Snapchat cannot afford security slip-ups


On New Year’s Eve, anonymous hacker group SnapchatDB released a database of 4.6 million Snapchat usernames and phone numbers, according to the Los Angeles Times.

Irene Wang | Daily Trojan

The unidentified hackers posted the information with the last two digits of the phone numbers removed on a site called SnapchatDB.info, claiming that their motivation to leak the information was to raise public awareness about the need for enhanced security measures. Regardless of the hackers’ supposed good intent, the hack reveals a serious need for the photo messaging application to address its security issues to ensure that this type of leak never happens again.

This security crisis arose in late August when an Australia-based group of security researchers known as Gibson Security published a “Snapchat Security Advisory.” In doing so, Gibson Security, which is unaffiliated with SnapchatDB, exposed a way to manipulate Snapchat’s servers to find its secret application programming interface (A.P.I.), a specification that describes how one piece of software communicates with another, thus making it easier for anyone who could obtain the data to decrypt, view and even replace messages. The ability for people to easily obtain this information proved to be detrimental not only to Snapchat’s mantra of privacy, but also to its millions of users’ security.

Gibson Security also discovered another security issue, which they dubbed the “find_friends exploit.” Snapchat encourages its users to register their phone numbers and allow the app to scan their contact lists to locate friends who have also joined, a feature Snapchat calls “Find Friends.” Gibson Security realized that, using the A.P.I., they could transmit phone numbers to Snapchat’s servers and match them with their corresponding usernames. One of the main problems behind this was that Snapchat did not curtail the number of phone numbers that could be checked at once. In one test, Gibson Security was able to get 75,000 numbers at once.
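The missing cap described above can be expressed as a server-side check. This is an added example, not code from Snapchat or Gibson Security; the class name, the endpoint it would guard and all three limits are assumptions chosen for illustration, and only the 75,000-number figure comes from the article.

```python
import time
from collections import defaultdict, deque

MAX_BATCH = 200          # assumed cap on phone numbers per request
WINDOW_SECONDS = 3600    # assumed sliding-window length
MAX_PER_WINDOW = 1000    # assumed cap on numbers per account per window


class FindFriendsLimiter:
    """Per-account lookup budget for a hypothetical contact-matching endpoint."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # account -> deque of (timestamp, count) for accepted requests
        self._history = defaultdict(deque)

    def _used(self, account, now):
        events = self._history[account]
        # Drop accepted requests that have aged out of the window.
        while events and now - events[0][0] >= WINDOW_SECONDS:
            events.popleft()
        return sum(count for _, count in events)

    def check(self, account, numbers):
        """Return (allowed, reason); the request is recorded only if allowed."""
        unique = set(numbers)
        if not unique:
            return False, "empty"
        if len(unique) > MAX_BATCH:
            return False, "batch_too_large"
        now = self._clock()
        if self._used(account, now) + len(unique) > MAX_PER_WINDOW:
            return False, "window_budget_exceeded"
        self._history[account].append((now, len(unique)))
        return True, "ok"


def simulate():
    """Constructed traffic: one ordinary contact upload, then bulk lookups."""
    t = [0.0]
    limiter = FindFriendsLimiter(clock=lambda: t[0])
    results = [limiter.check("alice", [f"+1555010{i:04d}" for i in range(150)])]
    # 75,000 numbers in a single request, the volume reported in the article.
    results.append(limiter.check("mallory", [f"+1555{i:07d}" for i in range(75000)]))
    # Batches under the per-request cap still exhaust the hourly budget.
    for start in range(0, 1200, 200):
        batch = [f"+1555{i:07d}" for i in range(start, start + 200)]
        results.append(limiter.check("mallory", batch))
        t[0] += 1
    return results
```

A per-account budget only slows lookups from a single account, so rejections such as `window_budget_exceeded` are also worth logging and alerting on.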

This security breach, however, goes beyond simple usernames and phone numbers. By combining this data with databases of commonly used passwords or other information, experts say that hackers can sometimes steal consumer identities and access their financial accounts. With the use of social media and other Internet sites rapidly increasing, and this type of private information becoming more and more accessible, such threats are bound to increase, making Snapchat’s security vulnerabilities all the more dangerous to its application’s fifty million users.

Despite this serious breach of security, Snapchat’s initial responses to the leak were minimal and downplayed. It took nine days before Snapchat formally apologized for the problem in a blog post, which noted two security improvements: First, that the app will more explicitly allow users to decline attaching their phone number to their username and, second, that the app will require new users to verify their phone number before using Find Friends, making it more difficult to utilize the exploit.

But Snapchat’s 50 million users deserve more than simple statements of apology. They deserve more than weak security measures. Rather, they need a platform that guarantees their privacy and anonymity — one of the very reasons behind the application in the first place.

With new communication applications and rising competition every day, Snapchat users need not feel loyal to the app when there’s no incentive of security. There’s nothing stopping users from using Instagram’s new messaging feature instead. This hack was made under the alleged motivation of exposing the security threats in order to raise public awareness.

Next time, Snapchat might not be so lucky.

Yasmeen Kamel is a freshman majoring in business administration.