Snapchat has a rather notorious record when it comes to heeding security researchers. Gibson Security has published two major Snapchat exploits which, the firm says, were initially reported to Snapchat, but the company didn't respond.
The exploits that Gibson has exposed in Snapchat's iOS and Android apps are very significant. One of them, for instance, allows a hacker to easily match the names of Snapchat users with their corresponding phone numbers. All the hacker needs to do is provide a list of phone numbers. The 'find_friends' exploit can then be used to find out whether any of the numbers in the list have a Snapchat account associated with them.
This directly compromises the security and privacy of Snapchat users. The worst part is that the Snapchat username associated with a number can be discovered even if the account is private. This data, Gibson Security says, can be maliciously used to build a database of Snapchat users and sell it to others.
Another exploit brought to light by the firm involves the creation of fake Snapchat accounts. Termed the 'Bulk Registration exploit', this loophole allows anyone to create thousands of Snapchat accounts. Such fake accounts can then be used for spam or any other malicious activity.
Both exploits could easily have been fixed by Snapchat, which needed simply to add a few lines to its code to patch the vulnerabilities. However, not only has the company not done so, it has refused to entertain Gibson Security's findings. As a result, the security firm has published the two exploits, stating at the same time that privacy is a user's right and that Snapchat must accord that right to its users.
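The "few lines" that close a phone-number enumeration hole of the kind described above are a batch-size cap, a per-account lookup budget, and an opt-in discoverability flag on each user. The following is an added illustration written for this article, not Snapchat's code or Gibson Security's; the endpoint name, the limits, the user records and the clock are all assumed.

```python
import time
from collections import defaultdict

# Constructed sample data: phone number -> (username, user allows discovery).
# A user who has opted out of discovery is never returned, even on a match.
REGISTERED = {
    "+15550001111": ("alice", True),
    "+15550002222": ("bob", False),   # private: must not be revealed
    "+15550003333": ("carol", True),
}

MAX_NUMBERS_PER_REQUEST = 100   # assumed cap on one lookup batch
MAX_NUMBERS_PER_HOUR = 1000     # assumed per-account budget across requests
WINDOW_SECONDS = 3600


class ContactMatcher:
    """Hypothetical server-side contact-matching endpoint with abuse limits."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._usage = defaultdict(list)      # account -> [(timestamp, count)]

    def _spent(self, account):
        """Numbers this account has looked up inside the sliding window."""
        cutoff = self._now() - WINDOW_SECONDS
        recent = [(t, n) for t, n in self._usage[account] if t >= cutoff]
        self._usage[account] = recent
        return sum(n for _, n in recent)

    def find_friends(self, account, numbers):
        """Return {number: username} for discoverable users only.

        Rejects oversized batches outright and refuses any request that
        would push the caller past its hourly budget, so a bulk list of
        numbers cannot be walked through the endpoint unnoticed.
        """
        if len(numbers) > MAX_NUMBERS_PER_REQUEST:
            raise ValueError("too many numbers in one request")
        if self._spent(account) + len(numbers) > MAX_NUMBERS_PER_HOUR:
            raise PermissionError("lookup budget exhausted for this account")
        self._usage[account].append((self._now(), len(numbers)))
        return {
            n: REGISTERED[n][0]
            for n in numbers
            if n in REGISTERED and REGISTERED[n][1]
        }
```

A budget refusal is also the natural point at which to log the account for review, since legitimate contact syncing rarely approaches the limit.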