Snapchat exploit ignored since August, allows for user data collection - Full disclosure

By Alexandra Burlacu | Dec 27, 2013 10:52 AM EST


It seems that the popular app Snapchat has an unpatched flaw in its API, and the exploit allows for user data collection.

Through this exploit, rogue coders can write scripts that tie real phone numbers to Snapchat user names, display names, and account privacy settings.


What's even more alarming is that the vulnerability in question is not new, yet it hasn't been addressed. Security researchers at Gibson Security have been ignored by Snapchat since August, so they decided to go for a full disclosure to warn users themselves.

"Given that it's been around four months since our last Snapchat release, we figured we'd do a refresher on the latest version, and see which of the released exploits have been fixed (full disclosure: none of them)," reads the notice. "Seeing that nothing had really been improved upon (although, stories are using AES/CBC rather than AES/ECB, which is a start), we decided that it was in everyone's best interests for us to post a full disclosure of everything we've found in our past months of hacking the gibson."

Associating real phone numbers with Snapchat display names, user names, and account privacy settings is obviously a big threat. In an email to ZDNet, Gibson Security further highlighted that a coded script collecting user data could "automatically build profiles about users, which could be sold for a lot of money."

Snapchat is a popular service that allows users to exchange short video messages that are automatically deleted within ten seconds after they are opened. The exploit leaves this function unaffected, but may grant more access to senders' personal information when API script users implement the undocumented hooks.

According to the security firm, the hooks are not hard to remove from the API, and can be deleted with little to no effect on the rest of the API. Nonetheless, Snapchat has apparently ignored these warnings since August. If the previous notice failed to prompt a response, perhaps this full disclosure will spark some real action. Snapchat has yet to issue a statement in this regard, but we'll make sure to keep you up to date as soon as we hear more.

 

 


© 2014 Mobile & Apps All rights reserved. Do not reproduce without permission.
