Privacy lenses pointed at Snapchat for making phone number searches too easy

Filed Under: Featured, Privacy, Vulnerability

Snapchat is a hip and happening mobile app, and you've probably heard of it, though not necessarily in flattering terms if you are interested in security.

Snapchat's primary purpose seems to be to suck you into thinking that it is safe to share risky (or risque) photos of yourself, provided that you do so via the Snapchat app, rather than via email or a regular photo-sharing service.

That's because the Snapchat app gives recipients only a few seconds to look at your picture - just long enough for them to mouth the words, "My goodness, look who's in the background...that must be..."

And before they can remember whether it was Monica or Mary (or Daniel or Dave)...

...poof!

The photo vanishes, and can't be downloaded or opened again.

But security experts have laughed from Day Zero at the idea that Snapchat images could truly be said to disappear after viewing.

Even Snapchat managed to confuse itself, as we reported earlier this year, making the unlikely claim in Google's Play Store that:

Snapchat is the fastest way to share a moment with friends. You control how long your friends can view your message - simply set the timer up to ten seconds and send. They'll have that long to view your message and then it disappears forever.

The next sentence, however, boasted that:

We'll let you know if they take a screenshot!

In which case, of course, it wouldn't have disappeared at all, let alone forever.

(As Naked Security asked more than a year ago, "what action are you going to take if you share a photo in confidence, only to discover that someone has chosen to keep a permanent record?")

So the idea of making an absolute claim about the concept of a message that "disappears forever" was impertinent nonsense from Snapchat to start with.

And that's before you take into account that:

  • You can use a mobile phone to snap a pretty decent snapshot of a snapshot displayed on the screen of a mobile phone, and the sender will be none the wiser.
  • When Snapchat was still openly promising disappearing photos, its app wasn't even trying to delete snapshots from your phone after you viewed them: images were merely renamed so that most (but not all) image viewers would ignore them.
  • Snapchat has admitted sharing images with law enforcement - something it must have known it would need to do to comply with regulations - who, we assume, did not delete those photos after they'd been viewed.
  • Snapchat's image encryption apparently uses a symmetric cipher with hardwired keys, so any user or server who has intercepted a web request (admittedly an HTTPS-protected one) in which you fetched an image can decode it later at their leisure, no matter whether you or Snapchat want them to.

Snapchat's liberal attitude to technical accuracy didn't stop Facebook from offering recently to write a cheque for $3,000,000,000 to buy it outright - with other potential investors apparently thinking of paying $4 billion for that privilege.

(Even more dramatically, Snapchat's 23-year-old founder and CEO, Evan Spiegel, turned up his nose at both offers.)

To be fair, the company has now backed off from its "disappears forever" claims.

The Play Store promotional text now says:

Please note: even though snaps are deleted from our servers after they are viewed, we cannot prevent the recipient(s) from capturing and saving the message by taking a screenshot or using an image capture device.

But a new round of criticism has arisen, with a group of hackers who identify themselves only as Gibsonsec publishing proof-of-concept code for exploiting two vulnerabilities they claim Snapchat has failed to fix since August 2013.

The first exploitable vulnerability is that you can use the Snapchat API (Application Programming Interface) to perform apparently unlimited phone number lookups.

Once you log in with an active username and password, says Gibsonsec, you can make web requests to the Snapchat find_friends API function to check whether there is a user X with phone number Y.

The idea sounds reasonable enough: if you know someone's phone number, you can use it to help find whether they're on Snapchat.

But the Gibsonsec researchers claim that in their tests, they were able to check about 1500 numbers per minute using a single cloud-based virtual server; they further estimate that 5000 number lookups per minute ought to be fairly easy to do with some improvements to their code.

That would let you get through 7,000,000 lookups a day from a single server.

That's the sort of request volume it would be prudent for Snapchat to limit, in order to prevent stalkers and crooks from easily searching entire telephone area codes for otherwise-unlisted individuals.

Of course, one way for Snapchat to restrict the number-finding power of unscrupulous users would be to lock out any accounts that make too many requests.

But Gibsonsec's second exploitable vulnerability would circumvent that sort of protection: apparently unlimited registration of new accounts.

Many web services put one or more speed-bumps in the way of account creation, for example by sending an email containing a URL that needs to be visited to activate a new account, or by asking the applicant to solve a CAPTCHA.
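The two problems above are linked: a lookup limit keyed on the account alone is worthless if the attacker can register a fresh account for every request. The following Python is an added illustration of that interaction, not code from Snapchat, Gibsonsec or Naked Security. The lookup handler, the thresholds (30 lookups per account per minute, 100 per source IP per minute), the request timings and the IP address are all constructed assumptions; the point it demonstrates is that the same sliding-window limiter has to be keyed on something the registration loophole does not refresh, such as the source address, as well as on the account.

```python
"""Sliding-window rate limiting for a find_friends-style phone number lookup.

Added example (not Snapchat's, Gibsonsec's or Naked Security's code). Thresholds,
request records and IP addresses are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key."""
    limit: int
    window_seconds: float
    _events: dict = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        # Forget timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class LookupGuard:
    """Gate lookups on the account first, then on the source IP as a backstop."""
    per_account: SlidingWindowLimiter
    per_ip: SlidingWindowLimiter

    def check(self, account: str, ip: str, now: float) -> str:
        if not self.per_account.allow(account, now):
            return "denied:account"
        if not self.per_ip.allow(ip, now):
            return "denied:ip"
        return "allowed"


def make_guard(account_limit=30, ip_limit=100, window=60.0) -> LookupGuard:
    """Assumed thresholds: 30 lookups/account/minute, 100 lookups/IP/minute."""
    return LookupGuard(SlidingWindowLimiter(account_limit, window),
                       SlidingWindowLimiter(ip_limit, window))


def simulate(requests, guard: LookupGuard) -> dict:
    """Run (account, ip, timestamp) records through the guard and tally outcomes."""
    tally = {"allowed": 0, "denied:account": 0, "denied:ip": 0}
    for account, ip, t in requests:
        tally[guard.check(account, ip, t)] += 1
    return tally


def single_account_burst(n=1500, ip="198.51.100.7"):
    """Constructed: one account spreading n lookups evenly over one minute."""
    return [("alice", ip, i * 60.0 / n) for i in range(n)]


def throwaway_accounts(n=1500, ip="198.51.100.7"):
    """Constructed: a freshly registered account per lookup, same source IP."""
    return [(f"acct{i}", ip, i * 60.0 / n) for i in range(n)]


if __name__ == "__main__":
    print("one account, 1500 lookups/min: ", simulate(single_account_burst(), make_guard()))
    print("1500 throwaway accounts, one IP:", simulate(throwaway_accounts(), make_guard()))
    print("throwaway accounts, account limit only:",
          simulate(throwaway_accounts(), make_guard(ip_limit=10_000)))
```

With the account limit alone, the throwaway-account run sails through at the full 1500 lookups per minute; adding the per-IP key caps it at 100. The same logic extends to any key the attacker cannot cheaply refresh (device identifier, signed client attestation), and the deque-per-key window keeps memory proportional to recent traffic rather than to total users.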

Spammers, scammers and other miscreants love services that make it easy to automate the creation of new users, and to recover information about existing users.

Snapchat really ought to do something about automated account registration and over-zealous phone number searches.

Mind you, when you've just turned down $3 billion in cash from Facebook, slowing anything down probably sounds like a bad idea.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog