After security researchers announced a way to match Snapchat usernames to telephone numbers, Snapchat has published a skimpy statement making the hack sound impractical and noting, “We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
Earlier this week ZDNet published an in-depth report on how white-hat Gibson Security researchers had tried to notify Snapchat of a way hackers could connect usernames to phone numbers for use in stalking, but were ignored. The GibSec team then published the exploit publicly on Christmas Eve. Read ZDNet’s post for full details on how the hack works.
Snapchat hadn’t provided a public statement until now, and what it’s offered isn’t very satisfying. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year, we’ve implemented various safeguards to make it more difficult to do.”
It goes on to note it’s added more barriers to the use of this hack.
There are no details on how these countermeasures work, such as whether they involve rate limiting, bad IP blocking, or automated systems that scan for suspicious activity when someone is trying to match names and numbers. The vagueness could keep the new barriers from being evaded, but doesn’t offer much comfort to users.
Snapchat correctly stresses there’s no easy way to discover someone’s phone number based on their username or vice versa. And it explains that the ability to match names and phone numbers on a limited basis is very helpful for users trying to find their friends on the service through their phone’s address book. Still, the company’s statement doesn’t seem very sympathetic to people concerned about their privacy.