Snapchat's Security Vulnerabilities Fail to Disappear
If only Snapchat’s security problems would vanish as quickly as its self-destructing messages. Alas, fans of the ephemeral photo-sharing service found out this week that there’s no self-destruct button for their Snapchat data once it has leaked online.
An anonymous hacker on Tuesday published a database on SnapchatDB.info containing millions of usernames and their corresponding phone numbers, and the leaked information quickly ricocheted across the Web. The situation comes as little surprise to anyone who has been following the company. For months, security experts at an Australian outfit called Gibson Security have been warning about Snapchat’s vulnerabilities. Here’s a nugget from a report published in August:
“Using our Snapchat API implementation, someone could save media sent to them … and as we recently found, build a database of Snapchat usernames and phone numbers, connecting names to aliases easily, and with further work connecting social media accounts to entries.”
In recent days, executives at Gibson Security have hastened to note that they were not involved in the leak. “We know nothing about SnapchatDB, but it was a matter of time til something like that happened,” the company wrote on Twitter.
So far Snapchat’s founders, as is their custom, have taken a subdued approach in responding to the warnings. “Over the past year we’ve implemented various safeguards,” the company posted on its website last week. “We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
For now, Snapchat’s founders can take some solace that the leak could have been much more damaging. “These aren’t credit card numbers, and these aren’t social security numbers—they’re phone numbers,” privacy expert Bob Sullivan told the Wall Street Journal. “This is far from ideal, but not the worst thing that could happen.”
Still, the leak poses a uniquely significant risk for Snapchat. Social media users tend to like the service in large part because its self-destructing messages make it feel like a fun, safe haven for communicating with friends—a refuge, that is, from data-hoarding sites such as Facebook and Twitter, where every utterance has the feeling of permanency. The danger for Snapchat is that leaks like this one inevitably chip away at that all-important sense of safety.
Since the dawn of Snapchat, numerous third parties have exposed various ways to undermine the service’s self-destructing mechanisms and to retrieve the supposedly dissolved messages. “To make something self-destruct for real is very difficult,” security expert Nico Sell told us last year. “I would say Snapchat only offers the illusion of self-destruction.”
To date, the pretense of security has been enough for Snapchat to retain its passionate users and attract lots and lots of new ones. The question is: How many more security breaches like this one can Snapchat survive before its customers finally lose their illusion?