Press Release - Gibson Security

Snapchat Security Foiled, Massive Data Leak Found

Sydney, Australia - 08/27/2013 (MM/DD/YYYY)

Computer security group Gibson Security have released several severe vulnerabilities for the Snapchat application in their first e-zine, as well as information found about future advertising/monetization of the application.

Of the vulnerabilities released, an exploit was found in the Snapchat “Find Friends” function, allowing someone to easily create a database of the usernames and phone numbers of users of the Snapchat application, in a small timeframe, using phone numbers automatically provided to the app.

This vulnerability could hypothetically be used to stalk members of society, such as public figures or the data could even be sold to various firms, with the intent of using it and other data to connect online profiles to people in real life.

Another vulnerability Gibson Security released was a DoS (Denial of Service) exploit, which can be used to make the Snapchat application unusable, or even the host device the applications executed on.

Gibson Security also released details on the insecure methods Snapchat use to store and send media via its service. With publicly available libraries, one can decrypt and encrypt media for the service.

To tie the release together, Gibson Security also released information found in the Snapchat application that hints heavily at a new feature for native advertising, which Snapchat CEO Evan Spiegel has been hinting at to generate revenue. This released information was from new additions to the code of the Snapchat application with its recent update.

The updated Snapchat application contains code which when executed was discovered to show a persistent notification (displayed in a similar form to media notifications) that would only hide when a displayed URL was opened (by double clicking) in the user’s native browser, leading Gibson Security to believe it will be used for service-wide notifications and advertising.

Gibson Security is a computer security group with interests in mobile application reverse engineering.

Contact:
[email protected]
@gibsonsec (twitter)

Visit gibsonsec.org for the unadulterated release and images to match.