Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snapchat Update Addresses Security Hole

Posted by timothy on from the you've-got-mail dept.

Snapchat has released an update to address the security problems exposed recently by Gibson Security and subsequently (and quickly) exploited. From the article: "Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."

36 of 58 comments (clear)

  1. Big lesson by Anonymous Coward · · Score: 5, Informative

    Pity that it took such a brutal action by GRC to change this companies point of view.

    1. Re: Big lesson by Anonymous Coward · · Score: 4, Funny

      They should have taken the $3 billion when they had the chance. These aren't real business people, they're techies who are holding on to a hot property. They need to know when to let the professionals start running things so they can turn it into a viable company.

    2. Re:Big lesson by Anonymous Coward · · Score: 1

      GRC (Gibson Research Corporation) is different from Gibson Security, which seems to be an anonymous group.

    3. Re: Big lesson by DarkOx · · Score: 3, Insightful

      You mean the business people who usually buy these "tech firms" for a billions and sell them a few years later for millions as is the usually pattern, those business people?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re: Big lesson by MrBingoBoingo · · Score: 2

      Well, the big problem here is how his CEOness handled the aftermath. This everything is everyone else's fault mentality he has is going to keep him from ever getting that three billion dollars. I mean when asked if it would kill him to take one iota of responsibility he answered "Yes".

    5. Re:Big lesson by not_a_bot · · Score: 1

      I'm not sure they actually learned anything. If you look at the language "We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service ". It seems clear that they keep the public position that it is the researchers' fault for finding the holes and making Snapchat look like amateurs.

  2. NSA email by Anonymous Coward · · Score: 5, Funny

    To: security@snapchat.com
    From: NSAops@langly.gov

    Subject: Latest Snapchat security update

    We were using that you bastards!

    1. Re:NSA email by Anonymous Coward · · Score: 1
      To: NSAops@langly.gov
      From: security@snapchat.com

      Sorry, had to for PR reasons. Another new version with new deniable hole will be released shortly. Details will be reported as usual.

    2. Re:NSA email by Calydor · · Score: 1

      Isn't it 'Langley'?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    3. Re:NSA email by TheP4st · · Score: 2

      Isn't it 'Langley'?

      As far as I know it's neither. Langley, Virginia is where the CIA HQ are located while NSA have their HQ in Fort Meade, Maryland.

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    4. Re:NSA email by Fnord666 · · Score: 1

      Given what we have seen so far there are probably so many weaknesses in this application that the NSA barely even noticed the loss of this one. Since it didn't give them access to the content it was a minor exploit at best. A more likely response is:

      To: security@snapchat.com
      From: NSAops@nsa.gov

      Subject: Latest Snapchat security update

      Thanks for not really taking this seriously and just saying that you'll pay more attention next time when someone tells you that you have a issue. We were concerned that you might go back and find the really serious exploits we are using to capture all of the content that flows through your system. No worries then.

      Thanks.

      A Concerned NSA Analyst

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  3. Caveat by StikyPad · · Score: 5, Funny

    ...adding that emails sent to that address would be deleted after 10 seconds.

    --
    https://www.eff.org/https-everywhere
    1. Re:Caveat by martin-boundary · · Score: 1

      However, in a statement the company said it listens to customers and announced that all the reported security bugs and suggestions would be fixed and implemented in the next revision of the software - using self modifying code that overwrites itself with random bits after 10 seconds.

    2. Re:Caveat by Anonymous Coward · · Score: 1

      My friend used to be "abuse@microsoft.com", she was the only one who would bother to actually read and answer complaints. It was a thankless job, one that saved Microsoft many thousands if not millions of dollars by revealing some real snakepits before they became embarrassing, and detecting major spam senders early before they could DDOS the core mail servers. But lord, it wasn't pretty.

  4. Still one of the stupidest things of 2013. by Anonymous Coward · · Score: 4, Insightful

    Turning down 3 billion. Just months before a giant security leak that makes gobs of people leave their service...

    Could have all been sitting on a beach somewhere warm and toasty reading about someone elses giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...

    Something tells me they won't be getting another offer in the billions.

