Snapchat Exposed: Angry Hackers Post Exploit Code Online

Australian hackers have just given private instant-messaging service Snapchat its worst Christmas present ever. Detailed code for two Snapchat exploits is now publicly available online, as is Snapchat's API (application programming interface), thanks to the security firm that first found the flaws.

The Snapchat app, for iOS and Android, lets users send each other picture messages that self-destruct a few seconds after being opened so that no one other than the sender and recipient can see them. Intended to appeal to the security-minded, Snapchat has gained a reputation as a means of transmitting salacious and pornographic images. The app is also popular with teenagers looking to communicate outside their parents' watchful eyes, according to some reports.

MORE: Mobile Security Guide: Everything You Need to Know

One of the two posted exploits could be used to search Snapchat's entire user base for individuals' names and numbers — approximately 8 million accounts, according to a Nielsen study. The other could be used to create unlimited dummy Snapchat accounts in bulk. Together, the two exploits could undermine Snapchat's supposedly secure messaging service.

On Dec. 25, Gibson Security published the code for these exploits on its website, as well as Snapchat's API for Android and iOS mobile platforms. APIs, also called developer hooks, give developers the means to bypass an application's user interface and access its raw data. In this case, that means an enormous database of names and contact information from Snapchat's millions of users could be revealed.

Using this information, anyone could create a clone of the Snapchat API and use it to create fake accounts and gather information on other users to spam or even stalk them.

So why did Gibson Security make this code public? The security firm says it first contacted Snapchat in August 2013 to inform the company of the two vulnerabilities it had found, as per usual security etiquette.

However, Snapchat reportedly never fixed the vulnerabilities, or even responded to Gibson's messages.

Seeing that nothing had been really improved upon…we decided that it was in everyone's best interests for us to post a full disclosure of everything we've found in our past months of hacking," Gibson Security posted on its website along with the Snapchat API and documentation of the two exploits, which appear to apply to Android and iOS equally.

A Gibson Security representative told ZDNet that the bulk account registration vulnerability could have been fixed with 10 lines of code.

Adding insult to injury, the Gibson Security researchers also say that Snapchat's claim of having a 70 percent female user base is false.

"They have no way to know the genders of their users," the researchers posted on their website.

These leaked exploits could hurt Snapchat's reputation in the business sphere as well. In the past few months, Facebook offered $3 billion to purchase Snapchat, and Google offered $4 billion, according to the Wall Street Journal. Both offers were declined.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • kscot
    I won't a snap chat acont
  • Dax corrin
    Woo, make tons of money on the InterWebz... awesome. On topic, glad I'm not a SnapChat user...and the kind of money Google and Facebook are trying to throw at them are obscene.
  • sunflier
    Did the exposed code self-destruct too after a few seconds??
  • Rhinofart
    Time to make your own Chat app from the source code and sell it to someone for a mere 1 Billion.
  • p05esto
    The app is so pointless and stupid, I wouldn't pay $500 for it myself.... you get offered $4b for this YOU TAKE IT. Idiots. Wow, you send a pic and it gets deleted. Like that's some brilliant idea, neither is twitter, wouldn't a pennt for load of steaming crap. I really don't know why the business world is so stupid these days. Things are come crashing down hard one of these days and half of corporate america is going under.
  • dotaloc
    normally...with these apps, it is my understanding that you are basically paying for the user base, potential users, and their (expected) continued use. so, make any (supposed novel-idea based) new chat app and get a ton of users, THEN you can sell for a ton of cash. not so easy...
  • tolham
    "These leaked exploits could hurt Snapchat's reputation"

    and Gibson Securities' reputation as well. after this stunt, how can any company trust Gibson Security not to publish their security flaws? I hope they get their ass handed to them in court.
  • _Cosmin_
    So which is it: hackers or security firm that found/publish these flaws ? And don`t say hackers working at security firm (there is no such thing)!
  • Camikazi
    @tolham this is actually how a lot of white hats get exploits fixed, they find the problems and let the companies know what is wrong and how to fix it after a certain amount of time if the problem is not fixed they will send the information out to force the company to do it. It's nothing new and has been the standard for this type of thing for a very long time the difference is most companies tend to listen the first time they are told.