Snapchat comments on alleged exploits that crack the wall of secrecy on the app

Since August, Gibson Security has been trying to warn Snapchat of an exploit that could match the usernames of Snapchat users, with their phone numbers. For a site that has become wildly popular because photo, video and written messages disappear after ten seconds, the hack could be quite painful. The app has become so red hot that the powers that be allegedly turned down $4 billion for the operation from Google. And that was after the last financing round done in June valued the company at just $800 million.

On Christmas Eve, Gibson Security sent out a tweet containing Snapchat's API and a pair of exploits for the site. This now allows anyone to copy the API and go after the app's 8 million users. Gibson also claims that the metadata can be used with other APIs to "automatically build profiles about users, which could be sold for a lot of money."

The Find Friends exploit, takes a range of phone numbers and matches it up with Snapchat usernames. The Bulk Registration Exploit allows someone to bombard the site with new registrations. Both were known to Snapchat for four months, according to Gibson, and could have been closed with ten lines of code. By reverse-engineering the iOS and Android version of the app, Gibson found the security gaps. Besides this, the company says that Snapchat is not telling the truth when it claims that its users are 70% female.


Snapchat has released a brief statement saying that it has added safeguards and barriers over the years to prevent an exploit like Find Friends from matching Snapchat usernames with phone numbers. Even if there is nothing to Gibson Security's claims, it should be interesting to see if even the slightest hint of a security breach will negatively affect the value of Snapchat. Wonder if Snapchat wishes that they had accepted Google's money.


source: @GibsonSec, ZDNet via TechCrunch