Snapchat: Sorry for Snap Spam

by Scott Martin, USA TODAY


(Photo: Jefferson Graham, USA TODAY)

SAN FRANCISCO — Snapchat has issued another mea culpa to users of the popular messaging service.

Venice Beach, Calif.-based Snapchat on Monday said it had received complaints over the weekend of a jump in Snap Spam on its service, which allows people to send disappearing photo and video messages.

“We want to apologize for any unwanted Snaps and let you know our team is working on resolving the issue,” said Snapchat in a company blog post.

Last week, Snapchat issued updates to its service to address privacy concerns and apologized for a recent data breach. Snapchat’s app had a known vulnerability that allowed hackers to obtain a reported 4.6 million user names and phone numbers, posted to an online database.

Hackers had discovered a privacy hole in its Find Friends feature, which allows people to upload contact lists to Snapchat, including phone numbers.

The startup said that the Find Friends data exposure doesn’t appear to be the cause of the increase in spam.

“As far as we know, this is unrelated to the Find Friends issue we experienced over the holidays,” Snapchat said in the post.

full story: http://www.usatoday.com/story/tech/2014/01/13/snapchat-sorry-for-snap-spam/4459037/


Snapchat responds to privacy scares by letting users unlink their phone number

BY JON FINGAS


Snapchat has just taken its first steps toward addressing the exploits that led to a leak of 4.6 million phone numbers late last year. Updates to its Android and iOS apps now let you opt out of linking your phone number to your username, preventing others from easily finding you. The company is also reducing the chances for abuse by requiring that you verify your phone number when using Find Friends. They’re not perfect remedies by any means — we’re sure that some would prefer that phone number use is opt-in rather than opt-out, for instance. Snapchat says it’s working on more improvements, though, so it’s at least aware that there’s more work to do before its users can truly feel at ease.

SOURCE: Snapchat Blog, App Store, Google Play

full story: http://www.engadget.com/2014/01/09/snapchat-responds-to-privacy-scares/

Why hackers want your phone number

Lessons from the data breach at Snapchat

By Quentin Fottrell

Though most people wouldn’t give their phone number to a stranger on the street, they’re happy to share their digits with Google, Facebook, and other sites. But as millions of young Snapchat users just learned, phone numbers are valuable information to hackers.

On Wednesday, Snapchat became the first company to have its data hacked in 2014 when 4.6 million account usernames and partial phone numbers were posted online as a warning to those using the photo messaging service. “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” the alleged hackers told tech site TheVerge.com. A spokeswoman for Snapchat declined to comment, but the company released a blog post saying it’s added counter-measures “to combat spam and abuse.”

Consumers should be wary about sharing their mobile numbers, security experts say. “Phone numbers are unique identifiers that tend to last for a long time,” says Michael Fertik, CEO at Reputation.com, a site that helps consumers protect their privacy online. “You change your phone number much less often than your IP address and probably even your home address.” While Snapchat users have fake usernames, many people use the same I.D. across a range of social networks, says Graham Cluley, a U.K. security blogger and technology consultant. “Use a different user I.D. than the one you use publicly on Facebook and Twitter,” he says. What’s more, typing just a mobile number into Facebook will reveal the profiles of the owner if he or she added it to their account information.

Snapchat’s alleged data breach is also a misstep for a company founded on the principle of preserving your online anonymity. Launched in September 2011, social networkers can send “Snaps”—photos or videos—that last between 1 and 10 seconds, depending on the time limit set by the sender. The service—which reportedly spurned a $3 billion offer from Facebook last November—has over 100 million users and shares 400 million snaps daily. “It’s embarrassing for Snapchat,” Cluley says, but could be more embarrassing for its users. After all, photos can be saved by recipients who “screen-grab” them in time. “These photos and mobile numbers could potentially be used for cyber-bullying and blackmail,” he says, especially if they’re connected to a real name.

Hackers can also fake a caller I.D. by using your number to sidestep a security step, says Bo Holland, founder and CEO of AllClear ID, an identity protection firm. Even without a real name, however, consumers can be spammed with text messages—known as “smishing”—asking people to click on links that contain malware—a virus that can retrieve data stored there: photos, contact lists, emails and passwords. “Phone numbers are a building block for hackers,” says Adam Levin, co-founder of online security company Identity Theft 911. Some 37.3 million Internet users faced phishing attacks in 2013, an 87% rise over the last three years, according to a survey from online security company Kaspersky Lab. “Smartphones are not just communication devices,” Levin says. “They are data storage devices.”

So why do companies want your mobile number? “It’s a necessary and useful part of e-commerce,” Fertik says, “but you should not give it without a specific reason.” For those waiting for a package or taking a flight, for example, it helps to receive a text message about delays. Plus, mobile numbers can be a useful second factor for authentication, says e-commerce consultant Bryan Eisenberg. Step 1: input your username and password to your email, social networking or bank account. Step 2: receive a text message to validate any changes. This can also be done with a secondary email address or Google Voice number that redirects calls and texts to your cell; for that reason, Eisenberg has given his mobile number to Google, but hasn’t given it to Facebook. He doesn’t have a Snapchat account.

full story: http://www.marketwatch.com/story/why-hackers-want-your-phone-number-2014-01-03


Snapchat Says It’s Improving Its App, Service To Prevent Future User Data Leaks

by (@panzer)

Snapchat has released an official post about the recent leak of 4.6M usernames and phone numbers from its servers. The post blames the leak on what it says was ‘abuse’ of its API, but acknowledges that the way it stores the information made it possible for a database of numbers to be used to sniff out usernames and match them up.

Changes will be made to both Snapchat’s apps and the service in order to prevent future leaks including being able to opt out of the Find Friends feature that uses phone numbers.

Snapchat says that it was notified of the possible security risk (publicly) in August and took some steps to correct it including limiting the speed at which its API could be queried. In what is one of the most cringe-worthy security moves in recent memory, Snapchat posted a response late last month to claims of risk that outlined just how a hacker might be able to match usernames to phone numbers.

In the post, they said “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”

That is exactly what the group behind the leaked SnapchatDB.info database says that they did. The result was a trove of 4.6M Snapchat accounts matched up with usernames and phone numbers.

Despite partially redacted phone numbers and usernames, matched conveniently in an online repository, Snapchat says that “no other information, including Snaps, was leaked or accessed in these attacks.”

Notably, Snapchat’s public response to this hacking does not include an apology of any sort to its users who have had their user names or phone numbers publicly exposed. Perhaps it’s an effort to avoid an admission of guilt, but it still feels like a bad effort.

The person(s) responsible for releasing the names and numbers told TechCrunch that their motivation was to “raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.”

The group says that they were following the research of Gibson Security, who gave a detailed account of how such an exploit could be accomplished to ZDNet in late December. The researchers came forward after they say that they approached Snapchat and got no response from them on the matter. Snapchat’s statement today appears to confirm that its reverse-engineered API was used to obtain the user info.

As our own Josh Constine mentioned about this issue late last month, Snapchat’s first mistake was to not take the efforts of ‘white hat’ hackers seriously. If Gibson Security did indeed approach Snapchat far in advance of going public, their revelations should have been taken seriously and acted on with vigor.

Snapchat’s first blog post on the issue in December acknowledged the potential vulnerability publicly and noted that some countermeasures had been put into place. But, in the same breath, it noted that there was still a method that could be used to accomplish this kind of leak. Yet it didn’t fix it.

Now, Snapchat says that it will add an opt-out to its apps which will allow people to choose not to appear in the Find Friends feature after they’ve used their phone number for verification purposes. It says it is also ‘improving’ the rate limiting it used to throttle API requests previously and adding ‘other restrictions’ to address future attempts to abuse the service.
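The two server-side mitigations the article describes, rate limiting of API requests and ‘other restrictions’ on abusive lookups, can be sketched as a guard in front of a contact-matching endpoint. The example below is added here and is not Snapchat’s code; the directory, the caller names and every threshold (batch size, hourly quota, minimum hit rate) are constructed assumptions. It enforces a sliding-window quota per caller and adds a hit-rate heuristic: a real address-book upload matches a meaningful share of registered numbers, whereas a sweep of every number in an area code matches almost none, so a caller whose lookups almost never hit is cut off even while still under the raw quota.

```python
"""Guard for a Find Friends-style contact-matching endpoint (added example).

Not Snapchat's code. Models the mitigations the post names: a sliding-window
rate limit per caller, a cap on batch size, and a hit-rate heuristic that
stops callers who are sweeping number ranges rather than matching a real
address book. All numbers, callers and thresholds are constructed.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed sample directory: E.164 number -> username.
DIRECTORY = {
    "+14155550101": "alice",
    "+14155550123": "bob",
    "+14155550177": "carol",
    "+12125550199": "dave",
}

MAX_BATCH = 500        # assumption: largest plausible address book per request
WINDOW_SECONDS = 3600  # assumption: quota window
MAX_PER_WINDOW = 2000  # assumption: numbers one caller may look up per window
MIN_HIT_RATE = 0.02    # assumption: below this share of hits, treat as a sweep
MIN_SAMPLE = 200       # do not judge the hit rate on fewer lookups than this


@dataclass
class CallerState:
    # One (timestamp, matched?) entry per number looked up inside the window.
    lookups: deque = field(default_factory=deque)
    flagged: bool = False


class FindFriendsGuard:
    def __init__(self):
        self.callers = {}

    def _prune(self, state, now):
        # Drop entries that have aged out of the sliding window.
        while state.lookups and state.lookups[0][0] <= now - WINDOW_SECONDS:
            state.lookups.popleft()

    def lookup(self, caller, numbers, now):
        """Return (status, matches). status is one of 'ok', 'rate_limited',
        'batch_too_large' or 'flagged'; matches is {number: username}."""
        state = self.callers.setdefault(caller, CallerState())
        if state.flagged:
            return "flagged", {}
        if len(numbers) > MAX_BATCH:
            return "batch_too_large", {}
        self._prune(state, now)
        if len(state.lookups) + len(numbers) > MAX_PER_WINDOW:
            return "rate_limited", {}
        matches = {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}
        for n in numbers:
            state.lookups.append((now, n in DIRECTORY))
        # Hit-rate heuristic over the whole window: a number-range sweep
        # matches a tiny fraction, so withhold results and flag the caller.
        if len(state.lookups) >= MIN_SAMPLE:
            hits = sum(1 for _, hit in state.lookups if hit)
            if hits / len(state.lookups) < MIN_HIT_RATE:
                state.flagged = True
                return "flagged", {}
        return "ok", matches


def demo():
    """Run a legitimate upload and a constructed area-code sweep."""
    guard = FindFriendsGuard()
    legit = guard.lookup("alice", ["+14155550123", "+14155550177", "+19995550000"], now=0)
    sweep = guard.lookup("sweeper", [f"+1415555{i:04d}" for i in range(300)], now=0)
    return legit, sweep


if __name__ == "__main__":
    print(demo())
```

The quota alone is not enough: a sweep spread across many accounts or IPs stays under each per-caller limit, which is why the hit-rate check looks at what the lookups return rather than only how many there are. In production the same signal would be computed across callers sharing an IP range or device fingerprint, and a flagged caller would be reviewed rather than silently blocked forever.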

Here’s the full post from Snapchat:

When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat – so we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.

A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.

We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Year’s Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.

We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.

We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com.

The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.

Image Credit: Daniel Brusilovsky

full story: http://techcrunch.com/2014/01/02/snapchat-says-its-improving-its-app-service-to-prevent-future-leaks/

Snapchat update planned after user breach

by Brett Molina, USATODAY

(Photo: Kevork Djansezian Getty Images)

Snapchat says it will launch a new version of its popular messaging app that lets users opt out of a feature exploited by hackers on New Year’s Eve.

The service, which lets users post photo or video messages that quickly disappear, includes a Find Friends option where users can discover friends by their phone number.

In a blog post published Thursday, Snapchat says an “attacker” used the feature to create a database of usernames with redacted phone numbers. The company says no other info such as messages were compromised.

Snapchat says a future app update will allow users to opt out of the Find Friends feature.

“The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse,” says the company’s post.

Snapchat did not confirm how many users were impacted, but several reports claim the database contains 4.6 million usernames and phone numbers.

Last week, Snapchat warned Find Friends could be exploited after a security group demonstrated how to upload a large database of names and phone numbers, but claimed “various safeguards” made the practice more difficult to execute.

Follow Brett Molina on Twitter: @bam923.

full story: http://www.usatoday.com/story/tech/2014/01/02/snapchat-security/4295789/


Confirmed: Snapchat Hack Not A Hoax, 4.6M Usernames And Numbers Published

by (@catherineshu)

A site called SnapchatDB.info has saved usernames and phone numbers for 4.6 million accounts and made the information available for download. In a statement to us, SnapchatDB says that it got the information through a recently identified and patched Snapchat exploit and that it is making the data available in an effort to convince the messaging app to beef up its security. We’ve also reached out to Snapchat.

SnapchatDB said:

Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does.

We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t. Even long after that disclosure, Snapchat was reluctant to take the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.

We wanted to minimize spam and abuse that may arise from this release. Our main goal is to raise public awareness on how reckless many internet companies are with user information. It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.

Earlier we speculated that SnapchatDB might be a hoax meant to call attention to the app’s security issues but, as it turns out, it’s real–at least one member of our editorial team has been affected. A reader also told us he found his own number, that of several friends and Snapchat founder Evan Spiegel in the list. On Hacker News, several people have had trouble downloading the data files (I just got an error message for both of them, but that may be because of high traffic), but a Jailbreak subreddit user who saw the list said that only numbers in some parts of the U.S. have been published so far. If you have not been able to download the list, you can use this site created by developer Robbie Trencheny to see if your username was included.

SnapchatDB said it “censored the last two digits of the phone numbers” in order to “minimize spam and abuse,” but it might still release the unfiltered data, including millions of phone numbers.

The Next Web did a WHOIS lookup on SnapchatDB’s domain and found it was created just yesterday on December 31. The registrant’s name is protected, but its mailing address and contact number are both listed in Panama.

The site appears to have been created in response to recently identified flaws in Snapchat’s security. Last week, ZDNet published an article on how white-hat Gibson Security researchers had tried to alert Snapchat to ways that hackers could connect usernames to phone numbers for use in stalking, but were ignored. Gibson Security then published the exploit publicly on Christmas Eve.

The firm said that hackers could use two exploits to gain access to users’ personal data, including their real names, usernames and phone numbers, through Snapchat’s Android and iOS API. Snapchat did offer a public statement, but as TechCrunch’s Josh Constine wrote, it wasn’t very satisfactory because it did not offer details on how its countermeasures would work, such as rate limiting, bad IP blocking, or automated systems that scan suspicious activity. Snapchat said:

“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.”

The Gibson Security report and SnapchatDB are both reminders that even in an ephemeral messaging service, it would be a mistake to be lulled into a sense of security about the information that you do have stored with the app. “People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with,” SnapchatDB stated on the site.

full story: http://techcrunch.com/2013/12/31/hackers-claim-to-publish-list-of-4-6m-snapchat-usernames-and-numbers/