People are creative when it comes to finding exploits and security holes, and Snapchat's security is a case in point. The people at Gibson Security spent some time researching and disclosing issues they found in the popular social app's web APIs. Surprisingly, Snapchat disregarded these publicly disclosed exploits.
Most of the information revealed is nothing out of the ordinary. Snapchat used a standard-issue HTTPS API. Its authentication process was solid (apart from storing its security secret as an unencrypted literal in the app's installer package). SSL secured the communications between the mobile app and the servers. Everything should be fine, right? Not quite.
What Do Snapchat's Security and Others Getting Hacked Have in Common?
Snapchat's systems were locked down. You needed a key to enter. So, if everything was locked down, how did they get all of the users' information? Let me answer that question with another question.
Have you ever noticed that when your login attempt fails it doesn't tell you why? Just, "You have entered a bad username and/or password". Had it told you that your username was correct but the password was wrong, that would be considered a vulnerability. Why? Because it reveals information about the data you entered: an attacker can confirm which usernames exist and then concentrate on guessing those accounts' passwords.
Snapchat Locked Everything Down, What Gives?
Neither encryption nor missing authentication was behind Snapchat's personal data leak. The exploit was in an API method that supports the "Find My Friends" feature. While finding your friends, the Snapchat server returns the full names, phone numbers and usernames of the "friends" it found on Snapchat. This was intended to help you add your friends to your Snapchat contact list.
So, you input a phone number and out comes your friend's full name and username. Someone just needed to write a program that looped through every possible phone number, asked Snapchat's server whether this number (or "friend") was registered, and recorded the reply: "Yes it is, and here is all their information".
Because It Is Easier…
Proper authentication will only take you so far. The rest is up to how you architect your application and how you handle authorization. Snapchat's "Find My Friends" supporting service was flawed. Their reasoning for using this flawed process was most likely laziness: it was easier to develop the "Find My Friends" feature if the response contained all the data necessary to complete the process. This opened up the application to the exploit.
I would say most smartphone apps have some security vulnerability or other. Snapchat has highlighted the vulnerable side of smartphone apps. Limited resources and the pressure to ship new features quickly contributed to the failure to fix known security flaws.
How Should They Have Handled This?
Ideally, the implementation should return only a surrogate key in response to the phone number entered, rather than the account's name and username. Additionally, each Snapchat account should have a limit on Find My Friends requests. Together these measures limit both how fast wrongdoers can harvest data and how useful the harvested data is. Note that a surrogate key still confirms that a number is registered, so the per-account limit is what actually blunts bulk enumeration; one measure without the other is not enough.
This is just the beginning. Instilling trust and maintaining it will be the next requirement for any company that wishes to handle personal information. Just as UL certifies extension cords for safety, new software standards and certification companies will begin to emerge.
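To make the enumeration loop described above and the two fixes suggested here concrete, the following is an added illustration written for this article, not Snapchat's or Gibson Security's code. It simulates the lookup service in Python: a leaky handler that behaves as the article describes, a hardened handler that returns only a surrogate key and charges every submitted number against a per-account budget, and the attacker's loop run against both. The handler names, the HMAC-based surrogate scheme, the lookup budget and the user records are all assumptions constructed for the example.

```python
"""Simulated "Find My Friends" lookup: the leaking design the article
describes beside a hardened one, with the attacker's enumeration loop
run against both.

Added illustration, not Snapchat's or Gibson Security's code. The handler
names, the surrogate-key scheme and the lookup budget are assumptions;
the user records are constructed sample data, not real accounts."""

import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample accounts keyed by phone number (not real people).
USERS = {
    "4155550101": {"username": "alice_s", "display_name": "Alice Smith"},
    "4155550142": {"username": "bob_j", "display_name": "Bob Jones"},
    "4155550187": {"username": "carol_w", "display_name": "Carol White"},
}

# Assumed server-side secret used to derive opaque per-number keys.
SERVER_KEY = secrets.token_bytes(32)

# Assumed budget: how many phone numbers one account may submit per window.
LOOKUP_BUDGET = 100
_spent = defaultdict(int)


class RateLimited(Exception):
    """Raised when a session exhausts its lookup budget."""


def find_friends_leaky(session_user, numbers):
    """The original behaviour: every registered number comes back with the
    account's full name and username, and there is no per-account limit."""
    return {
        n: {"name": USERS[n]["display_name"], "username": USERS[n]["username"]}
        for n in numbers
        if n in USERS
    }


def surrogate_key(number):
    """Opaque, stable token for a phone number: an HMAC under a server secret,
    so the app can still reference the match, but the token says nothing
    about who owns the number and cannot be reversed to it."""
    return hmac.new(SERVER_KEY, number.encode(), hashlib.sha256).hexdigest()[:16]


def find_friends_hardened(session_user, numbers):
    """Hardened variant: charge every submitted number against the caller's
    budget, and return only a surrogate key for matches, never the name."""
    _spent[session_user] += len(numbers)
    if _spent[session_user] > LOOKUP_BUDGET:
        raise RateLimited(f"{session_user} exceeded {LOOKUP_BUDGET} lookups")
    return {n: surrogate_key(n) for n in numbers if n in USERS}


def enumerate_block(handler, session_user, prefix, count, batch=50):
    """The attacker's loop from the article: walk a block of phone numbers
    in batches and keep whatever the server hands back. Returns the
    harvested records and whether the server cut the run off."""
    harvested = {}
    numbers = [f"{prefix}{i:04d}" for i in range(count)]
    for start in range(0, len(numbers), batch):
        try:
            harvested.update(handler(session_user, numbers[start:start + batch]))
        except RateLimited:
            return harvested, True
    return harvested, False


if __name__ == "__main__":
    leaked, _ = enumerate_block(find_friends_leaky, "attacker", "415555", 1000)
    print("leaky API gave up:", leaked)
    got, cut_off = enumerate_block(find_friends_hardened, "attacker", "415555", 1000)
    print("hardened API gave up:", got, "cut off:", cut_off)
```

Against the leaky handler the loop walks the whole block and comes back with every name and username; against the hardened one it is stopped after the assumed budget and, for this block, gets nothing. Even when a surrogate key does come back it still confirms that the number is registered, which is why the budget, not the key alone, is what limits bulk harvesting.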