Over at ZDNet, Violet Blue details a couple apparent Snapchat weaknesses: one that would allow someone to match a phone number with a person’s username, and one that would allow someone to create a bunch of accounts that could be used for spamming people.
The whole ordeal is a pretty thick read – here’s the complete document by the security team that discovered the flaws – but the takeaway for the “Find Friends Exploit,” as it’s being called, is that you’d have to take a giant list of phone numbers and cross-check each number against the list of Snapchat usernames to find matches.
In other words, right now if someone wanted to find your phone number — assuming you’re in the U.S. and have it listed as part of your Snapchat account, for instance — they’d have to run all of the phone numbers in the U.S. until your number popped up and matched to your account. This process could be quicker and easier if they know you live in the 617 area code, though, since they’d only have to run a smaller subset of phone numbers.
The bigger issue, however, would be someone taking the time to just run all the phone numbers in the U.S. and matching them up against all the Snapchat users in the U.S., compiling a list and then selling that list off to spammers, stalkers or whoever else wanted access to this information. As Blue writes, “When the phone number matches a record of a Snapchat user, the malicious entity will get a record that includes the username, the associated display name, and whether the account is private or not.”
The security team that found the weaknesses – Gibson Security – posits that someone could run all the phone numbers in the U.S. in less than 27 hours. The researchers also said that they’ve reported these weaknesses to Snapchat but have never received a response.
Long story, short: It doesn’t appear that any of this information has been used maliciously yet, but it’s still early. We’ll see if Snapchat takes steps to clamp this up or if someone else takes the time to churn through all the data.
Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored [ZDNet]