Alison K. Lanier
The massive New Year’s Snapchat hack could have been prevented, according to an Australian security company that forewarned Snapchat about security loopholes.
Gibson Security released a report on Christmas Day that described the security issues they found in Snapchat’s software. Snapchat responded, stating, “[over] the past year we’ve implemented various safeguards to make [hacking user data] more difficult to do.”
About 4.6 million Snapchat users had their data posted online and made available for download in the massive hack. The information was made available by the group SnapchatDB.
However, Snapchat’s lack of protection of users’ private data, such as phone numbers, has become abundantly clear, which, as SnapchatDB’s statement makes clear, was the purpose of the exercise.
The motive behind the attack is far less sinister than it might originally appear. A site called SnapchatDB.info, which is hosting the usernames and phone numbers for those nearly 5 million members, released a statement to TechCrunch describing their methods and their motivation.
According to the statement, the data was apparently accessed via a flaw in Snapchat’s security. And the motivation was just that: to point out this gaping security loophole. “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” SnapchatDB said in its statement.
The tone of the statement was far from threatening, and instead more idealistic than malicious. “It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal,” according to the SnapchatDB statement. “Security matters as much as user experience does. We wanted to minimize spam and abuse that may arise from this release.”
“Our main goal is to raise public awareness on how reckless many Internet companies are with user information,” according to the statement. “It is a secondary goal for them, and that should not be the case. You wouldn’t want to eat at a restaurant that spends millions on decoration, but barely anything on cleanliness.”
SnapchatDB blamed the security flaw on the laziness of Snapchat’s team. The language of the statement becomes most tense when describing the perceived—and evidently well-proven—security lapses. “We used a modified version of [Gibson Security’s] exploit/method,” according to the statement. “Snapchat could have easily avoided that disclosure by replying to [Gibson Security’s] private communications, yet they didn’t.”
“Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data. Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough,” according to the statement. “Even now the exploit persists. It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent.”
A Successful Campaign
SnapchatDB’s plan seemingly worked like a charm. According to TechCrunch, the company has reportedly again “identified and patched” the security loophole.
About two weeks after the hack, NBC reported that Snapchat had apologized for higher levels of spam from the Snapchat Team; in its Tumblr post, the company said the spam was the “consequence of a quickly growing service” rather than an issue related to the hack.
Snapchat’s app has recently been updated, according to NBC, which should “help lock things down.” Snapchat and NBC suggest that Snapchat users can best protect themselves by limiting the number of snaps they receive by setting their preferences on the app so that they only receive snaps from friends.
TechCrunch reported that it verified the accuracy of the information posted by SnapchatDB when one TechCrunch reader found his own name and data posted. He also found the information for Snapchat co-founder Evan Spiegel, according to NBC.
Spiegel and his former Stanford University frat brother Bobby Murphy founded Snapchat only about two years ago. According to NBC, their company rejected a $3 billion buyback offer from Facebook in November.
With the constantly updating and shifting privacy settings, young people—Snapchat’s primary demographic—are very aware of their personal data’s presence on the Internet. However, that does not necessarily mean that they are as careful as they might be with where that data is hosted and released.
The responsibility for managing and safeguarding that data lies with the websites, which hold all of this information behind their walls. Snapchat has apparently received its wake-up call and repaired its identified security issues.