On the Snapchat user info leak/hack
Here’s an attempt to explain what the leak was, what it wasn’t and what it means, without getting carried away.
Following the recent news about Snapchat users’ account info being leaked, I figure it’s worth sifting through the media drama for what appears actually to have happened. It’s not as bad as the headlines make it out to be, though depending on how protective you are of your mobile number and how you chose your username, you might reasonably be concerned.
In case this post propagates further than I intend, readers should be aware that I don’t claim specific expertise in this topic, I have not examined Snapchat myself (except to the extent detailed in an earlier post), and that by training I’m an electrical engineer, not a computer scientist (though I’ve done some work with software). That’s my disclaimer. Obviously I have a reasonable degree of confidence in what I’m about to write, otherwise I wouldn’t be writing it, but I caution against taking any of this as authoritative, and I’ll make technical corrections if alerted to them.
1. Accounts weren’t compromised. The “hack” was just what anyone can do if they have copious amounts of time.
The leak was the association of mobile numbers with usernames. It uses the same mechanism that you can use through the app to add the people in your mobile’s contacts list. When Snapchat “finds” your friends, it just sends your contacts’ numbers to the Snapchat servers, and the servers send back the usernames associated with them. So if you wanted to find out lots of username–number associations, say to build a database of them, you could (as Snapchat admits) just add every phone number in existence to your contacts list, then “find your friends”.
Of course, that would take forever. But if you can figure out how to pretend to be the Snapchat app, then you can write a script to do basically the same thing, much faster. You don’t need to hack anyone’s account to do this (you can just use your own); you just need to figure out how to trick the servers into thinking that you are the app. That’s what Gibson Security figured out how to do: they reverse-engineered Snapchat’s API and figured out the keys that the app uses to “prove” to the server that it is the app. (It should be noted that GibsonSec says they did not mine the data. Someone else did.)
The flaw is not so much that this is possible (finding your friends from their numbers is a legitimate function) as it is that doing it en masse is possible. Snapchat (according to GibsonSec) hasn’t done rate-limiting on its servers for this function, so you can send millions of requests in quick succession. They shouldn’t really allow this—a normal user should never need to ask for so many.
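To make the missing control concrete, here is a sketch of a server-side budget for the friend-finding lookup. It is an added example, not Snapchat's or GibsonSec's code; the handler name, the limit of 1000 numbers per day and the sample directory are assumptions made up for illustration. The budget is counted in phone numbers rather than requests, since one request can carry a whole contacts list.

```python
import time
from collections import defaultdict, deque

class LookupBudget:
    """Per-account sliding-window budget counted in phone numbers, not requests."""
    def __init__(self, max_numbers=1000, window_seconds=86400, clock=time.monotonic):
        self.max_numbers = max_numbers      # assumed limit, tune to real contact-list sizes
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)   # account -> deque of (timestamp, count)
        self._used = defaultdict(int)       # account -> numbers charged inside the window

    def _expire(self, account, now):
        events = self._events[account]
        while events and now - events[0][0] >= self.window:
            _, count = events.popleft()
            self._used[account] -= count

    def allow(self, account, numbers):
        """Charge a batch against the account's budget; False means reject the whole batch."""
        now = self.clock()
        self._expire(account, now)
        cost = len(set(numbers))            # duplicates in one batch are charged once
        if self._used[account] + cost > self.max_numbers:
            return False
        self._events[account].append((now, cost))
        self._used[account] += cost
        return True

def find_friends(budget, directory, account, numbers):
    """Hypothetical lookup handler: returns number -> username only while within budget."""
    if not budget.allow(account, numbers):
        return None                         # caller would answer with HTTP 429
    return {n: directory[n] for n in numbers if n in directory}

def simulate():
    """Constructed data: a normal user syncing contacts vs. a script walking a number range."""
    fake_now = [0.0]
    budget = LookupBudget(max_numbers=1000, window_seconds=86400, clock=lambda: fake_now[0])
    directory = {"+1555010%04d" % i: "user%d" % i for i in range(0, 5000, 7)}
    normal = find_friends(budget, directory, "alice", ["+1555010%04d" % i for i in range(300)])
    served = 0
    for start in range(0, 5000, 500):       # enumeration: 10 batches of 500 sequential numbers
        batch = ["+1555010%04d" % i for i in range(start, start + 500)]
        if find_friends(budget, directory, "scraper", batch) is not None:
            served += 1
    fake_now[0] = 86400.0                   # a day later the window has rolled over
    after_reset = budget.allow("scraper", ["+15550100000"])
    return len(normal), served, after_reset
```

A per-account budget like this only holds if creating new accounts is itself limited; otherwise the same walk can be spread across many accounts.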
But it’s also not the end of the world. Specifically, to my knowledge (and I only know what I have read on the internet and seen on TV), the leak doesn’t involve your real name, passwords, snaps (expired or otherwise), or the ability to use your account without authorisation. At least not yet. But GibsonSec’s disclosure (as far as I can tell) doesn’t give any mechanisms for doing so.
So how bad is it? If you’re private about your mobile number, and one can take a reasonable guess at your username from your identity (not guess your identity from your username—guessing your username is probably harder than it sounds, depending on how you picked it), then you will probably be worried that someone can infer your mobile number. If your username isn’t very guessable, isn’t used anywhere else, or if you don’t care about people knowing your mobile number, it’s probably not such a big deal.
2. If you’re outside America and Canada, you’re probably safe, at least for now.
This is just what they said, here and here. Presumably the leakers were too lazy to check numbers other than North American ones. For example, users with a New Zealand mobile number aren’t affected. But if you want to check if your number was affected by the leak, do so here.
Of course, until Snapchat applies a fix, someone else could come along and run the exercise for other numbers. If you’re paranoid about it, just remove your mobile number from your account in the app (this might involve uninstalling and reinstalling the app). Snapchat doesn’t require your number for the app to work; it just means your friends can’t find you unless you tell them your username or add them first, and when they do it doesn’t associate a display name with you (i.e., lots of inconvenience for your friends and none for you, unless your friends do the same thing). You shouldn’t, in my opinion, feel like you need to delete your account.
When I wrote about Decipher Forensics in May, I criticised them for over-hyping the impressiveness of their claims. No such criticism applies here: Gibson Security’s reverse engineering effort is admirable and their description is reasonably clear. They expressly pinpoint the flaw to a lack of rate-limiting in their disclosure and don’t (as far as I can tell, unlike Decipher) make any unwarranted jumps to conclusions. Also, Snapchat obviously didn’t intend for the secret keys to be found. The keys aren’t user-specific; they’re universal, solely to prevent third parties from pretending to be the app. I presume they’re probably hardcoded into the app somewhere, though I wouldn’t know for sure. Snapchat was perhaps naïve to assume they wouldn’t be found eventually.
But it would help for readers to understand exactly what the “hack” is. Fundamentally, it is the same as adding lots and lots of mobile numbers to your phone and finding all those “friends” on Snapchat—the hackers just found a more efficient way to do it. You should judge the severity of the breach on that basis.