Sunday, January 5, 2014

What Snapchat's hacking reveals

Even as Snapchat has become the latest internet darling, daring to reject multi-billion dollar acquisition deals, the young company has masked what some consider to be a dirty little secret: Its security may not be all that different from that of other big messaging services.

That secret was laid bare when a group of security researchers exploited a weakness in Snapchat's systems to snag and post usernames and telephone numbers for 4.6 million Snapchat users.

Snapchat has long marketed itself as a private and more secure alternative to services like Facebook and its subsidiary Instagram. The app lets users send photo and video messages that disappear once they are viewed. That self-destruct feature initially gave the app a reputation as a favorite tool for so-called sexters, or those who send sexually suggestive photos of themselves, but eventually it went mainstream.

As of September, Snapchat's users were sending 350 million photos a day, up from 200 million in June. The company continues to hire, has moved to a large, custom-designed office in Venice Beach, Calif., and is well-funded, recently adding $50 million in venture capital funding.

But researchers have long criticized Snapchat, saying it provides a false sense of security. They say the app's disappearing act is illusory. Behind the scenes, Snapchat stores information about its users in a database, similar to data storage at other big Internet companies.

On Wednesday, security researchers posted the usernames and phone numbers on a site called SnapchatDB.info and made the data available for download. Included in the data dump was information on Snapchat's co-founder Evan Spiegel.

In an email, the researchers said they were able to snag the data through a vulnerability identified by Gibson Security, a company that privately notified Snapchat of the hole in its system, then, after the notice was ignored, posted the vulnerability online on Christmas Eve.

The hole was later patched. SnapchatDB.info's researchers said they posted the information because Snapchat was too slow to respond.

In an email, the security researchers behind SnapchatDB.info said they were able to grab Snapchat's user data from its servers, where it had been stored in clear text.

In an email, one researcher said the data was not being encrypted or "hashed" to make it difficult for hackers to piece together.

"They hadn't even implemented rate limiting," the researcher said.

Rate limiting is a measure to protect against website abuse. It caps the number of actions, such as login requests or lookups, that a website will process from a given client in a given period of time, to prevent abuse and so-called brute force cyberattacks, in which a hacker tries various combinations of usernames and passwords until access is gained.
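The two defenses the researchers say were missing, hashing of the stored data and rate limiting of the lookup endpoint, can be shown together in a small simulation. The following is an added example written for this article; it is not Snapchat's code, and the class names, the `SERVER_KEY` value, the batch cap and the sample directory are all constructed for the demonstration. The phone-number index stores only a keyed hash (HMAC-SHA256 under a server-side secret) rather than clear-text numbers, and each client's lookups pass through a sliding-window rate limiter, so a dumped index cannot be mapped back to numbers without the key and a single client cannot query "as fast as the connection allows."

```python
import hashlib
import hmac
import time
from collections import deque

# Constructed demo key. In a real deployment this secret comes from a secrets
# store and is never checked into source control.
SERVER_KEY = b"constructed-demo-key-not-for-production"

MAX_BATCH = 50  # assumed per-request cap on numbers submitted for matching


def normalize(phone: str) -> str:
    """Keep digits only so '+1 555 0100' and '15550100' match the same record."""
    return "".join(ch for ch in phone if ch.isdigit())


def phone_token(phone: str) -> str:
    """Keyed hash (HMAC-SHA256) of a phone number.

    A plain SHA-256 of a 10-digit number is reversible by hashing every
    candidate number, so the hash is keyed with a server-side secret; without
    SERVER_KEY a dumped index cannot be mapped back to phone numbers.
    """
    return hmac.new(SERVER_KEY, normalize(phone).encode(), hashlib.sha256).hexdigest()


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per client."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}  # client_id -> deque of timestamps inside the window

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        q = self.hits.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FindFriendsService:
    """Phone-number to username matching over a keyed index, with request throttling."""

    def __init__(self, directory: dict, limiter: RateLimiter):
        # Only keyed tokens are kept; the clear-text numbers are discarded here.
        self.index = {phone_token(p): user for p, user in directory.items()}
        self.limiter = limiter

    def lookup(self, client_id: str, phones: list) -> dict:
        if len(phones) > MAX_BATCH:          # one request cannot carry a whole area code
            return {"error": "batch_too_large"}
        if not self.limiter.allow(client_id):  # too many requests in the window
            return {"error": "rate_limited"}
        return {p: self.index[phone_token(p)] for p in phones if phone_token(p) in self.index}


class FakeClock:
    """Deterministic clock so throttling can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Run a client into the limit, then show it recovers once the window has passed."""
    directory = {"+1 555 0100": "alice", "+1 555 0101": "bob"}  # constructed sample data
    clock = FakeClock()
    svc = FindFriendsService(directory, RateLimiter(limit=3, window=60, clock=clock))
    results = [svc.lookup("client-a", ["+1 555 0100"]) for _ in range(4)]
    clock.now += 61  # advance past the window; the client is allowed again
    results.append(svc.lookup("client-a", ["15550101"]))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running the script prints three successful matches for `alice`, a `rate_limited` error on the fourth call, and a match for `bob` once the window has elapsed. The keyed hash is a design choice worth noting: because the space of phone numbers is small, an unkeyed hash would offer little more protection than clear text, so the secret key, not the hash function, is what keeps a leaked index from being reversed.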

"We were able to query for the information as fast as our connection allowed us to," the researchers added. "Our main goal is to raise public awareness on how reckless many Internet companies are with user information."

SnapchatDB.info's researchers said that to protect affected users, they redacted the last two digits of phone numbers but would consider handing over the data in aggregate.

On Thursday afternoon, Snapchat addressed the leak as a malicious hack.

"On New Year's Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks," the company said in a blog post.

Snapchat said it would release an updated version of its application that would allow users to opt out of the function that lets people search for friends using their phone numbers. The company said it was working to prevent "future attempts to abuse our service."

Snapchat sought to reassure users that it had adopted measures that would prevent spam and abuse.

"We don't display the phone numbers to other users and we don't support the ability to look up phone numbers based on someone's username," wrote the company. "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way," the company wrote.

On the evening of Jan. 1, Spiegel, the company's chief executive, posted a Twitter message saying that the company was "working with law enforcement" on the breach and would "update when we can."

The company sent a link to its Thursday blog post in response to a request for an interview.

The researchers said they wanted to pressure Snapchat to fix the security vulnerability: "It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does."

The leak could be a boon for competitive apps like Wickr, which also allows users to send self-destructing video and text messages and documents.

In a presentation at Defcon, the annual hacker conference, Stroz Friedberg, an electronic discovery company, did a head-to-head analysis of Wickr, Facebook's Poke app and Snapchat. The company found that it was able to pull sensitive data from both Facebook's app and Snapchat's but not Wickr's.

On Snapchat for Android, Stroz Friedberg's researchers found that images could be saved unopened to the phone and that the app permanently deleted a series of images only after the last one was viewed.

While they were unable to do the same for Snapchat messages exchanged through Apple's iOS operating system, they were able to pull metadata - such as the time a photo was sent and received as well as the identity of the sender and receiver - from iPhones running iOS 5 and 6.

Wickr co-founder Nico Sell says that unlike Facebook and Snapchat, Wickr was designed to be a "zero knowledge system." It does not store user data on its servers.

"I know just like you do that a database is impossible to protect," Sell said in an interview Thursday. "The only way to be secure from criminals and attackers is not to hold anything."

"People don't realize they are giving away ownership when they use these other apps," she added.

The researchers who exposed the security hole said that they considered the leak "a success, as our intention was to raise public awareness" about Snapchat's security weaknesses.

Snapchat was not the only service to face security questions.

On Wednesday, the same day Snapchat user data was leaked, Skype's social media accounts were hacked by people claiming to be part of the Syrian Electronic Army. The company said no user information was compromised.
