Snapchat blurts out the S-word

Filed Under: Data loss, Featured, Vulnerability

Team Snapchat, as it calls itself, has finally used the S-word.

Over Christmas 2013, the selfie-sharing site was confronted with warnings that its "find a friend by phone number" service was open to abuse.

Snapchat wrote off the risk as "theoretical."

We'll assume that Snapchat didn't mean to throw down the gauntlet with its choice of words, but that seems to have been the outcome.

By New Year 2014, the selfie-sharing site was confronted with an online data dump of 4,600,000 usernames and phone numbers, apparently acquired by means of this "theoretical" attack.

→ Fair enough, an attack can't be possible in practice without also being possible in theory, so Snapchat's claim was true. But the phrase "theoretical attack" is a loaded one, typically implying that the attack should be considered highly unlikely.

Clearly, the anti-data-scraping protection Snapchat claimed to have put in place hadn't worked that well.

Nevertheless, the company's curious response was to avoid apologising, suggesting instead that it had as good as closed the door on the attack through smart programming.

(Perhaps it meant that its preventative measures were merely "theoretical"?)

Honour, however, has now been restored, with Snapchat having recently issued a short statement that includes an apology:

This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #.

This update also requires new Snapchatters to verify their phone number before using the Find Friends service.

Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.

From the announcement, it sounds as though you will have to enter a phone number - and verify it, presumably by replying to an SMS or emailing back a registration code - before you can look up other people by phone number.

That seems reasonable, as a way of making you accountable for what you subsequently do with the service.

What's not so reasonable is that if you want your own number to be unsearchable, you have to remember to go and opt out. (Presumably, therefore, everyone is searchable at least briefly, because you can't opt out until after you've handed over your number.)

Theoretically, at least, things really ought to be the other way around, where you subsequently opt in if you want your number to be found by others.

Of course, it would be a little unfair to pick on Snapchat over its choice of opt-out here.

Sadly, opt-out is the direction that online services prefer, at least where permitted by law, and the direction that we collectively seem to have accepted.

, , , ,

You might like

2 Responses to Snapchat blurts out the S-word

  1. anonymous · 600 days ago

    Does this mean that I have to opt-out of a service I don't have and don't want by downloading it,creating an account and then changing security settings? How is this not an invasion of privacy? The business practice behind ransoming my data so that I download a service to opt-out is frustrating to say the least.

    • Andrew Ludgate · 599 days ago

      Not in this case; if you're not using SnapChat, they don't have your info. That was NameTag (facial recognition system) that was gathering info on people who weren't using its service.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog