Now you see it… and then maybe…
Snapchat, another messaging service that is supposed to delete content once it has been sent, recently suffered a “breach” of sorts. No sensitive information was released, but security researchers wanted to “expose” the vulnerabilities in the service, so they gained access to data, posted user names and phone numbers on a site called SnapchatDB.info, and made the data available for download.
The security researchers stated on this website: “This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
They also cautioned that they redacted part of the info: “For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.”
Snapchat reportedly is going to update its applications to secure the data; from their website:
“We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.”
http://blog.snapchat.com/post/72013106599/find-friends-abuse
Security experts have been concerned about the false sense of security that some of these messaging services give their users.
See the NYT blog for more info:
http://bits.blogs.nytimes.com/2014/01/02/snapchat-breach-exposes-weak-security/
UPDATE:
Snapchat reports customer complaints of an increase in spam but denies that the activity is related to the “Find Friends” breach.
http://blog.snapchat.com/post/73216178814/snap-spam-update
UPDATE:
Snapchat settled with the FTC – May 8, 2014
From the FTC’s press release:
According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.
“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
It appears the settlement required corrective and compliance actions but no monetary payment.
See also, critique of Snapchat –