Snapchat is largely dismissing claims that its built-in friend-finding feature could be used by hackers to discover users' phone numbers. A security group detailed the potential exploit in August, explaining that by uploading enough phone numbers through Snapchat's address-book-lookup tool, a hacker could eventually find the phone number belonging to any person whose username they knew within the app. From there, the hacker might be able to stalk or harass that person, or simply sell the information to advertisers and spammers for targeting.
Gibson Security says the exploit could check 10,000 numbers in 7 minutes
Though it was allegedly alerted to the potential issue, Snapchat didn't respond until today — two days after the discovering research group, Gibson Security, published details of the app's private API, exposing how the exploit could be accomplished. Using this method, Gibson Security says that a hacker could check 10,000 phone numbers in just seven minutes. As its researchers put it, that amounts to "an entire sub-range in the American number format," meaning that out of "(XXX) YYY-ZZZZ — we did the Z's": every one of the 10,000 possible values of the final four digits for a single area code and exchange. With additional work, Gibson Security believes the rate could go as high as 5,000 numbers in a single minute. Fixing it may not be a huge ordeal, however, as the group says Snapchat could potentially resolve the problem just by limiting how frequently an account can attempt to match phone numbers against usernames.
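The enumeration Gibson Security describes, and the throttling fix the article mentions, as an added example in Python. It runs against a mock lookup service written for this page, not Snapchat's API; the directory, account names, phone numbers and quota values are all constructed. The attacker walks the ZZZZ digits of one area code and exchange in batches, the way the article describes, and the same walk is then repeated against a service that caps how many numbers an account may match per window.

```python
"""Mock of bulk address-book lookup being used as a reverse phone-number lookup,
and of a per-account lookup quota as a mitigation. Example code for this page;
not Snapchat's implementation. All data below is constructed."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data: the "(XXX) YYY" part the attacker holds fixed, and the
# phone -> username directory the mock service consults. Not real accounts.
AREA_EXCHANGE = "555123"
DIRECTORY: Dict[str, str] = {
    "5551230042": "alice_example",
    "5551237777": "bob_example",
    "5551239999": "carol_example",
}


class RateLimited(Exception):
    """Raised by the mock service when an account exhausts its lookup budget."""


@dataclass
class FindFriendsService:
    """Address-book matching: the client uploads numbers, the server returns usernames.

    max_lookups_per_window=None reproduces the unthrottled behaviour described in
    the article. A finite value models the simple fix the article mentions: a
    per-account cap on how many numbers can be matched within one window.
    (Window expiry is omitted; one window is enough to show the effect.)
    """
    directory: Dict[str, str]
    max_lookups_per_window: Optional[int] = None
    _used: Dict[str, int] = field(default_factory=dict)

    def lookup(self, account: str, numbers: List[str]) -> Dict[str, str]:
        used = self._used.get(account, 0)
        if (self.max_lookups_per_window is not None
                and used + len(numbers) > self.max_lookups_per_window):
            raise RateLimited(
                f"{account} exceeded {self.max_lookups_per_window} lookups this window")
        self._used[account] = used + len(numbers)
        # Only numbers that belong to a registered user come back with a username.
        return {n: self.directory[n] for n in numbers if n in self.directory}


def subrange(prefix: str) -> Iterable[str]:
    """All 10,000 numbers sharing one area code and exchange: prefix + 0000..9999."""
    return (f"{prefix}{z:04d}" for z in range(10_000))


def batched(items: Iterable[str], size: int) -> Iterable[List[str]]:
    """Split an iterable into lists of at most `size` items (the per-request upload)."""
    it = iter(items)
    while chunk := list(itertools.islice(it, size)):
        yield chunk


def reverse_lookup(service: FindFriendsService, account: str, target_username: str,
                   prefix: str, batch_size: int = 100) -> Tuple[Optional[str], int]:
    """Enumerate a sub-range through the lookup API until target_username appears.

    Returns (phone or None, numbers_checked). Stops as soon as the service throttles,
    so numbers_checked also measures how much of the range an account could cover.
    """
    checked = 0
    for batch in batched(subrange(prefix), batch_size):
        try:
            matches = service.lookup(account, batch)
        except RateLimited:
            return None, checked
        checked += len(batch)
        for phone, username in matches.items():
            if username == target_username:
                return phone, checked
    return None, checked


if __name__ == "__main__":
    open_service = FindFriendsService(DIRECTORY)
    print("unthrottled:", reverse_lookup(open_service, "attacker", "bob_example", AREA_EXCHANGE))
    throttled = FindFriendsService(DIRECTORY, max_lookups_per_window=500)
    print("throttled:  ", reverse_lookup(throttled, "attacker", "bob_example", AREA_EXCHANGE))
```

Against the unthrottled mock the whole 10,000-number block is searchable and the target's number falls out after 7,800 lookups; with a 500-lookup window the same account is cut off after five batches and never reaches it. The quota bounds coverage rather than preventing hits outright: a target whose number happens to sit in the first few hundred values is still found, which is why a real fix would also want the window to be small relative to the size of the number space and to apply across accounts controlled by one party.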
In a blog post today, Snapchat says that it has added some measures to prevent such exploits, though it doesn't detail what. It even acknowledges that the exploit is possible, though it downplays how likely it is that someone would actually carry it out. "Theoretically, if someone were able [to] upload a huge set of phone numbers, like every number in an area code, or every possible number in the US, they could create a database of the results and match usernames to phone numbers that way," Snapchat writes.
Snapchat also expresses some displeasure at Gibson Security's decision to publish details of the exploit, rather than working with it on a solution. "We are grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us," Snapchat writes. Presumably, Gibson Security isn't one of those — though the research group appears equally displeased with Snapchat's inaction. "Maybe [Snapchat CEO] Evan Spiegel will fix it when someone finds his phone number via this?" the researchers write.
Looking up users by their address book isn't a feature that's unique to Snapchat — and it's a feature that's come under fire in other apps over security concerns before. In this case, it's unclear whether Snapchat is alone in failing to prevent this reverse phone-number-lookup exploit, or if Gibson has only tested Snapchat. For now, Snapchat isn't saying whether it actually updated its app to address the problem at hand, but it's making it clear that it believes it's a nonissue.