Snapchat users, we have some potentially bad news. And it's not going away in six seconds.
According to Gibson Security, two security holes in Snapchat's API allow for the mass matching of names to phone numbers and the rapid creation of fake accounts.
The Australian hacker group says it's known about the exploits for months, citing this release from August. But it reports, as of now, Snapchat hasn't done anything to fix them. So Gibson Security published Snapchat's API and the two hacks on Tuesday.
ZDNet reports the code Gibson published is fully functional. And that's worrying for the app's estimated 8 million users because, as Ars Technica writes, "Users of the exploit could take that data and resell it for cash, as well as scam or stalk the Snapchat accounts they've identified."
How exactly the hacks work is pretty complicated.
The "Find Friends" exploit is what someone could use to identify users. It can reportedly match names and numbers, even if the account is private. (Via Apple / Snapchat)
And it's fast. According to Gibson's calculations, "We can assume that it would take approximately 20 hours for one $10 virtual server to eat through and find every user's phone number." The "Bulk Registration" exploit reportedly allows for account creation.
This, as Gibson notes, could rapidly create thousands of accounts, which could then spam Snapchat users. (Via Snapchat)
This could all be fixed, according to the hackers. And it would only take 10 lines of code. Gibson tells ZDNet: "Snapchat can limit the speed someone can do this, but until they rewrite the feature, they're vulnerable. They've had four months, if they can't rewrite ten lines of code in that time they should fire their development team."
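The fix Gibson describes is server-side throttling of the "Find Friends" lookup and of account creation. The following is an added illustration (not Snapchat's code and not Gibson Security's published code) of what such a limit looks like: a small in-memory service with a sliding-window request limit per account, a cap on phone numbers per lookup, and a per-IP limit on registrations. The class `FindFriendsService`, its method names, the limits and the sample directory are all assumptions made for the example.

```python
"""Added example: rate-limited friend lookup and registration.

Hypothetical service, not Snapchat's implementation. Limits and the
sample phone directory below are constructed for illustration.
"""
import time
from collections import defaultdict, deque

# Constructed sample data: phone number -> username (not real accounts).
SAMPLE_DIRECTORY = {
    "+15550000001": "alice",
    "+15550000002": "bob",
    "+15550000003": "carol",
}

# Assumed policy values; a real deployment would tune these.
MAX_NUMBERS_PER_LOOKUP = 50        # numbers accepted in one request
MAX_LOOKUPS_PER_WINDOW = 5         # lookups per account per window
LOOKUP_WINDOW_SECONDS = 60.0
MAX_REGISTRATIONS_PER_WINDOW = 3   # new accounts per source IP per window
REGISTRATION_WINDOW_SECONDS = 24 * 3600.0


class FindFriendsService:
    """Directory lookup and registration with sliding-window limits."""

    def __init__(self, directory, now=time.monotonic):
        self.directory = dict(directory)
        self.now = now                      # injectable clock for testing
        self._lookups = defaultdict(deque)  # account_id -> timestamps
        self._registrations = defaultdict(deque)  # ip -> timestamps

    def _within_limit(self, history, key, limit, window):
        """Record one event for `key`; False if it exceeds `limit` per `window`."""
        t = self.now()
        q = history[key]
        while q and t - q[0] >= window:     # drop events outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(t)
        return True

    def find_friends(self, account_id, numbers):
        """Return which of `numbers` belong to registered users, if allowed."""
        if len(numbers) > MAX_NUMBERS_PER_LOOKUP:
            return {"ok": False, "error": "too_many_numbers"}
        if not self._within_limit(self._lookups, account_id,
                                  MAX_LOOKUPS_PER_WINDOW, LOOKUP_WINDOW_SECONDS):
            return {"ok": False, "error": "rate_limited"}
        matches = {n: self.directory[n] for n in numbers if n in self.directory}
        return {"ok": True, "matches": matches}

    def register(self, source_ip, username, phone):
        """Create an account unless this IP has hit the registration limit."""
        if phone in self.directory:
            return {"ok": False, "error": "phone_in_use"}
        if not self._within_limit(self._registrations, source_ip,
                                  MAX_REGISTRATIONS_PER_WINDOW,
                                  REGISTRATION_WINDOW_SECONDS):
            return {"ok": False, "error": "rate_limited"}
        self.directory[phone] = username
        return {"ok": True, "username": username}


def max_numbers_per_hour():
    """Upper bound on numbers one account can test per hour under these limits."""
    windows_per_hour = 3600.0 / LOOKUP_WINDOW_SECONDS
    return int(windows_per_hour * MAX_LOOKUPS_PER_WINDOW * MAX_NUMBERS_PER_LOOKUP)


if __name__ == "__main__":
    svc = FindFriendsService(SAMPLE_DIRECTORY)
    print(svc.find_friends("acct-1", ["+15550000001", "+15550000009"]))
    for _ in range(MAX_LOOKUPS_PER_WINDOW):
        svc.find_friends("acct-1", ["+15550000002"])
    print(svc.find_friends("acct-1", ["+15550000002"]))  # now rate_limited
    print("numbers per account per hour:", max_numbers_per_hour())
```

With the assumed values, one account can test at most 15,000 numbers an hour, and the per-IP registration limit means the accounts needed to go faster cannot be minted in bulk from one machine. The limit is enforced on the server regardless of what the client sends, which is the point Gibson makes: the client is not what needs changing.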
That team has maybe been more focused on its freshly updated app. Now users can add filters and "replay" one snap every 24 hours. (Via Mashable)
Snapchat hasn't responded to any requests for comment on these exploits or even acknowledged whether they exist.