Tiny Deathstars of Foulness, a site run by security researchers, has leaked a large number of accounts from Snapchat. Mine is one. Luckily I don’t mind if people know my Snapchat username. Nor do I mind if my number, along with a few million others, is sold to some dastardly scamp who’s gonna’ what, call me and try to sell me crap (that happens anyway, including on my mobile)? Having said that, a lot of people are worried about their privacy. Especially if they’re using a tool like Snapchat to send pictures their wives or husbands might not appreciate them sending (I’m thinking Bobby Petrino here) or something more nefarious.

So for those who are into privacy, or those who are just curious, how do you know if your Snapchat information was part of the leak, and do you care? Well, you could download the CSV and search within it (e.g. from Excel). You could also grab a SQL dump. If you don’t wanna’ download a huge file and parse through it, you can also just run a search at a site that just parses through the simple SQL database as well. Simply go to the site, type your username or mobile number and click Check. If your information was leaked, you’ll see a message saying so.

Now, I was once quoted for saying “It’s not hacking if you know the password.” This is kinda’ how I feel about this exploit. Snapchat has a recent(ish) API that they have developed. An API allows other sites to interact with your site. Everyone under the sun has an API, including the most popular social networks such as Twitter, Facebook, etc. The API allows those sites to exchange data. For example, my Fitbit can post to Twitter (not that I really do, but it can) using the Twitter API. A lot of the bots that run on these networks leverage the APIs to do so. It’s an exchange of data. In fact, anyone can use these APIs. All you have to do is request a key.
Most companies limit the rate of information that can be pulled down using an API via a feature called rate limiting, which limits the number of queries that can be performed. Snapchat should implement such a feature. It would go a long way in satisfying security researchers. Does Snapchat, a tool that touts anonymity, really need an API? Is this leak actually just a sign of much more severe security issues with Snapchat? Or, more to what I take away from this, is the question of whether or not a developer should ever expose data specifically meant to be anonymized to an API…
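
The rate limiting described above, sketched as a per-API-key token bucket. This is an added example, not Snapchat's code; the class names, key names, limits and request timestamps are all constructed for illustration.

```python
import time


class TokenBucket:
    """Allows bursts up to `capacity`, then `refill_rate` requests per second."""

    def __init__(self, capacity, refill_rate, now):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.tokens = float(capacity)
        self.updated = now

    def allow(self, now):
        # Credit tokens for the time elapsed since the last request, capped at capacity.
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # caller should answer HTTP 429 and log the key


class LookupRateLimiter:
    """One bucket per API key, so a bulk client cannot starve normal ones."""

    def __init__(self, capacity=10, refill_rate=1.0):
        self.capacity, self.refill_rate = capacity, refill_rate
        self.buckets = {}

    def check(self, api_key, now=None):
        now = time.monotonic() if now is None else now
        bucket = self.buckets.setdefault(
            api_key, TokenBucket(self.capacity, self.refill_rate, now))
        return bucket.allow(now)


def replay(limiter, api_key, timestamps):
    """Feed constructed request times (seconds) through the limiter."""
    results = [limiter.check(api_key, t) for t in timestamps]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    limiter = LookupRateLimiter(capacity=10, refill_rate=1.0)
    # Constructed traffic: an app doing a lookup every 2 s, and a client
    # that sends 1000 lookups at once, then 1000 more five seconds later.
    print("normal:", replay(limiter, "key-normal", [0.0, 2.0, 4.0, 6.0, 8.0]))
    print("bulk:  ", replay(limiter, "key-bulk", [0.0] * 1000 + [5.0] * 1000))
```

Keying the bucket on the API key alone is an assumption of this sketch; since anyone can request a key, a deployment would typically also limit per account or per source address.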

January 13th, 2014

Posted In: Mac Security
