Already, 2014 has started off with a data breach – on New Year’s Day, Snapchat, a popular social network for photo messaging, fell victim to a hack attack. A website called SnapchatDB.info posted the usernames and redacted photo numbers of about 4.6 million people using the service.
And apparently, Snapchat knew for months it had a security hole. In August 2013, a small Australian security group called “Gibson Security” told Snapchat there were issues, and it published a full account of security vulnerabilities that hackers could potentially exploit – and in this case, did exploit. However, Snapchat didn’t respond to the group until Dec. 28, 2013.
While Gibson Security said it doesn’t have anything to do with SnapchatDB, nor does it condone its actions, one of the members of Gibson Security exchanged emails with Forbes’ J.J. Colao to explain how this happened. Writing anonymously, he or she says their post about the vulnerability indicated it’d be easy enough for hackers to access the social network’s database through its Find Friends feature.
The feature lets users upload their phone’s contacts to Snapchat, making it easier for them to find contacts who are also Snapchat users. It sounds convenient, but if someone uploaded a huge set of phone numbers, like every number in the U.S., it’d be possible to create a database of the results and match usernames to phone numbers – and that may have been what happened.
“With Snapchat responding like it is, it might be the wake up call it needs,” the source said in an email. He or she adds Gibson Security is made up of three friends, students who lack any formal training. But they were still able to upload a huge amount of numbers in just minutes.
“We were able to crunch through 10,000 phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ – we did the Z’s) in approximately seven minutes on a gigabit line on a virtual server,” the group said, adding that hackers could tweak the system to upload 10 million numbers a day, if they so chose.
For more, click the “Original Article Source” link.
