Researchers Reveal Snapchat Security Issues

  /     /     /  
Publicated : 22/11/2024   Category : security


Researchers Reveal Snapchat Security Issues


Security researchers release proof-of-concept code for issues they say they disclosed months ago to Snapchat



Snapchat, the popular photo messaging service, got a visit from the privacy Grinch this Christmas season after researchers released details of an exploit that abuses Snapchats Find My Friends feature.
The visit was the work of Gibson Security, which first notified Snapchat of this and other security issues back in August. According to the group, Snapchat did not respond, compelling Gibson Security to publicly release more details and some
proof-of-concept code
on Christmas Eve. The first target: Snapchats Find My Friends feature.
Typically, Find My Friends enables users to look up their friends usernames by uploading the phone numbers in their devices address book and searching for accounts that match those numbers. The researchers, however, were able to abuse that capability to do that on a massive scale.
We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers), the researchers state in their advisory. We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Zs) in approximately 7 minutes on a gigabit line on a virtual server. Given some asynchronous optimizations, we believe that you could potentially crunch through that many in as little as a minute and a half (or, as a worst case, two minutes). This means youd be railing through as many as 6666 phone numbers a minute (or, in our worst case, 5000!).
Gibson Security did not immediately respond to a request for comment from Dark Reading. However, in an
email with ZDNet
, researchers say an attacker could use the Snapchat API to write an automated program that generates phone numbers and searches them against the Snapchat database as a step toward building a database of social networking profiles that could be sold to others.
Hopping through the particularly ‘rich’ area codes of America, potential malicious entities could create large databases of phone numbers and corresponding Snapchat accounts in minutes, the researchers wrote.
The researchers also presented proof-of-concept code for the bulk registration of accounts. The issue takes advantage of what the researchers say in their advisory is lax registration functionality.
The mass registration exploit could be used to create thousands of accounts, which could be used for speeding up the above process, or possibly for spam, Gibson Security told ZDNet.
Snapchat did not respond to a request for comment from Dark Reading.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Researchers Reveal Snapchat Security Issues