be rate limiting, even 1 request per second would make automated hammering non-viable.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  18. Re:Why in God's name... by mwvdlee · · Score: 1

    Except they're not deleted like in a filesystem either.

    According to GP's link, they merely get a ".nomedia" suffix, which stops Android from recognizing it. The file is still there, it takes up diskspace, is not going to be overwritten, they can be handled as normal files and renaming the files to remove the suffix restores it completely.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  19. Re:Snapchat, phone numbers?! by masterofthumbs · · Score: 1

    Considering the application runs on your phone, it pulls the number from the phone automatically. You also need to log into the application using a username and password so the phone number isn't used for anything really affecting your login. The phone number is used to help anyone that has your phone number in their contacts to find you on snapchat. Unless you make your snapchat username the same as your real name, there is nothing tying some random collection of letters to your phone number other than this DB.

    Also, the previous exploit only worked if you knew a valid phone number that also happened to be a snapchat user.

  20. Re:Why in God's name... by Warhawke · · Score: 1
    That may have been true several versions ago, but it isn't true now. Just tried a forensic analysis on my rooted device and it did not recover any .nomedia files (other than ones I had placed in there for other programs). Yes, the data still remains on the drive, but it functions the exact same way as deleting a file using a file manager. The reason forensic analysis is able to recover the data is not because it is readily accessible on the drive but because the actual file information persists on the disk. From the third-to-last paragraph of the article:

    The reality is that it is notoriously difficult to remove data from mobile devices simply because of the way data is stored using the 'wear levelling' technique. Since mobile devices are so regularly recycled for newer versions, this means that Snapchat photos that users believe no longer exist may be passed on to unknown third parties, and could be retrieved with forensic software.

  21. Re:Don't need 75000 queries to identif 75000 accou by wonkey_monkey · · Score: 1

    I'm entirely nonplussed by your post.

    Don't need 75000 queries to identif 75000 accounts

    What do you mean by "identify"?

    Number all the names you're interested in binary.

    Snapchat usernames? Or names of humans you suspect of having a snapchat account?

    In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit.

    What kind of lookup are you talking about?

    --
    systemd is Roko's Basilisk.
  22. Re:Don't need 75000 queries to identif 75000 accou by wonkey_monkey · · Score: 1

    Okay, after finding this (who the hell presents a security disclosure as a single PNG?!) I'll have another stab at what you're suggesting.

    Suppose you have 75,000 phone numbers you want to try to link to snapchat accounts. Snapchat allows (or allowed) you to specify at least up to this amount of numbers in a single query - the only trouble is, it won't tell you which of the many results you receive is associated with which of the numbers you sent in the query.

    By doing ~17 queries on subsets of the 75,000 numbers, you can associate the numbers with their snapchat accounts.

    But couldn't you just send 75,000 single-number queries and get the associated accounts directly? That might be more queries but it would be a lot less data going back and forth.

    --
    systemd is Roko's Basilisk.