With the new year came a new hack that was somewhat impressive in its sheer scope: the usernames and matched phone numbers of around 4.6 million Snapchat users were exposed following a database hack. What is perhaps most galling to those 4.6 million users is that the means used to pull off the hack had been known about for around four months before it happened.
SnapchatDB, where much of the information was posted, itself says that the hack was accomplished via an exploit that had recently been patched but still proved sufficiently useful to cause the exposure of 4.6 million username / phone number pairs. Reports further suggested that not only did Snapchat know about the hack, but as recently as last week it told the press that the hack in question was “theoretical.”
This comes on the heels of word from Gibson Security, which had published chunks of Snapchat code showing that phone number matching could take place and called attention to several specific exploits, which Snapchat reportedly dismissed. While the SnapchatDB website was taken down following the hack, reports suggest that the database had not only been copied but also torrented and mirrored on the Mega service. Interestingly, Gibson Security then responded with a Snapchat hack lookup tool so that users can check whether they were affected by this particular hack. Several other websites did likewise.
Perhaps most interesting here is a further revelation from Gibson Security, which said that Snapchat could have fixed the potential hack rather easily, had it taken the security breach seriously. As it turns out, according to Gibson Security, fixing the breach would have taken just 10 lines of code.
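The article says the exposure came through phone number matching and that a fix was small. The following is an added illustration, not Snapchat's code and not Gibson Security's published material: a toy contact-matching lookup in the shape the article describes, shown once with no limits and once with a per-request batch cap and a rolling per-client quota that a defender can also alert on. The directory entries, client identifiers and thresholds are all constructed, hypothetical values.

```python
"""
Added illustration (hypothetical, not Snapchat's or Gibson Security's code):
an unlimited phone-to-username lookup beside a quota-limited one.
"""
from collections import defaultdict
import time

# Constructed sample directory: phone number -> username (fake values)
DIRECTORY = {
    "+15550000001": "alice_example",
    "+15550000002": "bob_example",
    "+15550000003": "carol_example",
}

# Constructed query list: three numbers that match, three that do not
SAMPLE_PHONES = ["+1555000000%d" % i for i in range(1, 7)]

MAX_NUMBERS_PER_REQUEST = 2   # hypothetical cap on batch size
MAX_MATCHES_PER_HOUR = 2      # hypothetical per-client hourly quota
WINDOW_SECONDS = 3600


def match_unlimited(phones):
    """The weak design: any caller may submit any number of phones and gets
    every match back, so the whole directory can be read out in bulk."""
    return {p: DIRECTORY[p] for p in phones if p in DIRECTORY}


class MatchingService:
    """Hardened variant: batch cap plus a rolling per-client match quota,
    with a rejection counter the operator can monitor."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._events = defaultdict(list)     # client_id -> [(timestamp, matches)]
        self.rejections = defaultdict(int)   # client_id -> refused calls

    def _matches_in_window(self, client_id):
        cutoff = self._now() - WINDOW_SECONDS
        recent = [(ts, n) for ts, n in self._events[client_id] if ts > cutoff]
        self._events[client_id] = recent
        return sum(n for _, n in recent)

    def match(self, client_id, phones):
        if len(phones) > MAX_NUMBERS_PER_REQUEST:
            self.rejections[client_id] += 1
            raise ValueError("batch too large")
        used = self._matches_in_window(client_id)
        if used >= MAX_MATCHES_PER_HOUR:
            self.rejections[client_id] += 1
            raise PermissionError("hourly match quota exceeded")
        results = match_unlimited(phones)
        # Return only as many matches as the remaining quota allows.
        allowed = MAX_MATCHES_PER_HOUR - used
        truncated = dict(list(results.items())[:allowed])
        self._events[client_id].append((self._now(), len(truncated)))
        return truncated


def measure_exposure(service, client_id, phones, batch):
    """Submit `phones` in fixed-size batches and report how many pairs the
    service actually disclosed and how many calls it refused."""
    disclosed = {}
    for i in range(0, len(phones), batch):
        try:
            disclosed.update(service.match(client_id, phones[i:i + batch]))
        except (ValueError, PermissionError):
            pass
    return len(disclosed), service.rejections[client_id]


if __name__ == "__main__":
    print("unlimited design discloses:", len(match_unlimited(SAMPLE_PHONES)))
    svc = MatchingService()
    print("quota design (pairs, refusals):",
          measure_exposure(svc, "client-A", SAMPLE_PHONES, batch=2))
```

With the constructed inputs the unlimited lookup discloses all three pairs, while the quota-limited service discloses two and refuses the remaining calls, and the `rejections` counter is the signal a monitoring rule would key on. Real thresholds would be set from legitimate usage patterns rather than the tiny numbers used here.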
This isn't the first time that a company was warned about a potential security breach by security researchers, only to turn around and dismiss the breach, often using the word “theoretical.” The idea that iMessage could be snooped upon was largely dismissed in such a fashion, until demonstrations took place to prove that the “theoretical vulnerabilities” weren't so theoretical at all, but rather had practical applications ready to go. Even as far back as 1992, the word “theoretical” was used: L0pht Heavy Industries—a hacking group of the era—discussed an issue of a buffer overflow in Microsoft software, an issue Microsoft described in an e-mail with L0pht thus: “That vulnerability is entirely theoretical.” L0pht later took the description for its own tagline, declaring that it was “Making the theoretical practical since 1992.”
It's something of a problem for all concerned. While users are regularly admonished to maintain proper security standards, like strong passwords regularly changed and frequently updated antivirus programs, for companies to dismiss potential security hassles is particularly irksome. After all, when a user's computer is broken into because the firewall was off and the antivirus software hadn't been updated in weeks, that's the user's fault. But the user can't take any blame for Snapchat deciding a hack was too “theoretical” to bother with, yet the information is just as exposed as if the user had actually done something wrong.
In the end, there's only so much the user can do. Engaging in proper behaviors and protection methods is important for every user. But when something like this happens, it just hits that much harder knowing that, even when the user does everything right, it still may ultimately be all for naught.
Edited by Cassandra Tucker