Following news that as many as 4.6 million usernames and phone numbers were captured on its site and posted on the Web, social video company Snapchat said late Thursday it will release a new version of the vulnerable app. The company’s response to the breach raises more questions about how prepared businesses are to deal with such leakages of their confidential info, which are becoming more common.
The company has come under heavy criticism for its relatively slow response to addressing the problem, especially since the security group that discovered the flaw, Sydney, Australia-based Gibson Security, first reported it in August. A follow-up warning was published on Christmas Eve. Some of the criticism has been directed at Snapchat’s lack of apology for ignoring the warnings.
In its initial announcement in August, Gibson Security noted that the data obtained from the Snapchat vulnerability “could hypothetically be used to stalk” users, or it could be sold to companies that use the data in conjunction with other databases to create a more complete confidential data profile of users.
Encouraging Users to Find Friends
In a posting Thursday on its official blog, Snapchat noted that it first implemented Find Friends in the early days of the company, in order to encourage people to find other friends using the service. With the optional Find Friends, a user can enter a phone number into a profile, allowing offline friends to find the Snapchat username through the number.
Last Friday, Snapchat acknowledged the vulnerability that Global Security had highlighted. An attacker could upload a large number of random phone numbers, such as from a phone book, and then acquire large numbers of matching Snapchat usernames.
That’s exactly what happened on New Year's Eve, when a hacker or a group calling itself SnapchatDB! posted a database of phone numbers, usernames and the users’ regions. Snapchat said no other data was compromised. The hacker was apparently trying to operate at least partially in “white hat” warning mode, blocking out the last two digits of each phone number. But the posted database also contains the offer for anyone to submit an email to request the unredacted phone numbers, which would be considered “under certain circumstances.”
‘Reluctant at Patching the Exploit’
The information, SnapchatDB! said on the site, “is being shared with the public to raise awareness on the issue.” It added that Snapchat was “too reluctant at patching the exploit until they knew it was too late.” Gibson Security has said it has no connection to the hackers, and the company has criticized the posting of the user data. Gibson has also published a tool on its site so that users can find out if they’re in the purloined database.
As SnapchatDB! has pointed out, people tend to employ the same usernames on various sites, so the usernames could probably be found on Facebook, Twitter or elsewhere as well.
In its posting Thursday, Snapchat said it will be releasing an updated version of Find Friends that allows “Snapchatters to opt out of appearing in Find Friends after they have verified their phone number," and there will now be improvements to “rate limiting and other restrictions to address future attempts to abuse our service.”
The Underside of BYOD
Rate limiting sets limits to the numbers of usernames that can be obtained through this feature. The other restrictions are unspecified, and the timetable for the fixes was not announced. Additionally, the company posted an email address for security experts to post any newly discovered vulnerabilities.
Snapchat’s adventures in security issues follows the recent hacking of Microsoft ’s Skype and the information theft of millions of credit cards from Target. While Snapchat is exclusively a consumer app, the age of bring-your-own-device (BYOD) could mean that consumer security issues are business security issues as well.
Charles King, an analyst with industry research film Pund-IT, told us that Snapchat-like vulnerabilities are the underside of the BYOD proposition -- that companies “allow employees to use the tools they want to,” in order to be “maximally productive.”
But that means the consumer or business tools are vulnerable. King said that if he ran an IT department, he “certainly would” be concerned about this issue, but that aside from educating employees about the vulnerabilities and cautioning them to be aware, the only long-term solution might be implementing separate business and personal workspaces on mobile devices, such as the solutions Blackberry and VMware offer.