I really feel like SnapChat is fumbling this whole thing. They ignored the security warning, and now seem to be blaming the security group for the leak of info:<p>>On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.<p>The funny thing is that folks on HN and in the tech community generally will fault SnapChat for their callous attitude to security and pitiful response. But 99.9% of their users won't know or care, and investors will consider this a "lesson learned" and move on without a second thought.<p>Once the 24-hour news cycle moves past the hyperbolic "SnapChat Hacked!" headlines, this ordeal and their pathetic response will slip into the forgotten ether of low-impact data leaks.
I implemented a "find friends" server-side functionality for a mobile app (due to a similar business requirement of allowing new users to locate friends).<p>After prompting the user for the OK, the mobile app would upload the entire address book to the server. I would check for matches and return a maximum of 25% of total contacts as being valid (randomly, so you wouldn't know which numbers really didn't exist). If there were more hits they would be placed into a queue and sent periodically as "your friend has joined!" notices, which also increased engagement.<p>Subsequent checks were done by again uploading the entire address book; however, I would check against the previously stored phonebook (numbers only, hashed with a per-user salt) and limit the number of valid hits returned based on the delta of the address book. So if you kept sending 1000 new numbers every time, you wouldn't get any new matches.<p>It was also rate limited per account (which required a verified phone number). All the logic took less than a few hours to think up and implement. Here you go Snapchat, now fix your shit.
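The throttling scheme the comment above describes, written out as an added example (this is not the commenter's code, and the registry, the 25% budget, the rate-limit constant and the account names are all constructed assumptions). The point it makes concrete: matches are budgeted against the number of never-before-seen numbers, not the upload size, so re-uploading the same book or padding it with junk earns no new hits; uploaded numbers are stored only as per-user keyed hashes; and per-account uploads are capped.

```python
import hashlib
import hmac
import os
import random
from collections import defaultdict, deque

# Constructed sample registry of verified numbers -> usernames (not real data).
REGISTERED = {
    "+15550000001": "alice",
    "+15550000002": "bob",
    "+15550000003": "carol",
    "+15550000004": "dave",
    "+15550000005": "erin",
    "+15550000006": "frank",
}

MATCH_FRACTION = 0.25        # reveal at most 25% of the *new* numbers as matches
RATE_LIMIT_PER_WINDOW = 5    # uploads per account per window (assumed value)


class FindFriendsService:
    """Server side of a throttled address-book match.

    Numbers are never kept in the clear: each account gets its own salt and only
    the HMAC of each uploaded number is stored, so a leaked table cannot be
    joined across accounts or reversed with a single precomputed table.
    """

    def __init__(self, seed=None):
        # A seed is only for reproducible tests; production uses SystemRandom.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.salts = {}                      # account -> per-user salt
        self.seen = defaultdict(set)         # account -> hashes of numbers already uploaded
        self.pending = defaultdict(deque)    # account -> matches held back for later notices
        self.uploads = defaultdict(int)      # account -> uploads in the current window

    def _hash(self, account, number):
        salt = self.salts.setdefault(account, os.urandom(16))
        return hmac.new(salt, number.encode(), hashlib.sha256).hexdigest()

    def find_friends(self, account, phonebook):
        """Return {number: username} for a budgeted, random subset of new matches."""
        if self.uploads[account] >= RATE_LIMIT_PER_WINDOW:
            raise PermissionError("rate limit exceeded for account %s" % account)
        self.uploads[account] += 1

        # Only numbers this account has never uploaded count towards the budget,
        # so re-sending the same book (or adding numbers one at a time) earns nothing.
        new_numbers = []
        for number in set(phonebook):
            digest = self._hash(account, number)
            if digest not in self.seen[account]:
                self.seen[account].add(digest)
                new_numbers.append(number)

        budget = int(len(new_numbers) * MATCH_FRACTION)
        hits = [n for n in new_numbers if n in REGISTERED]
        self.rng.shuffle(hits)   # random subset: the caller cannot tell budget from "not registered"

        revealed = hits[:budget]
        self.pending[account].extend(hits[budget:])
        return {n: REGISTERED[n] for n in revealed}

    def drain_notifications(self, account, limit=1):
        """Release held-back matches slowly as 'your friend has joined!' notices."""
        out = []
        while self.pending[account] and len(out) < limit:
            number = self.pending[account].popleft()
            out.append((number, REGISTERED[number]))
        return out


if __name__ == "__main__":
    svc = FindFriendsService()
    book = list(REGISTERED) + ["+15559999998", "+15559999999"]   # 6 real, 2 unknown
    print("first upload:", svc.find_friends("acct-1", book))     # at most 2 of the 6 hits
    print("same book again:", svc.find_friends("acct-1", book))  # {} : no new numbers
    print("drip notice:", svc.drain_notifications("acct-1"))
```

The budget is computed from the delta, not from the hit count, so a harvester who uploads a full block of sequential numbers gets back roughly a quarter of them at best on the first try and nothing thereafter; the remaining matches leak out only at the pace the service chooses to send notices.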
Wow. Talk about a non-reaction. As if bad code resulting in the disclosure of 4.6MM numbers and IDs is a non-issue.<p>Posted something about this on FB, achieved zero reactions, which really surprised me, until I realized that some think it's only for sexting... and thus nobody is willing to admit they've installed it (it's useful for other stuff as well, I'm my own emoticon).<p>Several of my friends are in the list (known nicks match known numbers, showing exactly what the problem is here).<p>Maybe I should post something on their wall? :-)
<i>On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.</i><p>Security through obscurity? Great way of protecting your users.<p>It's pathetic that they believe that others haven't already worked out their protocol and were using it.<p>Funny how they have had to quickly backtrack from this blog post:<p><a href="http://blog.snapchat.com/post/71353347590/finding-friends-with-phone-numbers" rel="nofollow">http://blog.snapchat.com/post/71353347590/finding-friends-wi...</a>
There is an easier way to solve this issue: a bug bounty.<p>It worked for Google, it worked for Facebook and it's working for Yahoo! In fact, it worked so well for Google that they recently increased the rewards. A venture-backed startup like Snapchat that stores private pictures (even temporarily) should have no trouble paying out $5k a few times for vulnerabilities.
It's hard for me to get too worked up over this.<p>I mean, do phonebooks still exist? They used to list everyone's numbers <i>and their names and addresses</i> and then leave them on everyone's doorstep. This is just a (partial) phone number and username.<p>About the worst abuse I can think of is that you have someone's username from another service, and you can maybe find their phone number.<p>This seems mild compared to, say, Facebook allowing you to search by email and find a user's facebook profile.
Why is user info presented in the clear to anyone who asks for it via their API?<p>Here's a more sane approach I imagine:<p>Allow sending snaps to a phone number (rather than to a username, since you would not know it at the time), and attach a "friend request" as part of delivery. When the person at that phone number retrieves the snap they have the additional option of accepting the friend request, which then (and only then) exposes their user info to the originating party.
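The flow proposed above, as an added example (not the commenter's code, and nothing like Snapchat's real API; the account names, phone numbers and method names are constructed). Two things the code enforces that the prose only implies: the sender gets the same receipt whether or not the number belongs to an account, so delivery status cannot be used as an existence oracle, and the recipient's username is released to the sender only after the recipient, authenticated as the owner of that number, accepts.

```python
import secrets
from collections import defaultdict

# Constructed sample accounts: username -> verified phone number (not real data).
ACCOUNTS = {
    "alice": "+15550000001",
    "bob":   "+15550000002",
    "mallory": "+15550000003",
}


class SnapByPhoneService:
    """Deliver to a phone number; reveal the recipient only on accepted request."""

    def __init__(self, accounts):
        self.by_phone = {phone: user for user, phone in accounts.items()}  # server-side only
        self.snaps = {}                    # snap_id -> delivery record
        self.inbox = defaultdict(list)     # username -> snap_ids awaiting retrieval
        self.friends = defaultdict(set)    # username -> accepted friends

    def send_to_phone(self, sender, phone, payload):
        """Queue a snap for a phone number. The receipt never says whether the number exists."""
        snap_id = secrets.token_hex(8)
        self.snaps[snap_id] = {
            "sender": sender, "phone": phone, "payload": payload, "request": "pending",
        }
        recipient = self.by_phone.get(phone)
        if recipient is not None:
            self.inbox[recipient].append(snap_id)
        # Identical response for registered and unknown numbers.
        return {"snap_id": snap_id, "status": "queued"}

    def fetch_inbox(self, username):
        """What the recipient sees: the snap, who sent it, and the option to accept."""
        items = []
        for snap_id in self.inbox[username]:
            rec = self.snaps[snap_id]
            items.append({"snap_id": snap_id, "from": rec["sender"],
                          "payload": rec["payload"], "request": rec["request"]})
        return items

    def respond(self, username, snap_id, accept):
        """Recipient accepts or declines; only the owner of the target number may answer."""
        rec = self.snaps[snap_id]
        if self.by_phone.get(rec["phone"]) != username:
            raise PermissionError("snap was not addressed to this account")
        if rec["request"] != "pending":
            raise ValueError("request already answered")
        rec["request"] = "accepted" if accept else "declined"
        if accept:
            self.friends[rec["sender"]].add(username)
            self.friends[username].add(rec["sender"])

    def recipient_of(self, sender, snap_id):
        """The sender's view: the username behind the number, or None until accepted."""
        rec = self.snaps[snap_id]
        if rec["sender"] != sender or rec["request"] != "accepted":
            return None
        return self.by_phone[rec["phone"]]


if __name__ == "__main__":
    svc = SnapByPhoneService(ACCOUNTS)
    receipt = svc.send_to_phone("alice", ACCOUNTS["bob"], b"hello")
    print("before accept:", svc.recipient_of("alice", receipt["snap_id"]))   # None
    svc.respond("bob", receipt["snap_id"], accept=True)
    print("after accept:", svc.recipient_of("alice", receipt["snap_id"]))    # bob
```

Note that a "declined" answer leaves the sender with exactly the same view as an unregistered number, which is what keeps the phone-number-to-username mapping out of reach of a bulk enumerator.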
That is one of the worst 'apologies' from a startup I've ever read.<p>There is no "We fucked up, sorry, we're fixing it". They speak of the leak as a simple 'hack', like someone who was capable of finding all your friends using Facebook and random luck.<p>I hope they fix this right, and are more apologetic the next time.
A 322-word blog post, no apology and 6 instances of the word 'abuse'.<p>The PR message that Snapchat just sent is not a good one. Their target demographic may not care much, but at the end of the day, this brand just dropped a big ball and lost an opportunity to build something better.
I tried to send a snap ( via <a href="http://kittenbot.gustav.tv/" rel="nofollow">http://kittenbot.gustav.tv/</a> ) to all the leaked users. Turns out the app crashes a lot after around 10k friends. :D
So in a nutshell they are saying that some of their users are risky enough to use a feature that discloses their phone number to them, and they consider this information as non-sensitive data.<p>Snapchat is and will always just be a fad, it's the current social network flavour of the time, and when something more interesting comes along, I will bet that the 4.6M users will be inactive in no time.<p>This is also why their users aren't concerned with this leak, because the premise in snapchat is a sort of leaking of your good and bad moments, with no filter.
But I'd be pretty sure that if it turns out they save the images and videos, it would be a much bigger deal, because it ruins this premise.
"We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns."<p>"Quickly" is a relative term here, I guess.
We're going to be releasing a statement shortly.<p>Here: <a href="https://gist.github.com/anonymous/8231005" rel="nofollow">https://gist.github.com/anonymous/8231005</a>