
Snapchat API has several vulnerabilities, researchers report

In August, researchers with Australia-based Gibson Security, or GibsonSec, released an advisory highlighting privacy issues in the application programming interface (API) of the popular photo messaging app Snapchat.

The group – poor students with no steady income, as they describe themselves – received no response from Snapchat in the months that followed. Deciding that full disclosure was in the best interest of the app's users, GibsonSec released a comprehensive overview of the API and its vulnerabilities on Christmas Eve.

“Given that it's been around four months since our last Snapchat release, we figured we'd do a refresher on the latest version, and see which of the released exploits had been fixed (full disclosure: none of them),” the researchers posted to their website on Christmas.

According to the initial August release regarding the app's vulnerabilities, using GibsonSec's Snapchat API implementation, anyone can save media that is sent to them, build a database of usernames and phone numbers, and connect names to aliases and then to social media accounts. Someone could even hit a user with a denial-of-service (DoS) attack, the researchers wrote.

“We also found that if someone was able to gain access to Snapchat's servers, they could easily view, modify or replace snaps sent,” according to GibsonSec's August release. “With a couple of lines of [Python code], someone could view all your unread messages, and depending on the situation, modify and even replace the images completely.”

The researchers added that, by exploiting Snapchat's ease of registration, a person could also create accounts in bulk, which could then be used for spamming.
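The two abuse patterns the article describes, bulk lookups that pair phone numbers with usernames and bulk account registration, both show up server-side as one client hitting one endpoint far faster than a real user would. The script below is an added example written for this page; it is not GibsonSec's code, not Snapchat's, and it assumes a hypothetical access-log format with `/lookup` and `/register` endpoints (the sample log lines are constructed). It uses a sliding window to find clients whose peak call rate to an endpoint crosses a threshold, which is the kind of check an API operator would run to detect enumeration or mass sign-ups.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical lookup/registration API.
# Assumed format: ISO timestamp, client IP, endpoint path, one key=value parameter.
SAMPLE_LOG = """\
2013-12-24T10:00:00 203.0.113.5 /lookup phone=+15550000001
2013-12-24T10:00:01 203.0.113.5 /lookup phone=+15550000002
2013-12-24T10:00:02 203.0.113.5 /lookup phone=+15550000003
2013-12-24T10:00:03 203.0.113.5 /lookup phone=+15550000004
2013-12-24T10:00:04 203.0.113.5 /lookup phone=+15550000005
2013-12-24T10:00:05 203.0.113.5 /lookup phone=+15550000006
2013-12-24T10:00:07 198.51.100.7 /lookup phone=+15550000042
2013-12-24T10:05:00 198.51.100.7 /lookup phone=+15550000043
2013-12-24T10:01:00 192.0.2.9 /register user=bulk001
2013-12-24T10:01:01 192.0.2.9 /register user=bulk002
2013-12-24T10:01:02 192.0.2.9 /register user=bulk003
2013-12-24T10:01:03 192.0.2.9 /register user=bulk004
2013-12-24T10:30:00 192.0.2.9 /register user=bulk005
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, endpoint, param) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, param = line.split()
        events.append((datetime.fromisoformat(ts), ip, endpoint, param))
    return events


def peak_rate(timestamps, window):
    """Largest number of events that fall inside any single window of the given length.

    Two-pointer sweep over the sorted timestamps: `start` trails `end` so that
    every timestamp in timestamps[start:end+1] lies within `window` of timestamps[end].
    """
    timestamps = sorted(timestamps)
    start, peak = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flag_bulk_clients(events, endpoint, window_seconds, threshold):
    """Return {ip: peak_count} for clients whose calls to `endpoint` reach
    `threshold` within any `window_seconds`-long window."""
    per_client = defaultdict(list)
    for ts, ip, path, _ in events:
        if path == endpoint:
            per_client[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_client.items():
        peak = peak_rate(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Thresholds are illustrative: 5 lookups/minute and 3 registrations/minute.
    print("bulk lookup clients:", flag_bulk_clients(events, "/lookup", 60, 5))
    print("bulk registration clients:", flag_bulk_clients(events, "/register", 60, 3))
```

In the constructed sample, 203.0.113.5 issues six lookups in six seconds and 192.0.2.9 registers four accounts in four seconds, so both are flagged, while 198.51.100.7, which makes two lookups five minutes apart, is not. In production the thresholds would be tuned against real traffic, and a flag would typically feed a rate limiter or CAPTCHA step rather than a hard block.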

Spokespersons for GibsonSec and Snapchat did not immediately respond to requests for comment.
