Snapchat makes no apology for breach, announces app update
One good thing to come from the leak of usernames and phone numbers of some 4.6 million Snapchat users is that the company is now forced to patch the exploited vulnerabilities.
As a reminder, the group behind the breach and the leak (mis)used the Snapchat API to look up a seemingly unlimited number of phone numbers and usernames, and was able to do so because of Snapchat’s Find Friends function and the practically non-existent rate-limiting on it.
“We were able to query for the information as fast as our connection allowed us to,” the group explained to NYT reporters, and that was after Snapchat claimed to have “implemented various safeguards to make [bulk phone number recovery and matching with usernames] more difficult to do” and that the attack described by Gibson Security was “theoretical.”
This statement was obviously what spurred the group of researchers to compile the list and make it public, in order to prove that the company has been reckless with user information.
In a blog post published on Tuesday, Snapchat makes no mention of the “theoretical attack” nor does it offer an apology to the users.
“We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames,” they state, adding that no other information apart from the partially redacted phone numbers and usernames was leaked or accessed in the attacks.
Snapchat is trying to shift the blame: it points out that the Find Friends service was optional, claims that it implemented practices like rate limiting after being first contacted in August by Gibson Security, and finally blames those researchers for the breach because they publicly documented its API, “making it easier for individuals to abuse our service and violate our Terms of Use.”
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number,” they added. “We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
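The weakness described above and the fix Snapchat promises both come down to one control: how many phone-number lookups a single client may make against a friend-finder endpoint. The example below is added here and is not Snapchat’s code; it shows a per-client token bucket combined with a hard cap on the batch size of one request, with the policy values (100 numbers per request, a 500-lookup burst, a sustained 1 lookup per second) chosen for illustration. The `simulate` helper replays a sequence of batches from one client against the guard and counts how many are allowed, so the difference between “as fast as the connection allows” and a throttled rate is visible in the result.

```python
"""Per-client rate limiting for a phone-number lookup endpoint.

Added example: a token bucket plus a batch-size cap. The policy values are
assumptions for illustration, not any real service's settings.
"""
from dataclasses import dataclass

MAX_NUMBERS_PER_REQUEST = 100   # hard cap on numbers in one Find Friends call (assumed)
BUCKET_CAPACITY = 500           # burst allowance of lookups per client (assumed)
REFILL_PER_SECOND = 1.0         # sustained lookups per second per client (assumed)


@dataclass
class TokenBucket:
    capacity: float
    refill_rate: float
    tokens: float
    last: float

    def try_consume(self, n: int, now: float) -> bool:
        # Refill in proportion to elapsed time, never beyond capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class FindFriendsGuard:
    """Decides whether a client's batch lookup may proceed."""

    def __init__(self) -> None:
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client_id: str, numbers: list[str], now: float) -> str:
        # Reject oversized batches outright; they are the cheapest way to bulk-enumerate.
        if len(numbers) > MAX_NUMBERS_PER_REQUEST:
            return "rejected:batch_too_large"
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(BUCKET_CAPACITY, REFILL_PER_SECOND, BUCKET_CAPACITY, now)
            self.buckets[client_id] = bucket
        # Each number looked up costs one token, so the bucket bounds total lookups.
        if not bucket.try_consume(len(numbers), now):
            return "rejected:rate_limited"
        return "allowed"


def simulate(batch_sizes: list[int], interval_seconds: float,
             client_id: str = "client-A") -> dict[str, int]:
    """Replay batches from one client spaced interval_seconds apart; count decisions."""
    guard = FindFriendsGuard()
    outcome = {"allowed": 0, "rejected:rate_limited": 0, "rejected:batch_too_large": 0}
    now = 0.0
    for size in batch_sizes:
        # Constructed sample numbers; the values themselves do not matter to the guard.
        numbers = [f"+1555000{i:04d}" for i in range(size)]
        outcome[guard.check(client_id, numbers, now)] += 1
        now += interval_seconds
    return outcome


if __name__ == "__main__":
    # 20 batches of 100 numbers fired back to back: only the burst allowance gets through.
    print("no delay:   ", simulate([100] * 20, 0.0))
    # The same batches spaced 100 s apart stay within the sustained rate.
    print("100 s apart:", simulate([100] * 20, 100.0))
    # A single oversized batch is refused before any tokens are spent.
    print("oversized:  ", simulate([1000], 0.0))
```

With no delay between requests, 5 of the 20 batches are allowed (500 tokens at 100 per batch) and the remaining 15 are throttled; spaced 100 seconds apart they all pass, because that is exactly the sustained rate. In a real deployment the bucket state would live in shared storage keyed by an authenticated account rather than in process memory, and the “client” would be the account, not the IP address, so that a pool of connections cannot multiply the allowance.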
They also invited security researchers to notify them about any similar security vulnerabilities they may find via a dedicated email address, which means they probably didn’t have one before.
All in all, I expect this non-apology to rile up quite a few hackers. Perhaps Snapchat higher-ups should consider finally investing in security.