FAQ - GibSec

  1. Who are you?
  2. Why Snapchat?
  3. What are you hoping Snapchat will do?
  4. Why do you think Snapchat didn't immediately respond and fix the exploit? (in August or the following months)
  5. Have Snapchat contacted you?
  6. Are these vulnerabilities fixed?
  7. Why should I care? What can someone do with my number anyway?
  8. Does this apply to people only in the U.S?
  9. How do I know if I'm in the leak? What should I do if I'm included in the SnapchatDB leak?
  10. Do you have any affiliation with SnapchatDB?

This FAQ was built: 2014-01-03.1388744057 - we may update it at a later date.

1. Who are you?

  • Gibson Security is a group of 3 security researchers/reverse engineers based in Sydney, Australia.
  • All members are currently students with no formal qualifications.

2. Why Snapchat?

  • Snapchat interested us because we were initially curious about how "snaps" were sent and received, and about the cryptography used (since the app was built around the idea of privacy). Originally it was going to be a private project, but after we discovered the vulnerabilities, we decided to try to contact Snapchat (in August of 2013). When this failed, we thought it was best to publish our research.

3. What are you hoping Snapchat will do?

  • We want Snapchat to take security more seriously. Setting up their [email protected] email, which Snapchat established on 02/01/2014, is a good start.
  • We also hope that Snapchat will closely audit their code base and implement precautionary measures to help prevent issues like this in the future.

4. Why do you think Snapchat didn't immediately respond and fix the exploit? (in August or the following months)

  • We have no idea. Snapchat may have dismissed our findings as theoretical, indicating that they didn't take this vulnerability seriously enough.
  • We have no reason to believe that Snapchat did not know of our findings prior to our disclosures.

5. Have Snapchat contacted you?

  • The only contact we've received from Snapchat was one email from Micah Schaffer (Snapchat's Director of Operations) on 28/12/2013.
  • We replied on the same day, indicating that we'd be glad to help Snapchat out, as several vulnerabilities did, and still do, exist.
  • At the time of writing (03/01/2014), we have yet to hear back from Snapchat.

6. Are these vulnerabilities fixed?

  • There are some counter-measures in place, but there are currently ways to bypass them, as evidenced by the SnapchatDB release.

7. Why should I care? What can someone do with my number anyway?

  • The real names of many users in the leak are contained in the usernames they use for Snapchat.
  • These usernames are often shared on many social media websites such as Instagram and Twitter.
  • In very little time, a malicious entity could cross-link between social media profiles and potentially find out where you live, what you look like, and your full name.
  • A malicious entity could sell that data to companies who would then build profiles on users, potentially (in a worst-case scenario) leading to stalking, or to the data being used in social engineering attacks (potentially yielding yet more data on the users).

8. Does this apply to people only in the U.S?

  • No, the vulnerability can apply to any country, or target a specific person.
  • Due to the North American Numbering Plan, the attackers were able to quickly iterate through the area codes of various states, increasing the severity of the breach.
  • Thankfully, other countries may not follow such rigid and easily iterated numbering patterns, which would make a similar attack harder to carry out outside of the US.

9. How do I know if I'm in the leak? What should I do if I'm included in the SnapchatDB leak?

  • Users can visit our GS Lookup - Snapchat service to confirm or deny whether they were included in the leak.
  • Users may also visit snapcheck.org and Have I Been Pwned? to check, if they would rather not use our service.
  • We wrote some brief information on what to do if you're included on GS Lookup, but the gist of it is:
    • Don't panic! Be calm and collected when dealing with the breach.
    • You can delete your Snapchat account; however, this will not remove your data from the already circulated breach database.
    • Should you feel you'd rather unscrupulous entities not have access to your (partially obscured) phone number, you're free to contact your telco and request a new phone number. (Note: your carrier may charge a fee for this - some do, some don't.)
    • Ensure all of your security and privacy settings are up to scratch on your current social media profiles. Don't share more than you need to. If a site doesn't require your phone number, don't give it to them.

10. Do you have any affiliation with SnapchatDB?

  • We don't know SnapchatDB, nor do we condone their breach and release.
    • For the record, we have never communicated with them, nor have we tried.
  • Whilst we don't condone the breach, we feel that this event should be taken as a wake-up call by Snapchat, hopefully leading them to take security considerably more seriously from now on.