A security vulnerability in popular photo messaging service Snapchat could allow attackers to locate the phone numbers of many users in a short period of time, according to Gibson Security, a computer security research group.
The researchers published proof-of-concept code that abuses a legitimate feature of the Snapchat API (application programming interface) called “find_friends” to iterate through a large number of phone numbers and match them to Snapchat accounts.
Gibson Security first revealed this vulnerability in August, along with some other issues it found after reverse engineering the Snapchat API, the protocol used by Snapchat clients for Android and iOS to communicate with the company’s servers.
Snapchat is a popular messaging application that also allows users to share photos, videos and drawings. It’s best known for its photo self-destruct feature, where senders can specify a time period of a few seconds after which a picture viewed by the recipient is automatically deleted.
The Gibson Security researchers decided to release two exploits on Dec. 25 for the “find_friends” issue and a separate issue, because according to them, the company failed to fix the problems during the past four months.
The first exploit is a Python script that can iterate through a given set of phone numbers and return Snapchat account and display names associated with any of those numbers.
“We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers),” the researchers said. “We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ — we did the Z’s — in approximately 7 minutes on a gigabyte line on a virtual server.”
The researchers estimate that an attacker could test at least 5,000 numbers per minute.
“In an entire month, you could crunch through as many as 292 million numbers with a single server,” they said. “Add more servers (or otherwise increase your number crunching capabilities) and you can get through a seemingly infinite amount of numbers. It’s unlikely Snapchat’s end would ever be the bottleneck in this, seeing as it’s run on Google App Engine, which (as we all know) is an absolute tank when it comes to handling load.”
“Hopping through the particularly ‘rich’ area codes of America, potential malicious entities could create large databases of phone numbers and corresponding Snapchat accounts in minutes,” the researchers said.
The “find_friends” feature is normally used by the Snapchat apps to help users find their friends by checking if any phone numbers in the their address books match Snapchat accounts. According to the Gibson Security researchers, the solution to prevent this feature from being abused is to enforce rate limiting for API queries.
A second issue identified by the Gibson Security researchers stems from Snapchat’s lax registration requirements, which could allow attackers to register new accounts in bulk through the API. A separate script that can automate this process has been released as well.
Snapchat did not immediately respond to a request for comment.
Internet security experts have implemented a system to alert American consumers when sensitive personal information such as social security numbers and online banking log-in credentials turn up in the hands of cyber criminals.
AllClear ID, an Austin, Texas-based company that provides identity theft protection, is offering the free service with help from the non-profit National Cyber-Forensics and Training Alliance. The NCFTA collects information on identity theft cases from member organizations that include law enforcement agencies, big Internet retailers, banks and computer security companies.
NCFTA members will pass on information about fraud that they suspect, witness or prevent directly to potential victims who sign up for the service from AllClear ID.
Consumers can enroll in the service, which is available over the web as well as through an iPhone app, at www.AllClearID.com.
Google has purchased more than 1,000 patents from IBM, as part of its strategy to strengthen its patent portfolio to counter litigation, according to records of the United States Patent and Trademark Office.
Jim Prosser, a Google spokesman, confirmed the transfer, reported by a blog SEO by the Sea, but did not provide details such as the the purchase price Google paid for the patents.
Google also acquired another over 1,000 patents from IBM in July. It transferred recently some patents to smartphone maker HTC to help it pursue patent litigation against Apple.
Google has been interested in buying patents for some time now, which led to its failed bid in June for the patents of Nortel Networks, and its proposed acquisition of Motorola Mobility for about US$12.5 billion.
The tech world has recently seen an explosion in patent litigation, often involving low-quality software patents, which threatens to stifle innovation, Kent Walker, Google’s senior vice president and general counsel, said in a blog post in April.
“But as things stand today, one of a company’s best defenses against this kind of litigation is (ironically) to have a formidable patent portfolio, as this helps maintain your freedom to develop new products and services,” he added.
The acquisition of Motorola Mobility’s patents was a key consideration for Google to start talking to the company in early July. But Motorola told Google that it could be a problem for Motorola Mobility to continue as a stand-alone entity if it sold a large portion of its patent portfolio, according to a filing by Motorola to the U.S. Securities and Exchange Commission on Tuesday.
Like the patents from the previous patent transaction between Google and IBM, the range of inventions covered in the new set of patents is pretty broad, including desktop and server hardware, computer security, database processes, circuit design, parallel database systems and architecture, user authentication, majority of patents appear to have been originally assigned to IBM, but there were a few that started out at Cognos, which IBM acquired in 2007, and which was merged into IBM’s business intelligence offerings, it added.