The Snapchat security vulnerability is a story that has quietly grumbled on over the Christmas and New Year period, but is hopefully reaching some kind of resolution, at least for the bugs highlighted on Christmas Eve. To recapitulate, Gibson Security discovered potential exploits in Snapchat's Find Friends feature and informed the app's developers of them in August 2013. One of these bugs allowed someone to upload a list of random telephone numbers and match them to Snapchat users' names. The other allowed the creation of multitudes of dummy accounts. Bring on the spammers and maybe even stalkers, then. Although Snapchat made some moves to address the faults, it didn't close the loopholes entirely. Gibson Security, therefore, took it upon itself to document Snapchat's API on Christmas Eve, making the vulnerability obvious to anyone who wanted to abuse it. The hole was exploited on New Year's Eve, when the partially redacted names and telephone numbers of 4.6 million Snapchat users were published online, albeit for a limited period of time.
With the ante having been upped, Snapchat has been forced to issue an update to its app that patches the vulnerability. It hasn't been released yet, but when it is, it will allow users to opt out of the Find Friends feature after they have verified their telephone number. Snapchat has also stressed that no other information, including images, was accessed during the attack.
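To make the two behaviours described above concrete, here is an added illustration that is not Snapchat's code or Gibson Security's: a toy Find Friends service with the unrestricted number-matching lookup beside a hardened version that caps batch size, applies a per-account daily quota, honours the opt-out the update introduces, and flags accounts whose lookups mostly fail to match (the signature of a sweep through random numbers rather than a real address book). The directory, quota values and miss-ratio threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample directory (phone number -> username); not real data.
DIRECTORY = {"+15551230001": "alice", "+15551230002": "bob", "+15551230003": "carol"}

# Hypothetical policy values for the hardened service.
MAX_BATCH = 5           # contacts accepted per request
DAILY_LOOKUP_CAP = 10   # numbers one account may look up per day
MISS_RATIO_ALERT = 0.8  # flag accounts whose lookups mostly fail to match


class FindFriends:
    def __init__(self, directory):
        self.directory = dict(directory)
        self.opted_out = set()           # usernames hidden from lookup
        self.lookups = defaultdict(int)  # numbers submitted, per account
        self.misses = defaultdict(int)   # numbers that matched nobody, per account
        self.alerts = []                 # accounts flagged as enumerating

    def unrestricted_lookup(self, numbers):
        """The behaviour the article describes: any list of numbers in, usernames out."""
        return {n: self.directory[n] for n in numbers if n in self.directory}

    def opt_out(self, username):
        """The remedy the article describes: a verified user removes themself from Find Friends."""
        self.opted_out.add(username)

    def hardened_lookup(self, account, numbers):
        """Same matching, but batch-capped, quota-limited and watched for enumeration."""
        if len(numbers) > MAX_BATCH:
            raise ValueError("batch exceeds MAX_BATCH")
        if self.lookups[account] + len(numbers) > DAILY_LOOKUP_CAP:
            raise PermissionError("daily lookup cap exceeded")
        self.lookups[account] += len(numbers)
        matches = {}
        for n in numbers:
            user = self.directory.get(n)
            if user is None or user in self.opted_out:
                self.misses[account] += 1
            else:
                matches[n] = user
        # A real address book mostly matches; a sweep of random numbers mostly misses.
        ratio = self.misses[account] / self.lookups[account]
        if self.lookups[account] >= MAX_BATCH and ratio >= MISS_RATIO_ALERT:
            if account not in self.alerts:
                self.alerts.append(account)
        return matches
```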
Bugs happen and so do security breaches; what matters is how companies and developers respond to them. Perhaps the most disturbing element of this situation isn't that Snapchat users' details could potentially have been exploited, but Snapchat's ostrich approach to security. Rather than addressing the situation thoroughly and immediately when first informed of it, it made a half-baked attempt to implement a patch that could still be exploited. When it was called out, it reacted slowly with a fix that is opt-in rather than opt-out (users must actively remove themselves from Find Friends rather than being excluded by default), and it hasn't apologised to its users. Food for thought.
You can read what Snapchat had to say for itself on its blog.