Snapchat spam gets an apology

Following revelations over Christmas of a potential software vulnerability in its 'Find Friends' service that could allow its users' names to be linked with their phone numbers, and a subsequent security breach around New Year, the last thing that ephemeral-image-sharing app Snapchat needs is another bothersome bug. Especially when it was veeeerrry slow to offer an apology and a fix for the first one. But that's just what Snapchat's got. This time, its users are reporting the receipt of unusually high numbers of spammy 'snaps'. Snapchat's developers are insistent that this incident is in no way related to the festive-season 'Find Friends' vulnerability, and they're working on a fix for it. They've also apologised for the inconvenience, which is a definite improvement on last time. However, until they can push through an update, the best advice on offer is for users to adjust their settings so that only their friends can send them snaps. There's no means to report a Snapchat spammer, only to block her or him, but maybe with this spate of spam, a solution will emerge.

(More details on the Snapchat blog)

What's the situation with the Snapchat hack?

The Snapchat security vulnerability is a story that has quietly grumbled on over the Christmas and New Year period, but is hopefully reaching some kind of resolution, at least for the bugs highlighted on Christmas Eve. To recapitulate, Gibson Security discovered potential exploits in Snapchat's Find Friends feature and informed the app's developers of them in August 2013. One of these bugs allowed someone to upload a list of random telephone numbers and match them to Snapchat users' names. The other allowed the creation of multitudes of dummy accounts. Bring on the spammers and maybe even stalkers, then. Although Snapchat made some moves to address the faults, it didn't close the loopholes entirely. Gibson Security therefore took it upon itself to document Snapchat's API on Christmas Eve, making the vulnerability obvious to anyone who wanted to abuse it. The hole was exploited on New Year's Eve, when 4.6 million Snapchat users' partially redacted names and telephone numbers were published online, albeit for a limited period of time.

With the ante having been upped, Snapchat has been forced to issue an update to its app that patches the vulnerability. It hasn't been released yet, but when it is, it will allow users to opt out of the Find Friends feature after they have verified their telephone number. Snapchat has also stressed that no other information, including images, was accessed during the attack.

Bugs happen and so do security breaches; what matters is how companies and developers respond to them. Perhaps the most disturbing element of this situation isn't that Snapchat users' details could potentially have been exploited, but Snapchat's ostrich approach to security. Rather than addressing the situation thoroughly and immediately when first informed of it, it made a half-baked attempt to implement a patch that could still be exploited. When it was called out, it reacted slowly with a fix that leaves Find Friends opt-out rather than opt-in, and it hasn't apologised to its users. Food for thought.

You can read what Snapchat had to say for itself on its blog.