Australian hackers have just given private instant-messaging service Snapchat its worst Christmas present ever. Detailed code for two Snapchat exploits is now publicly available online, as is Snapchat's API (application programming interface), thanks to the security firm that first found the flaws.
The Snapchat app, for iOS and Android, lets users send each other picture messages that self-destruct a few seconds after being opened so that no one other than the sender and recipient can see them. Intended to appeal to the security-minded, Snapchat has gained a reputation as a means of transmitting salacious and pornographic images. The app is also popular with teenagers looking to communicate outside their parents' watchful eyes, according to some reports.
One of the two posted exploits could be used to search Snapchat's entire user base for individuals' names and numbers — approximately 8 million accounts, according to a Nielsen study. The other could be used to create unlimited dummy Snapchat accounts in bulk. Together, the two exploits could undermine Snapchat's supposedly secure messaging service.
On Dec. 25, Gibson Security published the code for these exploits on its website, as well as Snapchat's API for Android and iOS mobile platforms. APIs, also called developer hooks, give developers the means to bypass an application's user interface and access its raw data. In this case, that means an enormous database of names and contact information from Snapchat's millions of users could be revealed.
Using this information, anyone could create a clone of the Snapchat API and use it to create fake accounts and gather information on other users to spam or even stalk them.
So why did Gibson Security make this code public? The security firm says it first contacted Snapchat in August 2013 to inform the company of the two vulnerabilities it had found, as per usual security etiquette.
However, Snapchat reportedly never fixed the vulnerabilities, or even responded to Gibson's messages.
"Seeing that nothing had been really improved upon … we decided that it was in everyone's best interests for us to post a full disclosure of everything we've found in our past months of hacking," Gibson Security posted on its website along with the Snapchat API and documentation of the two exploits, which appear to apply to Android and iOS equally.
A Gibson Security representative told ZDNet that the bulk account registration vulnerability could have been fixed with 10 lines of code.
Adding insult to injury, the Gibson Security researchers also say that Snapchat's claim of having a 70 percent female user base is false.
"They have no way to know the genders of their users," the researchers posted on their website.
These leaked exploits could hurt Snapchat's reputation in the business sphere as well. In the past few months, Facebook offered $3 billion to purchase Snapchat, and Google offered $4 billion, according to the Wall Street Journal. Both offers were declined.