Breach, Data Security, Threat Management

Snapchat claims growing service caused spam increase, not 4.6M breach

Although a vulnerability in its exposed application programming interface (API) recently led to the usernames and phone numbers of 4.6 million individuals being posted online, Snapchat said Monday that an increase in spam is the result of a growing service and not the data breach.

“As far as we know, this is unrelated to the Find Friends issue [that was involved in the breach],” Snapchat wrote in a brief post.

Andrew Conway, a researcher with Cloudmark – a company that focuses on combating spam, told on Tuesday that this may or may not be the case.

“We don't know for certain if the spam is being sent to the 4.6 million users on the published list,” Conway said. “However, the breach revealed that the Snapchat API is wide open, and that simple scripts can emulate the Snapchat app. The spammers are using this fact to identify targets and send spam.”

Snapchat acknowledged and apologized for the recent uptick in “Snap Spam,” but even though the company told users that enabling the “Only My Friends” setting will minimize the amount of spam that enters their feeds, Conway said that this will not necessarily mitigate the issue. He explained that users can still receive heaps of friend requests, each with a snap attached.

Two spam campaigns are currently circulating in the Snapchat community.

One involves the inclusion of a nude photo and a message telling recipients to sign up to a chat service for more images, Conway said, adding the other party on the chat is actually a bot that automatically sends more photos if an app is downloaded. The other involves users being told they have a secret admirer, whom they are told they can reveal by downloading an app.

In its post, Snapchat said it would be taking measures to reduce spam. Conway said that one way of doing this is through rate limiting by device and the blocking of known bad IP addresses.

“If you are simply running a script that repeatedly creates new user accounts, they will all be coming from the same device and the same IP address,” Conway said. “This is easy to detect and you can limit new sign ups to, say, four per device per hour. The same for new friend requests and messages, though you have to set higher limits there.”

Summing it up, he added, “The point is to limit each device and each user account to levels of activity reasonable for a human, while blocking higher levels from scripts.”

Spammers typically use botnets to distribute requests over multiple devices, Conway said, explaining another measure that can be taken by Snapchat includes enlisting the services of companies that maintain lists of IP addresses known to be members of botnets.

Conway suggested in a blog post that Snapchat make it easier for users to report spam, as well. As it stands now, users have to go deep into the photo messaging app's settings and enter their username and password, he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.