    1. Re:Still one of the stupidest things of 2013. by pspahn · · Score: 1

      They said the same thing at the Alamo. Or was it an Isotopes game? Pfft. Either way, the sentiment is the same ... wait, who is Snapchat?

      --
      Someone flopped a steamer in the gene pool.
    2. Re:Still one of the stupidest things of 2013. by Anonymous Coward · · Score: 1

      Could have all been sitting on a beach somewhere warm and toasty reading about someone elses giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...

      Would have been me, but then, the problem is that people like us who think like this are usually not the ones who make it big to begin with. It is the people who are so driven, so willing to risk and gamble everything, who are not looking for a luxury beach life out but want to continue to spend 20 hour days working even more on their project, to take it even further, even bigger, even after they could score and settle... sigh..

    3. Re:Still one of the stupidest things of 2013. by Anonymous Coward · · Score: 1

      I could see doing so for something unique and special and most of all... important.

      but this is a chat program. a messenger program. Dime a dozen. one of many. just a few days ago we saw here on slashdot a list of other 'delete the message' programs to replace snapchat.

      All they really had going for them was popularity. A fad. They are not special. Not unique. And now their popularity is severely damaged. The fad may die and they will be left with nothing.

      That was a foolish thing to be driven for when offered 3 billion dollars for it.

      I sure wouldn't have taken that gamble. Smile and take the money and now you have the means to create something truely unique, special and important.

      Sure money maybe won't buy happiness. But no money won't either. And B... Billion. that's more money than most people will ever see. Tick that off your life requirements box. Money? Check. Got that. Would free up alot of time and resources to get onto what you truely want.

      Does not bode well for this company. Security problems. Yup. Turned down 3 billion? Damm.... How stupid are these guys?

    4. Re:Still one of the stupidest things of 2013. by cbhacking · · Score: 5, Insightful

      Don't be too sure of that. Purchasers routinely hire security experts to review the security of major acquisitions prior to the buy-out, with various stipulations in the agreement as to what types of findings will be the responsibility of which party. Such a review would likely have found the issue before it was announced publicly.

      So few companies are smart enough to bring in security experts *before* they need them.

      --
      There's no place I could be, since I've found Serenity...
    5. Re:Still one of the stupidest things of 2013. by Chemisor · · Score: 1

      > Turning down 3 billion just months before a giant security leak

      Coincidence?

    6. Re:Still one of the stupidest things of 2013. by Antique+Geekmeister · · Score: 1

      No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost. So it's very rare in the early "get market growth first before someone else can outgrow us and capture the market" phase.

      My work is often with slightly more mature environments, where people will be working there next year or 5 years from now, and don't want to suffer exactly this kind of disaster. So I get to see a lot of the cost of cleaning up and re-educating personnel about the risks of this kind of carelessness.

    7. Re:Still one of the stupidest things of 2013. by Fnord666 · · Score: 1

      No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost. So it's very rare in the early "get market growth first before someone else can outgrow us and capture the market" phase.

      I agree, but the rapid development life-cycle is not solely responsible. Even in this day and age, most developers still don't have a good working knowledge of application security. I feel like this is a systemic issue with the education process. Across the teaching spectrum from post-secondary education to "teach yourself" books to boot camp instruction, application security is barely given a mention. Most of the developers that I have hired that did know something about it came from larger development shops that taught application security in house, sent their developers to additional training or they learned it from their mentor. At least with a basic understanding of application security you have a second "hat" that you can put on and look at the application design from a different perspective. You have to be able to look at your application and ask yourself how you could exploit or break it. If you can't, hire or contract someone who can.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  5. regression communications by Anonymous Coward · · Score: 1

    this is what i look like on POT (Personal Open Terminal); (;^)-)=| so looks don't matter either

  6. Too bad its news... by akozakie · · Score: 1

    Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

    Anyway, I'm more and more convinced that keeping a successful product, taking responsibility for it and developing it further might be The Right Thing (for the customers and the code), but is not the right business strategy. If your product becomes successful enough to prompt a giga$ offer - sell. Immediately. If you really want to keep working on it, insist on keeping some technical management position (you won't have full control anymore anyway).

