Snapchat - GibSec Full Disclosure

108 points by gulbrandr over 11 years ago

7 comments

objclxt over 11 years ago
What's interesting to me is how the passage of time seems to have affected how Snapchat responded to this.

About twelve months ago I found a very similar vulnerability in SnapChat that could be used to provide a cellphone number for any given username (it was probably slightly more serious than what Gibson found, it was far easier to exploit).

Anyway, I ended up guessing Evan Spiegel's e-mail address along with a few other SnapChat staff and got in touch with them. They responded in twenty-four hours, patched it, and we had a brief chat about how I ended up finding it in the first place. This was back when the API was still running on Google App Engine (...maybe it still is, although that would be surprising). I got the impression it was held together with string, but they engaged with me and it got fixed.

I would be interested to know how GibSec engaged with Snapchat, because their experience seems very different to mine, and yet the vulnerabilities are very, very similar.
Comment #6970804 not loaded
Comment #6970371 not loaded
optymizer1 over 11 years ago
I hate to be that guy, but what's the big deal? Where's the full disclosure? It looks like they're just documenting the API, which is not really disclosing much. Anyone can fire up Burp Suite proxy and inspect HTTP requests and responses from their phone.

Now onto their PoC. So they don't have rate limiting on some API requests. That's pretty dumb for a service with a public API, but in my experience, most websites don't limit request rate, because it's always a "let's toughen up security" after-thought. I remember GAE having some anti-DDoS measures, so they may be relying on that while growing the business.

The bulk registering of user accounts is more serious though and could be easily fixed (to some extent) with a captcha. This may be worthy of a tweet, maybe. Instead, Gibson listed all of SnapChat's APIs, even though most of them were irrelevant to the PoC, and slapped 'Full Disclosure' on it.

This is high-school level security researching. We were finding the same 'exploits' in high school. You could probably find these with any service that's only starting out. Glad to see that's the best Gibson could do. If I were Snapchat, I'd fix the two issues and then thank Gibson for spending the time to create an API page for SnapChat.
Comment #6971845 not loaded
Comment #6970903 not loaded
Comment #6972239 not loaded
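The comment above says the API had no rate limiting on some requests. As an added example (not code from the GibSec write-up, Snapchat, or anyone in this thread), here is the shape of the control that is missing: a per-key token bucket in Go, keyed by endpoint plus source address, with an injected clock so the policy can be exercised offline. The key strings, the rate and burst values, and the scenario of 100 back-to-back lookups are all constructed for the demonstration; the choice of key (address, account, endpoint, or a combination) and the numbers are policy decisions, not something the page specifies. A CAPTCHA on registration, which the comment also mentions, is a separate control and is not shown.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// bucket is the per-key state: tokens left and when they were last refilled.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter is a per-key token bucket. Each key (source IP, account, or
// endpoint+IP) may burst up to `burst` requests and then proceeds at `rate`
// requests per second. The clock is injected so behaviour is testable offline.
type Limiter struct {
	mu    sync.Mutex
	rate  float64
	burst float64
	now   func() time.Time
	keys  map[string]*bucket
}

func NewLimiter(rate, burst float64, now func() time.Time) *Limiter {
	return &Limiter{rate: rate, burst: burst, now: now, keys: map[string]*bucket{}}
}

// Allow reports whether one more request for key may proceed, consuming a token if so.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.keys[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.keys[key] = b
	}
	// Refill in proportion to elapsed time, never above the burst ceiling.
	b.tokens += t.Sub(b.last).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// runScenario models a bulk enumeration (constructed): 100 back-to-back lookups
// from one address, another 100 after five seconds, then one call from a second
// address. It returns how many of each were allowed at 1 req/s with a burst of 10.
func runScenario() (burst, afterRefill, otherKey int) {
	clock := time.Unix(0, 0)
	l := NewLimiter(1, 10, func() time.Time { return clock })
	for i := 0; i < 100; i++ {
		if l.Allow("lookup:203.0.113.7") {
			burst++
		}
	}
	clock = clock.Add(5 * time.Second)
	for i := 0; i < 100; i++ {
		if l.Allow("lookup:203.0.113.7") {
			afterRefill++
		}
	}
	if l.Allow("lookup:203.0.113.8") {
		otherKey++
	}
	return
}

func main() {
	a, b, c := runScenario()
	fmt.Printf("burst allowed=%d, after 5s refill allowed=%d, other address allowed=%d\n", a, b, c)
}
```

The limiter only throttles per key; an attacker with many addresses still gets `burst` lookups per address, which is why keying on the looked-up resource (the phone number or username being queried) as well as the caller is usually needed for enumeration endpoints.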
tptacek over 11 years ago
ECB encryption. No MAC. Brand new system. Tell me again how developers should be building their own crypto?
Comment #6971115 not loaded
Comment #6970972 not loaded
Comment #6972493 not loaded
j_s over 11 years ago
I thought it was just another snapchat api reverse engineering 'til I got to http://gibsonsec.org/snapchat/fulldisclosure/#obligatory-exploit-pocs
Comment #6972053 not loaded
uptown over 11 years ago
On the subject of Snapchat - does anyone really believe that they don't permanently retain a copy of the images on their server?
Comment #6970558 not loaded
Comment #6971825 not loaded
Comment #6971242 not loaded
Comment #6970678 not loaded
mukyu over 11 years ago
> 1 (note: it's still encrypted prior to gzipping).

why
rohanpai over 11 years ago
What are the alternatives to ECB? Why not use CBC?