so much for SnapChat


crp

V.T. Eric Layton

Never even heard of it till I read this post. I must not be part of the "in" crowd. I don't do FaceBook, or Twitter, or any of this stupid gnat's attention span carp.


Guest LilBambi

Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignored - ZDNet

 

Hackers have made sure that popular photo sharing app Snapchat got a hearty lump of coal for Christmas.

 

After having its security disclosure go ignored since August, Gibson Security has published Snapchat's previously undocumented developer hooks (API) and code for two exploits that allow mass matching of phone numbers with names and mass creation of bogus accounts.

 

The Australian hackers announced its publication of Snapchat's API and the two exploits on the GibSec Twitter account on Christmas Eve — which by time difference is Christmas Day in Australia.

 

Now anyone can build an exact clone of Snapchat's API and stalk the popular app's alleged 8 million users.

 

Much more in the article!


  • 2 weeks later...
Guest LilBambi

From siljaline's second article:

 

Greyhat hackers have published the partial phone numbers belonging to more than 4.5 million Snapchat users after exploiting a recently disclosed security weakness that officials of the service had described as theoretical.

 

The database containing usernames and corresponding phone numbers for the majority of Snapchat users was posted to snapchatdb.info on the last day of 2013. Phone numbers published on the site were obscured by censoring the last two digits, but the anonymous people behind the posting said they might make the full version available privately.

 

Within 24 hours, the site was no longer accessible, but much of the data can still be found in search engine caches and mirror servers. The data has also been incorporated into Have I Been Pwned, a whitehat service that helps people track whether their personal information has been leaked online. The Snapchat data has likely also been downloaded by less scrupulous hackers for use in phishing and social engineering scams.


Guest LilBambi

And this from siljaline's first one from The Verge on offering security fix:

 

Snapchat said today it would alter its app to make it harder for malicious users to collect and leak millions of usernames connected to phone numbers. The move comes after a group calling itself SnapchatDB rang in the New Year by leaking 4.6 million partially redacted phone numbers, in a stunt they said was designed to raise awareness about security flaws in Snapchat's app.

 

...

 

Update: Gibson Security, the group which originally warned Snapchat about the vulnerability in August, has responded to Snapchat's blog post. Offended by Snapchat's response to its efforts, GibSec points out that Snapchat doesn't actually claim that the vulnerability has been fixed, and has yet to apologize to its users.

 

Only harder? Not fix it completely?


And this from siljaline's first one from The Verge on offering security fix:

 

 

 

Only harder? Not fix it completely?

I noticed that too. And how about the allegation that SnapChat is lying to advertisers about what it knows about its users? I think, if the rumors were true, a 3 billion dollar bullet was dodged.

  • 3 weeks later...

and what the flock is snap chat, exactly??

[please remember, temmu doesn't exist in this sub-modern era in which most live...]

as i understand it, instead of texting one would take a photo with a device , app would load said photo to a server, server would delete said photo after 2 minutes (thereby supposedly removing all evidence of said photo).

No, i don't get it either

Snapchat differs from other messaging apps in that the picture/message is delivered to the recipient's device where it can be viewed only once.

 

Snapchat did change things slightly with a recent update where you can "replay" a picture, etc once a day or something like that.

 

Adam


Guest LilBambi

Snapchat's expired snaps are not deleted, just hidden

 

Forensic researcher Richard Hickman has discovered that Snapchat photos on Android phones are merely hidden, not deleted, and are still available for retrieval with the right forensic software. He concluded that "metadata is stored for Snapchat images, as shown by the com.snapchat.android_preferences.xml file, and that it contains metadata about expired 'snaps' as well as unexpired 'snaps', and that images that are sent via Snapchat are indeed recoverable, and do not 'disappear forever'."

 

...

 

Hickman first sent some photos via Snapchat and then, using AccessData's Forensic Toolkit version 4.0.2.33, checked to see if they remained on the device. He found the files with the simple suffix .nomedia appended. This, explains Paul Ducklin in NakedSecurity, "is a standard Android marker that says, 'Other apps should ignore this file. Do not index it, thumbnail it, add it to any galleries, or whatnot. Leave it to me'."

 

Apps that obey the Android rules will do that. Forensic apps that do not obey the rules will not. "AccessData's Forensic Toolkit recognised the .nomedia extension that was appended to the end of the file name and ignored it, displaying the images," wrote Hickman.

 

Well that's the end of the so called security of only viewing private images only once and supposedly they are gone after a few seconds, eh? Of course, Snapchat seems to think this is no problem at all...wouldn't that make you feel so much better about using their app for security of the images? And that they told the truth about them being gone?

 

The reality is that it is notoriously difficult to remove data from mobile devices simply because of the way data is stored using the 'wear levelling' technique.
Link to comment
Share on other sites
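An added example, not part of the thread or of Hickman's report: the quoted finding is that a renamed file keeps its content, so any tool that identifies files by their leading bytes instead of their name still sees the image. The directory and file names below are made up for the illustration, and the sample files are constructed inline.

```python
import os
import tempfile

SIGNATURES = {  # well-known leading bytes of common image formats
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
}

def sniff_type(path):
    """Classify a file by its first bytes; the file name is never consulted."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None

def find_hidden_images(root, suffix=".nomedia"):
    """Report files carrying the hiding suffix whose content is still an image."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffix):
                continue
            full = os.path.join(dirpath, name)
            kind = sniff_type(full)
            if kind:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data; 'received_cache' and the file names are hypothetical."""
    cache = os.path.join(root, "received_cache")
    os.makedirs(cache)
    samples = {
        "snap_0001.jpg.nomedia": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG header
        "snap_0002.png.nomedia": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # PNG header
        "notes.txt.nomedia": b"plain text, not an image",
        "visible.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # no suffix, skipped
    }
    for name, data in samples.items():
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(data)

def demo():
    """Build the sample tree in a temp directory and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_hidden_images(root)
```

Calling `demo()` returns the two renamed image files with their detected types; the renamed text file is not reported because its content does not match an image signature.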

Well that's the end of the so called security of only viewing private images only once and supposedly they are gone after a few seconds, eh? Of course, Snapchat seems to think this is no problem at all...wouldn't that make you feel so much better about using their app for security of the images? And that they told the truth about them being gone?

 

In that case, it would be a trivial matter to simply change the app to delete the pictures from the device, rather than renaming it. Why did Snapchat do this? I have no idea, though it would seem they might be up to something fishy.

 

I never understood the draw of snapchat, but that's just me. For some, it would seem to serve a purpose.

 

In any case, I was in no way defending the company, only explaining how the app worked for those that did not know.

 

Adam


Snapchat asks new users to prove they're not robotic spammers

 

Following Snapchat's recent username leak and increases in "Snap spam," the company today rolled out an interesting security measure to ensure that new users aren't spambots. Upon signing up for the first time, Snapchat now displays a unique challenge-response test that asks you to "find the ghost" in various pictures. If you pick the photos with ghosts, you pass, but if you pick other photos (as a robot might), the app won't allow you to sign up.

Guest LilBambi

Now all they need to do is delete the pictures from their servers and the devices and they would be much more in line with what their users need under the circumstances.

