
Snapchat Users' Phone Numbers Exposed To Hackers

timothy posted about 10 months ago | from the take-a-memo-it'll-last-longer dept.

Privacy 69

beaverdownunder writes with an extract from The Guardian, based on a security disclosure from Gibson Security: "Snapchat users' phone numbers may be exposed to hackers due to an unresolved security vulnerability, according to a new report released by a group of Australian hackers. Snapchat is a social media program that allows users to send pictures to each other that disappear within 10 seconds. Users can create profiles with detailed personal information and add friends that can view the photos a user shares. But Gibson Security, a group of anonymous hackers from Australia, has published a new report with detailed coding that they say shows how a vulnerability can be exploited to reveal phone numbers of users, as well as their privacy settings." Snapchat downplays the significance of the hole.


69 comments


Why in God's name... (0)

Anonymous Coward | about 10 months ago | (#45808497)

... would anyone give their real phone number to anyone who doesn't need it? I don't argue when a merchant asks for my phone number -- I just give them what they want. So any marketers who call me get to peddle their wares to whoever answers the pay phone at the Chevron station at the corner of Who-the-hell-knows St. and Nowhere-in-particular Ave., Seattle, Washington.

Re:Why in God's name... (4, Informative)

mstra (38238) | about 10 months ago | (#45808507)

Not defending it, but the way Snapchat works is that you find your "friends" based on their phone number. Not amazingly brilliant, but that's why.

Re:Why in God's name... (-1)

Anonymous Coward | about 10 months ago | (#45810009)

I'm "friends" with ur mom. you know what I mean. snapchat.

Re:Why in God's name... (3, Interesting)

Anonymous Coward | about 10 months ago | (#45808615)

Especially when they basically have lied about the photos being deleted [theguardian.com] .

Re:Why in God's name... (1)

Warhawke (1312723) | about 10 months ago | (#45814547)

They are deleted the same way that any normal OS deletes a photo -- removing the reference information from the drive header, thus marking the bits the data occupies as safe for rewriting. Until the bits are written over, the file remains intact. There's nothing at all disingenuous about stating the photos are deleted. Perhaps they aren't subject to a null-0 or random data string erasure, but the file is still, by all general computing definitions, deleted. Or do you think that pressing the delete key makes the file on your computer also disappear forever?

Re:Why in God's name... (1)

mwvdlee (775178) | about 10 months ago | (#45836951)

Except they're not deleted like in a filesystem either.

According to GP's link, they merely get a ".nomedia" suffix, which stops Android from recognizing it. The file is still there, it takes up diskspace, is not going to be overwritten, they can be handled as normal files and renaming the files to remove the suffix restores it completely.

Re:Why in God's name... (1)

Warhawke (1312723) | about 10 months ago | (#45840291)

That may have been true several versions ago, but it isn't true now. Just tried a forensic analysis on my rooted device and it did not recover any .nomedia files (other than ones I had placed in there for other programs). Yes, the data still remains on the drive, but it functions the exact same way as deleting a file using a file manager. The reason forensic analysis is able to recover the data is not because it is readily accessible on the drive but because the actual file information persists on the disk. From the third-to-last paragraph of the article:

The reality is that it is notoriously difficult to remove data from mobile devices simply because of the way data is stored using the 'wear levelling' technique. Since mobile devices are so regularly recycled for newer versions, this means that Snapchat photos that users believe no longer exist may be passed on to unknown third parties, and could be retrieved with forensic software.

Re:Why in God's name... (0)

Anonymous Coward | about 10 months ago | (#45808649)

You still have pay phones in the Seattle area? Darn, I didn't think there were any of those left in areas with cell reception. There is an area near Lassen Volcanic National Park in CA that has no reception where I see a pay phone or two, But in a metropolitan area? Wow, how 1980s...

Re:Why in God's name... (0)

Anonymous Coward | about 10 months ago | (#45812997)

Because most of the people who use it are idiot children.

LOL (0)

Anonymous Coward | about 10 months ago | (#45808503)

But they're going to keep your info safe from the NSA!!! LOLOLOLOLOL!!!

Stupid fucking hipsters and brogrammers.

Assume every service is compromised (0)

Anonymous Coward | about 10 months ago | (#45808509)

What do you do next, hotshot?

Re:Assume every service is compromised (0)

Anonymous Coward | about 10 months ago | (#45808583)

Shoot the hostage.

Then Snapchat a pic of the corpse.

Re: Assume every service is compromised (0)

Anonymous Coward | about 10 months ago | (#45808899)

Write it myself.

Dumb people (2, Insightful)

DogDude (805747) | about 10 months ago | (#45808521)

People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.

Re:Dumb people (1)

blue trane (110704) | about 10 months ago | (#45808651)

Yes, security through obscurity is the best way.

Re:Dumb people (1)

DogDude (805747) | about 10 months ago | (#45808657)

It works well for telephone numbers.

Re:Dumb people (1)

Anonymous Coward | about 10 months ago | (#45808949)

You sure? [xkcd.com]

Re:Dumb people (0)

Anonymous Coward | about 10 months ago | (#45808661)

A lot of similar apps don't explicitly state the fact they're using your phone number. Some might mention it's used in order to contact your friends, but your average user might not connect the dots. They might not be tech geniuses, but they're not purposely just handing out their numbers either.

Re:Dumb people (2)

vlueboy (1799360) | about 10 months ago | (#45809065)

People who give out their phone number to random Internet "services" that they are not customers of quite frankly deserve to be assaulted by telemarketers at all hours.

You really think it's their fault? Common sense has never been too strong when compared to the status quo, and people follow the lead. Thankfully, that helped us win some battles in the past. After all, people now know about Firefox and Ubuntu without being geeks themselves, because they followed a geek trend that eventually became mainstream.

But trends are exactly what all big and small companies are following now. You can't sign up to Yahoo, Hotmail or Gmail without being asked for a cellphone number. Since that is so normal, Facebook, Whatsapp and probably many others I haven't been asked to help with, are already making it a norm. My mother is mad that her FB App autofills her number on the login screen.

Since it has become the norm to be asked, people sooner or later give in. Or didn't most of us realize that RealName started out just like this, and yet few non-geeks ever obfuscate it on their Facebook and G+ profiles?
Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.

Funny thought: Phone numbers are nothing --they're in the phonebook after all...
a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.

Re:Dumb people (1)

vlueboy (1799360) | about 10 months ago | (#45809081)

Ultimately, the wise man is he who follows common sense despite trends, percentages and friendly pressures. But online nobody is truly wise with the NSA listening in.

Funny thought: Phone numbers are nothing --they're in the phonebook after all...
a really bad day for the web is the day some Dark Snowden comes to release some exploit with even a percent of the treasure trove of data that governments themselves have at their disposal.

Replying to myself:
We need to coin a new Godwin's type of law
How quickly can we bring up NSA-like involvement in some random online thread?
I dub thee "Snowden's Law"

Re:Dumb people (0)

Anonymous Coward | about 10 months ago | (#45809993)

Replying to myself: We need to coin a new Godwin's type of law How quickly can we bring up NSA-like involvement in some random online thread? I dub thee "Snowden's Law"

Except, Hitler is dead. The NSA lives.

Re:Dumb people (1)

aaronb1138 (2035478) | about 10 months ago | (#45810653)

Arguably, the NSA has hurt 5-7 orders of magnitude fewer innocents than Hitler.

I would even venture to say that like proposed large scale E85 adoption in L.A., Snowden has likely caused more unwarranted innocent deaths (via stress; i.e. heart attacks and blood pressure, arguments, fear, paranoia) than the NSA has previously per any equal time period.

Peeping toms (in the traditional sense) don't result in another person feeling genuinely raped. The Snowden/NSA is just public voyeurism about institutional voyeurism. One big circle jerk of the ignorant, where everyone gets off, but they all feel let down because that was the only way they could get off when they rather have a partner.

Re:Dumb people (1)

PlusFiveTroll (754249) | about 10 months ago | (#45812123)

I would venture to say that you cannot make any assumption from hidden information. The NSA holds almost all the information on what they have done and who they have given information to. You, on the other hand, don't know jack shit about what the NSA does, well other then monitoring most of the worlds communications. Therefore you are jerking it just as hard as everyone else in the circle.

Re:Dumb people (1)

mwvdlee (775178) | about 10 months ago | (#45836959)

Just like you giving out your email address to subscribe to Slashdot (which does not make you a customer) makes you deserving of spam?

Snapchat... Yeah... (0)

Frosty Piss (770223) | about 10 months ago | (#45808569)

OK, doesn't concern me.

The Prison Niggers (-1)

Anonymous Coward | about 10 months ago | (#45808677)

Beware,wimpy white man. The Prison Niggers' elite hacking team can see the pictures you took of your clean, tight little white butthole -- and when that happens, they will destroy that cute little white butthole.

The Prison Niggers are the biggest and meanest prison gang in California and parts of New york. I knew a scrawny, pasty-faced white boy who took a lot of Snapchat pictures of his anus because he happened to have a girlfriend who had a fetish for the anuses of straight and dorky white men.

And whoa, boy, once the Prison Niggers hacked that guy's Snapchat, it was like catnip to them. Not only did they want more, but they must have more, so they used their freedmen contacts on the outside to throw a potato-sack over the hapless little white man, kidnapping him and gaping his poor lil' ol' rear end to Goatse proportions.

All that happened because a scrawny little white man thought he was smarter than the Prison Niggers, that the Snapchat "hack" was some nagging non-issue within his safe middle-class suburban house. Well, hoss, you got that all wrong now.

Re:The Prison Niggers (0)

Anonymous Coward | about 10 months ago | (#45808783)

How do you know that the parent isn't into big fat black hose up the ass?

The Trailer Trash Crackers. Ain't Trolling Fun? (0)

Anonymous Coward | about 10 months ago | (#45810967)

Beware,African American male. The Trailer Trash Crackers' elite hacking team can see the pictures you took of your clean, tight little black butthole -- and when that happens, they will destroy that cute little black butthole.

The Trailer Trash Crackers are the biggest and meanest prison gang in all parts of the US, mainly the deep south. I knew a scrawny, African American boy who took a lot of Snapchat pictures of his anus because he happened to have a girlfriend who had a fetish for the anuses of straight and dorky African American men.

And whoa, boy, once the Trailer Trash Crackers hacked that guy's Snapchat, it was like catnip to them. Not only did they want more, but they must have more, so they used their freedmen contacts on the outside to throw a potato-sack over the hapless little African American man, kidnapping him and gaping his poor lil' ol' rear end to Goatse proportions.

All that happened because a scrawny little white man thought he was smarter than the Prison Niggers, that the Snapchat "hack" was some nagging non-issue within his safe middle-class suburban house. Well, hoss, you got that all wrong now.

Re:Snapchat... Yeah... (0)

Anonymous Coward | about 10 months ago | (#45808849)

THANK GOODNESS.

I was on edge all day today, wondering whether this concerned you.

Now that I have my answer, I can reset easy tonight.

Re:Snapchat... Yeah... (2, Funny)

Frosty Piss (770223) | about 10 months ago | (#45808929)

THANK GOODNESS.

I was on edge all day today, wondering whether this concerned you.

Now that I have my answer, I can reset easy tonight.

You're welcome! I try! Sorry to stress you out, if only I had your phone number, I could keep you more up to date.

Re:Snapchat... Yeah... (0)

game kid (805301) | about 10 months ago | (#45809147)

Just make sure to save all documents and flush all cache to your disks before resetting.

867-5309 (1)

Joe_Dragon (2206452) | about 10 months ago | (#45808589)

just dial any area code.

Re:867-5309 (1)

istartedi (132515) | about 10 months ago | (#45809055)

I don't want to think too much about how many people on Slashdot will not get that reference [youtube.com] .

Re:867-5309 (0)

Anonymous Coward | about 10 months ago | (#45809109)

Funny thing is Tommy Two Tone is now a computer programmer. He may even read /. now!

Re:867-5309 (1)

EETech1 (1179269) | about 10 months ago | (#45809127)

Jenny!!!

Is that you?

Re:867-5309 (1)

gmhowell (26755) | about 10 months ago | (#45816873)

Sorry, you've got a wrong number; this is Stacy's Mom.

"due to an unresolved security vulnerability" (1)

rmdingler (1955220) | about 10 months ago | (#45808595)

Sure. In exactly the same fashion as unintended casualties are collateral damage.

This is verbiage of the initial Target press release. It sounds like my government talking to me.

Re:"due to an unresolved security vulnerability" (1)

Nyder (754090) | about 10 months ago | (#45808597)

Sure. In exactly the same fashion as unintended casualties are collateral damage.

This is verbiage of the initial Target press release. It sounds like my government talking to me.

They probably hired the same PR firm.

Re:"due to an unresolved security vulnerability" (1)

rmdingler (1955220) | about 10 months ago | (#45808773)

Probably, unless they are now fungible....

I love that term. Previously, I described the identical phenomenon with "Six of one or half a dozen".

Snapchat is right (1, Insightful)

murdocj (543661) | about 10 months ago | (#45808619)

This is a non-issue.
Guess what, there are these big books that list names and the associated phone numbers.

Re:Snapchat is right (1)

Anonymous Coward | about 10 months ago | (#45808633)

What is a non-issue? That their claims of protecting your phone number aren't actually true? That seems to only be a "non-issue" if you're on their payroll.

Re:Snapchat is right (1)

murdocj (543661) | about 10 months ago | (#45808647)

You mean that you can use the snapchat feature to see if a particular phone number is associated with a snapchat user? It's not like someone is hacking into their database and extracting a list of users. The "hack" is doing an upload of every possible phone number and seeing if there are any hits.

Re:Snapchat is right (1)

Kalriath (849904) | about 10 months ago | (#45821663)

... in the same way as reading the entire phone book to see which numbers belong to people is a "vulnerability" in the telco industry.

Re:Snapchat is right (1)

Anonymous Coward | about 10 months ago | (#45808701)

Those books, do they also contain pink pictures of the persons behind the numbers? Where can I get them?

Re:Snapchat is right (1)

murdocj (543661) | about 10 months ago | (#45808735)

There are these things called facebook and google that pretty much can get you anything that anyone has stored on the system of tubes.

Re:Snapchat is right (0)

Anonymous Coward | about 10 months ago | (#45808747)

Yes, the things that people have publicly decided to share. Not things that they are told are not being shared with the public at large.

Re:Snapchat is right (0)

Anonymous Coward | about 10 months ago | (#45808867)

Heard of them. Would never store anything there. Have never input any information into any of them.

Snapchat, phone numbers?! (0)

Anonymous Coward | about 10 months ago | (#45808693)

Who the fuck would put their real phone number in to some random application like Snapchat?

Seriously... Dumb much?

It's funny to watch the "normals" go through the idiocy we geeks saw 30 years ago.

Re:Snapchat, phone numbers?! (1)

masterofthumbs (2881445) | about 10 months ago | (#45837419)

Considering the application runs on your phone, it pulls the number from the phone automatically. You also need to log into the application using a username and password so the phone number isn't used for anything really affecting your login. The phone number is used to help anyone that has your phone number in their contacts to find you on snapchat. Unless you make your snapchat username the same as your real name, there is nothing tying some random collection of letters to your phone number other than this DB.

Also, the previous exploit only worked if you knew a valid phone number that also happened to be a snapchat user.

It's OK (3, Funny)

bigdavex (155746) | about 10 months ago | (#45808745)

But the phone numbers disappear after 10 seconds, right?

Hmmm (1)

wbr1 (2538558) | about 10 months ago | (#45808935)

Snapchat downplays the significance of the hole.

Isn't that their entire business model? Encourage more people to show off their naughty bits, therefore "downplaying the significance of the hole."

This is my shocked face (0)

gelfling (6534) | about 10 months ago | (#45808995)

I am shocked, shocked I tell you.

Public service announcement (2)

WOOFYGOOFY (1334993) | about 10 months ago | (#45809061)

For some of the younger readers: snapchat can't actually guarantee that your photo is deleted, so don't send anything you don't want all over the web, as ever.

For instance, anyone you send your photo to could screen capture your photo before it disappears, then pass that screen capture around.

Someone could also be between you and your recipient and be capturing everything you send.

Just so you know.

Re:Public service announcement (1)

CodeBuster (516420) | about 10 months ago | (#45816041)

In fairness even many non-technical adults get this wrong. Because they don't understand how technology actually works they fail to understand that "privacy controls" don't actually control anything. This is true because the data, whether "deleted" or not, continues to exist in the company's databases which are likely copied and backed up in many places. As the parent said, if you gave it to them once they have it forever. It should also be remembered that when a company is bought or sold, the new owners might decide to sell the data or use it for affiliate marketing or for other purposes. Your data is their coin and once they have it they never give it back.

Article is Baloney (0)

retroworks (652802) | about 10 months ago | (#45809085)

This "Gibson" firm got their name in the papers, for what? Because a hacker "may" be able to see phone numbers with a username attached. So what? Where I live they still print peoples names and phone numbers in the phone book, which is available at the public library. What exactly bad is going to happen when someone decides to hack Snapchat to obtain those phone numbers?

Re:Article is Baloney (1)

Kalriath (849904) | about 10 months ago | (#45821683)

The exploit according to Gibson is that Snapchat doesn't rate limit calls to "find_friends" to prevent massive automated brute force queries to get user details. In all fairness, considering the massive processing power behind Snapchat and the fact that your server is more likely to deplete its available resources before theirs (they're on Google App Engine apparently), there really should be rate limiting, even 1 request per second would make automated hammering non-viable.
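A server-side guard of the kind this comment calls for, as an added example that is not Snapchat's code and not part of the thread. The limit values (100 numbers per call, a five-token bucket refilling at one token per second), the client identifiers and the injectable clock are all constructed for the demo. The point it adds beyond the comment is that a per-call rate limit on its own is not enough for a batch endpoint: a single admitted call could still carry tens of thousands of numbers, so the number of phone numbers per call has to be capped as well, and the cap is what sets the floor on how many calls an attacker needs.

```python
"""Added example, not Snapchat's code: admission control for a
find_friends-style endpoint.  Each client gets a token bucket (one call per
second sustained, with a small burst), and each call is capped at a fixed
number of phone numbers.  Limits, client ids and the clock are assumed."""
import time
from typing import Callable, Dict, Iterable, List, Tuple

MAX_NUMBERS_PER_CALL = 100   # assumed policy value, not Snapchat's
BUCKET_CAPACITY = 5          # burst allowance per client (assumed)
REFILL_PER_SECOND = 1.0      # sustained rate: one call per second


class RateLimited(Exception):
    """Raised when the client's bucket is empty."""


class BatchTooLarge(Exception):
    """Raised when one call carries more numbers than the cap allows."""


class FindFriendsGuard:
    """Admission control only; the lookup itself is out of scope here."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        # client id -> (tokens left, timestamp of last update)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def _take_token(self, client_id: str) -> bool:
        now = self._clock()
        tokens, last = self._buckets.get(client_id, (float(BUCKET_CAPACITY), now))
        # Refill continuously, never beyond capacity (no stockpiling).
        tokens = min(float(BUCKET_CAPACITY), tokens + (now - last) * REFILL_PER_SECOND)
        if tokens < 1.0:
            self._buckets[client_id] = (tokens, now)
            return False
        self._buckets[client_id] = (tokens - 1.0, now)
        return True

    def admit(self, client_id: str, numbers: Iterable[str]) -> List[str]:
        """Returns the batch to look up, or raises.  Size is checked first so
        an oversized request is rejected without touching the bucket."""
        batch = list(numbers)
        if len(batch) > MAX_NUMBERS_PER_CALL:
            raise BatchTooLarge(f"{len(batch)} numbers, cap is {MAX_NUMBERS_PER_CALL}")
        if not self._take_token(client_id):
            raise RateLimited(client_id)
        return batch


def try_admit(guard: FindFriendsGuard, client_id: str, numbers: Iterable[str]) -> str:
    """Maps the guard's outcome to a label, for logging or tests."""
    try:
        guard.admit(client_id, numbers)
        return "ok"
    except RateLimited:
        return "rate_limited"
    except BatchTooLarge:
        return "too_large"


def min_calls_to_cover(n_candidates: int) -> int:
    """Lower bound on calls needed to test n_candidates numbers once the cap
    is in place: every number must appear in at least one call, so no batch
    trick can beat ceil(n / cap).  At REFILL_PER_SECOND that is roughly that
    many seconds of sustained querying from a single client."""
    return -(-n_candidates // MAX_NUMBERS_PER_CALL)


if __name__ == "__main__":
    guard = FindFriendsGuard()
    print(try_admit(guard, "demo-client", ["+15550000001"]))
    print(min_calls_to_cover(75000))
```

Per-client buckets keyed on an account or IP only slow one client down; an attacker with many accounts or addresses multiplies the budget, which is why the per-call cap matters more than the refill rate. With the cap above, 75,000 numbers cost at least 750 calls regardless of how cleverly they are batched.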

Fake it (4, Insightful)

pubwvj (1045960) | about 10 months ago | (#45809131)

This is why I give out fake information. I have no reason to trust them so I give fake birthdays, fake phone numbers, fake addresses, fake names, whatever it takes. There is no reason to give them valid information. They are not to be trusted. You should pick and choose which information you want to give. Feel no obligation to answer a question truthfully just because some corporation asks you.

Obfuscate.

Re:Fake it (0)

Anonymous Coward | about 10 months ago | (#45810111)

This is why I give out fake information. I have no reason to trust them so I give fake birthdays, fake phone numbers, fake addresses, fake names, whatever it takes. There is no reason to give them valid information. They are not to be trusted. You should pick and choose which information you want to give. Feel no obligation to answer a question truthfully just because some corporation asks you.

Obfuscate.

Enjoy that while you can. I wouldn't be surprised with the attack on anonymity these days if actions like this aren't eventually deemed criminal.

(FYI, I 110% agree with you, and have used these tactics myself)

Re:Fake it (1)

pubwvj (1045960) | about 10 months ago | (#45812511)

You are probably right so let's enjoy our right to lie while we can. Let lying dogs sleep. :)

Re:Fake it (1)

qubezz (520511) | about 10 months ago | (#45810483)

This is why snapchat was worth $3B to Yahoo, you install it on your phone, where it can vacuum up your real contacts and other data from your phone and send it along to the server. If you don't put in your real name, someone else has.

Fret Not Possums (0)

Anonymous Coward | about 10 months ago | (#45809877)

Thanks to the "Judge" its all legal and protected by US laws.

How sweet.

"exposed to HACKERS"" (1)

Anonymous Coward | about 10 months ago | (#45810177)

But ONLY to "hackers", because they're like extraspecial and shit.

Phone Numbers are not private (1)

Hey_Jude_Jesus (3442653) | about 10 months ago | (#45810427)

We give them out to friends, family, retailers, employers and for thousands of other reasons. The same goes for an email address.

Yo momma so fat... (0)

Anonymous Coward | about 10 months ago | (#45811079)

...Snapchat deleted her photo before it had finished downloading.

Don't need 75000 queries to identify 75000 accounts (1)

fatphil (181876) | about 10 months ago | (#45811283)

Maybe only 17 queries are required. So even if they did do some kind of rate-limiting to prevent mass sucks of account names, they'd not stop the leak.

Number all the names you're interested in binary. If you have 75000 names, then the binary numbers will be 17 bits long. In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit. Store all the results. In the second query, do a lookup on all the 32768 contacts which have a set 15th bit, again, store those. In the third query, do a lookup on all the (16384+16384) contacts which have a set 14th bit, again store. After 17 queries, each contact will be returned in exactly the sets which correspond to the bits that are set in its binary number, but not the others. I.e. it will be uniquely identifiable.

Of course, the fix for the problem is for the doofera at snapchat to simply not return account names in the query, and this 4000x speedup will stop working as quickly as the original. However, anyone who's done a huge suck prior to that could leak it out, so it must be considered that your account name is known to everyone. Expect more targeted adverspamming...

Re:Don't need 75000 queries to identify 75000 accounts (1)

wonkey_monkey (2592601) | about 10 months ago | (#45866475)

I'm entirely nonplussed by your post.

Don't need 75000 queries to identify 75000 accounts

What do you mean by "identify"?

Number all the names you're interested in binary.

Snapchat usernames? Or names of humans you suspect of having a snapchat account?

In the first query, do a lookup on the (75000-65536) contacts which have a set 16th bit.

What kind of lookup are you talking about?

Re:Don't need 75000 queries to identify 75000 accounts (1)

wonkey_monkey (2592601) | about 10 months ago | (#45866535)

Okay, after finding this [gibsonsec.org] (who the hell presents a security disclosure as a single PNG?!) I'll have another stab at what you're suggesting.

Suppose you have 75,000 phone numbers you want to try to link to snapchat accounts. Snapchat allows (or allowed) you to specify at least up to this amount of numbers in a single query - the only trouble is, it won't tell you which of the many results you receive is associated with which of the numbers you sent in the query.

By doing ~17 queries on subsets of the 75,000 numbers, you can associate the numbers with their snapchat accounts.

But couldn't you just send 75,000 single-number queries and get the associated accounts directly? That might be more queries but it would be a lot less data going back and forth.
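The bit-splitting trick from fatphil's post and the restatement just above, as an added example that is not code from the thread, from Gibson Security or from Snapchat. The Oracle class stands in for an unordered batch lookup of the kind described (it returns the matched usernames for a batch without saying which number matched which); the directory, the candidate numbers and the usernames are constructed for the demo. It goes slightly beyond the posts in two ways: it indexes candidates from 1 rather than 0, because an index with no set bits would never be sent in any query and its account could not be told apart from "no account", and it counts queries so the two strategies can be compared directly.

```python
"""Added example, not code from the thread, Gibson Security or Snapchat.
A simulated unordered batch lookup and the bit-splitting decode that maps N
candidate numbers to accounts with ceil(log2(N+1)) batch queries instead of
N single-number queries.  Directory, numbers and Oracle are constructed."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed candidate list: every number the attacker wants to test.
CANDIDATES: List[str] = [f"+1555{i:07d}" for i in range(1000)]

# Constructed server-side table: phone number -> username.  The attacker
# only ever sees it through Oracle.find_friends.
DIRECTORY: Dict[str, str] = {
    "+15550000007": "alice_s",
    "+15550000042": "bob.k",
    "+15550000513": "carol99",
    "+15550000999": "dave_x",
}


class Oracle:
    """Hypothetical find_friends endpoint: takes any number of phone numbers
    and returns the matching usernames as an unordered set, without saying
    which number produced which hit.  Counts calls for comparison."""

    def __init__(self, directory: Dict[str, str]) -> None:
        self.directory = directory
        self.calls = 0

    def find_friends(self, numbers: Iterable[str]) -> Set[str]:
        self.calls += 1
        return {self.directory[n] for n in numbers if n in self.directory}


def naive_map(oracle: Oracle, candidates: List[str]) -> Dict[str, str]:
    """Baseline: one single-number query per candidate, N queries total."""
    found: Dict[str, str] = {}
    for number in candidates:
        hits = oracle.find_friends([number])
        if hits:
            found[number] = hits.pop()
    return found


def bitsplit_map(oracle: Oracle, candidates: List[str]) -> Dict[str, str]:
    """Group testing.  Candidates are indexed 1..N, not 0..N-1, so every one
    has at least one set bit; index 0 would never be included in any query
    and its account would look the same as 'no account'.  One query per bit
    position sends the candidates whose index has that bit set; the set of
    queries a username shows up in spells out its index in binary."""
    n = len(candidates)
    nbits = n.bit_length()            # 1000 -> 10 bits, 75000 -> 17 bits
    signature: Dict[str, int] = {}
    for bit in range(nbits):
        subset = [candidates[i - 1] for i in range(1, n + 1) if (i >> bit) & 1]
        for user in oracle.find_friends(subset):
            signature[user] = signature.get(user, 0) | (1 << bit)
    return {candidates[idx - 1]: user for user, idx in signature.items()}


def compare() -> Tuple[int, int, bool]:
    """Runs both strategies on the constructed data; returns (naive query
    count, bit-split query count, whether the recovered mappings agree)."""
    a, b = Oracle(DIRECTORY), Oracle(DIRECTORY)
    naive, split = naive_map(a, CANDIDATES), bitsplit_map(b, CANDIDATES)
    return a.calls, b.calls, naive == split


if __name__ == "__main__":
    print(compare())  # (1000, 10, True)
```

The decode relies on three properties of the endpoint: a batch may be arbitrarily large, the response lists every matched account, and usernames are unique so a hit can be attributed to exactly one index. Remove any of them (cap the batch size, or return only a yes/no per number rather than account names) and the per-bit queries stop carrying the information the decode needs; the per-bit trick then degrades to at least ceil(N / cap) calls. The comparison above is wall-clock neutral, as wonkey_monkey notes: far fewer requests, but each one carries roughly half the candidate list.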

Snapchat users private parts exposed to hackers (1)

Jamie Ian Macgregor (3389757) | about 10 months ago | (#45814569)

Who gives a crap about their phone numbers when their genitals are on display for the world to see.