    1. Re:Too bad its news... by Desler · · Score: 1

      Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

      What was a correct response? That they initially claimed this wasn't an issue and blew it off?

      Snapchat hadn’t provided a public statement until now, and what it’s offered isn’t very satisfying. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.” It goes on to note it’s added more barriers to the use of this hack.

      Looks like it was not as "theoretical" as they claimed.

    2. Re:Too bad its news... by Desler · · Score: 1

      And to add to my previous post, Gibson Security informed them of this hole in August and were ignored. In what way is waiting more than 4 months, letting exploit code be posted and user data be leaked before you actually do something a "correct response"?

    3. Re:Too bad its news... by Fnord666 · · Score: 1

      Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

      It was not the correct response. They just "hand waved" it off when they were informed of the issue, basically saying that they knew better than the researches that found the exploit. Turns out that they were wrong and paid the price.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    4. Re:Too bad its news... by akozakie · · Score: 1

      Was my previous post so hard to understand?

      Today's summary describes a correct response. I asked why stuff like this must be news, when it should, but clearly isn't, business as usual. How can "please inform us about any security problems here: x@y.z" possibly be newsworthy, not standard procedure since early beta? They could have handled the situation like this from the start. Unfortunately most young web/cloud companies do not care about security at all (heh, as if older ones were much better...) and do not react properly even if informed.

      So:

      In what way is waiting (...) before you actually do something a "correct response"?

      In no way at all and the post you just replied to never claimed otherwise.

      Why so angry? Or am I reading too much between the lines?

    5. Re:Too bad its news... by akozakie · · Score: 1

      One more unrelated thing:

      Unfortunately most young web/cloud companies do not care about security at all

      This actually isn't nearly a stupid as it sounds, at least for anything "social". Your users tend to be young and careless or just generally not very privacy and security conscious. With a bit of luck noone will attack you for a while (until you're really big). If you can show quick growth during that time, you should be able to get a huge offer and sell out before any significant attacks happen, making security 100% SEP. Money spent on fixing vulnerabilities is money wasted in this plan - caveat emptor.

      The surprising thing is that in this case it worked perfectly as described... but they didn't take the offer. Mindboggling. Sure, they could hold on to it and keep going, but if that was their plan, then they really should have thought about security and privacy from the start.

    6. Re:Too bad its news... by akozakie · · Score: 1

      See my response to Desler's second response. I was referring to today's news, not their initial response. It is a correct response and exactly what they should have done initially.

      Dang, seems my post was really misleading...

    7. Re:Too bad its news... by Desler · · Score: 2

      I'm not angry. Also, only doing anything after being exploited is not a correct response. Especially after handwaving the issue away by claiming the attack was only theoretical.

    8. Re:Too bad its news... by akozakie · · Score: 1

      One more observation: once actually hit and forced to react by the PR consequences they react quickly and properly. This shows that they were never incompetent about this. They knew from the start how to handle the issue properly. They just didn't give a [CENSORED].

      Maybe I'm wrong, but this looks a bit hopeless from the PR side. They had a good run and failed to earn from it. Oops.

  7. E-mail is not the best way by Anonymous Coward · · Score: 1

    Evidently, If one cares about improving security quickly, spreading user data all over the web is the best way to let them know.

  8. Oh sure by Fnord666 · · Score: 1

    "Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."

    I think it's a little too late to be closing the barn door now. The horses are all long gone. They had a major security breach and their chances of a sale or IPO have gone swirling down the toilet. The top Google search results will return news of this hack for years to come.

    Unfortunately in this day and age of web application development the security aspects of many projects seem to be an afterthought if they are considered at all. Personally I hope that they and other developers learn from this and begin being more proactive in their security considerations, but I doubt it.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  9. Re:Amateurish by __aaltlg1547 · · Score: 1

    And it would be just great if the company didn't provide a way for the public to contact their security staff, right?

  10. Visualization by justinvf · · Score: 1

    On the other hang, this was fun data to play with! http://algorithmshop.com/20140102-snapchat-leak.html#8683539695368214636