Sunday, December 29, 2013

Snapchat Responds to Security Exploits with Undisclosed Tweaks

The phrase "additional counter-measures" isn't really the kind of thing you expect to find in one of your (presumably) favorite smartphone apps — unless there's some kind of WarGames-themed app on your phone. However, that's exactly what Snapchat's developers are now deploying in response to this week's revelations by security researchers about matching Snapchat user names to real-life phone numbers.

The report, published by Gibson Security on Christmas Eve, details how one can use publicly available versions of Snapchat's API to perform mass lookups of users' Snapchat IDs based on submitted phone numbers.

"We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers). We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z's) in approximately 7 minutes on a gigabit line on a virtual server," reads Gibson Security's blog post. "Given some asynchronous optimizations, we believe that you could potentially crunch through that many in as little as a minute and a half (or, as a worst case, two minutes). This means you'd be railing through as many as 6666 phone numbers a minute (or, in our worst case, 5000!)."

According to Gibson Security, the issue is allegedly fixable by adding rate limiting to the lookup request. That would stall the attempts of anyone trying to batch their way through Snapchat's eight-million-plus user base – which, Gibson Security notes, would take about "20 hours for one $10 virtual server to eat through and find every user's phone number."
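The rate limiting Gibson Security proposes is straightforward to sketch. What follows is an added example, not code from Snapchat or Gibson Security: a per-account sliding-window limiter that counts phone numbers submitted to a lookup endpoint (and, separately, account registrations) and refuses requests once a quota for the window is spent. The endpoint names, quotas, and the constructed client loop are assumptions chosen to illustrate the effect; the point is that the unit being budgeted is phone numbers looked up, not HTTP requests, so shrinking or enlarging batch sizes does not help a bulk caller.

```python
"""Added example (not Snapchat's or Gibson Security's code): a sliding-window
rate limiter of the kind the post says would blunt mass phone-number lookups.
Endpoint names, quotas and the simulated client are assumptions."""
import time
from collections import defaultdict, deque

# Constructed policy, keyed by endpoint. Quotas are illustrative, not Snapchat's.
#   max_numbers: phone numbers a single key may submit within per_seconds
#   max_batch:   phone numbers allowed in one request
POLICY = {
    "find_friends": {"max_numbers": 200, "per_seconds": 3600, "max_batch": 50},
    "register":     {"max_numbers": 3,   "per_seconds": 86400, "max_batch": 1},
}


class SlidingWindowLimiter:
    """Budgets units of work (phone numbers submitted) per (endpoint, key)
    over a rolling window, rather than counting bare requests."""

    def __init__(self, policy):
        self.policy = policy
        # (endpoint, key) -> deque of (timestamp, units) events inside the window
        self._events = defaultdict(deque)

    @staticmethod
    def _prune(q, now, window):
        # Drop events that have aged out of the window.
        while q and now - q[0][0] >= window:
            q.popleft()

    def check(self, endpoint, key, units, now=None):
        """Return (allowed, reason). Quota is consumed only when allowed."""
        p = self.policy[endpoint]
        now = time.monotonic() if now is None else now
        if units > p["max_batch"]:
            return False, "batch too large"
        q = self._events[(endpoint, key)]
        self._prune(q, now, p["per_seconds"])
        used = sum(count for _, count in q)
        if used + units > p["max_numbers"]:
            return False, "rate limit exceeded"
        q.append((now, units))
        return True, "ok"


def simulate_burst(limiter, account, total_numbers, batch, start=0.0, spacing=0.1):
    """Constructed client that submits `total_numbers` phone numbers in batches
    from one account and stops at the first refusal. Returns how many numbers
    the limiter let through, i.e. what the enumeration would have yielded."""
    looked_up = 0
    t = start
    while looked_up < total_numbers:
        n = min(batch, total_numbers - looked_up)
        allowed, _ = limiter.check("find_friends", account, n, now=t)
        if not allowed:
            break
        looked_up += n
        t += spacing
    return looked_up


if __name__ == "__main__":
    lim = SlidingWindowLimiter(POLICY)
    # The post's figure: 10,000 numbers in ~7 minutes. Under this policy one
    # account gets 200 per hour, whatever batch size it picks.
    print("numbers returned before throttling:", simulate_burst(lim, "acct-1", 10_000, 50))
    print("oversized batch:", lim.check("find_friends", "acct-1", 51, now=1.0))
    print("after the window expires:", lim.check("find_friends", "acct-1", 1, now=3600.5))
```

Note that the quota is keyed per account; in practice you would also key on source address and on the device, since the post's second finding (easy mass registration) means a per-account quota alone can be multiplied by creating accounts. That is why the policy above also budgets the registration endpoint.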

Additionally, Gibson Security notes that Snapchat's "lax registration functionality" also makes it easy to mass-generate accounts for the service. That's of little use to an ordinary person, but it is certainly a juicy bit of news for Snapchat spammers.

So, what is Snapchat doing in response? It's unclear just what, specifically, the service has done to address Gibson Security's claims, but the company did publish a new blog post on Friday that indicates they've done something.

"Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we've implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse," reads Snapchat's post.

While that might not be the most relaxing news to those concerned that strangers are running mass lookups of their Snapchat information, at least it's some kind of response? We'll let you know if the Gibson Security team updates their findings based on Snapchat's tweaks.
