HOME     MENU     SEARCH     NEWSLETTER    
NEWS & INFORMATION FOR TECHNOLOGY PURCHASERS. UPDATED 11 MINUTES AGO.
You are here: Home / Network Security / Snapchat Will Update Vulnerable App
Build Apps 5x Faster
For Half the Cost Enterprise Cloud Computing
On Force.com
Snapchat Will Update Vulnerable App
Snapchat Will Update Vulnerable App
By Barry Levine / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
JANUARY
03
2014

Following news that as many as 4.6 million usernames and phone numbers were captured on its site and posted on the Web, social video company Snapchat said late Thursday it will release a new version of the vulnerable app. The company’s response to the breach raises more questions about how prepared businesses are to deal with such leakages of their confidential info, which are becoming more common.

The company has come under heavy criticism for its relatively slow response to addressing the problem, especially since the security group that discovered the flaw, Sydney, Australia-based Gibson Security, first reported it in August. A follow-up warning was published on Christmas Eve. Some of the criticism has been directed at Snapchat’s lack of apology for ignoring the warnings.

In its initial announcement in August, Gibson Security noted that the data obtained from the Snapchat vulnerability “could hypothetically be used to stalk” users, or it could be sold to companies that use the data in conjunction with other databases to create a more complete confidential data profile of users.

Encouraging Users to Find Friends

In a posting Thursday on its official blog, Snapchat noted that it first implemented Find Friends in the early days of the company, in order to encourage people to find other friends using the service. With the optional Find Friends, a user can enter a phone number into a profile, allowing offline friends to find the Snapchat username through the number.

Last Friday, Snapchat acknowledged the vulnerability that Global Security had highlighted. An attacker could upload a large number of random phone numbers, such as from a phone book, and then acquire large numbers of matching Snapchat usernames.

That’s exactly what happened on New Year's Eve, when a hacker or a group calling itself SnapchatDB! posted a database of phone numbers, usernames and the users’ regions. Snapchat said no other data was compromised. The hacker was apparently trying to operate at least partially in “white hat” warning mode, blocking out the last two digits of each phone number. But the posted database also contains the offer for anyone to submit an email to request the unredacted phone numbers, which would be considered “under certain circumstances.”

‘Reluctant at Patching the Exploit’

The information, SnapchatDB! said on the site, “is being shared with the public to raise awareness on the issue.” It added that Snapchat was “too reluctant at patching the exploit until they knew it was too late.” Gibson Security has said it has no connection to the hackers, and the company has criticized the posting of the user data. Gibson has also published a tool on its site so that users can find out if they’re in the purloined database.

As SnapchatDB! has pointed out, people tend to employ the same usernames on various sites, so the usernames could probably be found on Facebook, Twitter or elsewhere as well.

In its posting Thursday, Snapchat said it will be releasing an updated version of Find Friends that allows “Snapchatters to opt out of appearing in Find Friends after they have verified their phone number," and there will now be improvements to “rate limiting and other restrictions to address future attempts to abuse our service.”

The Underside of BYOD

Rate limiting sets limits to the numbers of usernames that can be obtained through this feature. The other restrictions are unspecified, and the timetable for the fixes was not announced. Additionally, the company posted an email address for security experts to post any newly discovered vulnerabilities.

Snapchat’s adventures in security issues follows the recent hacking of Microsoft’s Skype and the information theft of millions of credit cards from Target. While Snapchat is exclusively a consumer app, the age of bring-your-own-device (BYOD) could mean that consumer security issues are business security issues as well.

Charles King, an analyst with industry research film Pund-IT, told us that Snapchat-like vulnerabilities are the underside of the BYOD proposition -- that companies “allow employees to use the tools they want to,” in order to be “maximally productive.”

But that means the consumer or business tools are vulnerable. King said that if he ran an IT department, he “certainly would” be concerned about this issue, but that aside from educating employees about the vulnerabilities and cautioning them to be aware, the only long-term solution might be implementing separate business and personal workspaces on mobile devices, such as the solutions Blackberry and VMware offer.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
ISACA® offers a global community of more than 115,000 IS/IT constituents in over 180 countries. We develop and deliver industry-leading certifications, education, research and business frameworks. We equip individuals to be leaders in the fast-changing world of information systems and IT - Learn More>
MORE IN NETWORK SECURITY
Product Information and Resources for Technology You Can Use To Boost Your Business

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.