
Snapchat Update Addresses Security Hole 58

Posted by timothy
from the you've-got-mail dept.
Snapchat has released an update to address the security problems exposed recently by Gibson Security and subsequently (and quickly) exploited. From the article: "Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."
  • Big lesson (Score:5, Informative)

    by Anonymous Coward on Saturday January 04, 2014 @06:19AM (#45864193)

    Pity that it took such a brutal action by GRC to change this company's point of view.

    • by Anonymous Coward on Saturday January 04, 2014 @06:26AM (#45864205)

      They should have taken the $3 billion when they had the chance. These aren't real business people, they're techies who are holding on to a hot property. They need to know when to let the professionals start running things so they can turn it into a viable company.

      • Re: Big lesson (Score:4, Insightful)

        by DarkOx (621550) on Saturday January 04, 2014 @08:23AM (#45864427) Journal

        You mean the business people who usually buy these "tech firms" for billions and sell them a few years later for millions, as is the usual pattern, those business people?

      • Well, the big problem here is how his CEOness handled the aftermath. This "everything is everyone else's fault" mentality he has is going to keep him from ever getting that three billion dollars. I mean, when asked if it would kill him to take one iota of responsibility he answered "Yes".
    • by Anonymous Coward

      GRC (Gibson Research Corporation) is different from Gibson Security, which seems to be an anonymous group.

    • by not_a_bot (633300)
      I'm not sure they actually learned anything. If you look at the language "We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service ". It seems clear that they keep the public position that it is the researchers' fault for finding the holes and making Snapchat look like amateurs.
  • NSA email (Score:5, Funny)

    by Anonymous Coward on Saturday January 04, 2014 @06:23AM (#45864199)

    To: security@snapchat.com
    From: NSAops@langly.gov

    Subject: Latest Snapchat security update

    We were using that you bastards!

    • by Anonymous Coward
      To: NSAops@langly.gov
      From: security@snapchat.com

      Sorry, had to for PR reasons. Another new version with new deniable hole will be released shortly. Details will be reported as usual.

    • by Calydor (739835)

      Isn't it 'Langley'?

      • by TheP4st (1164315)

        Isn't it 'Langley'?

        As far as I know it's neither. Langley, Virginia is where the CIA HQ is located, while the NSA has its HQ in Fort Meade, Maryland.

    • by Fnord666 (889225)
      Given what we have seen so far there are probably so many weaknesses in this application that the NSA barely even noticed the loss of this one. Since it didn't give them access to the content it was a minor exploit at best. A more likely response is:

      To: security@snapchat.com
      From: NSAops@nsa.gov

      Subject: Latest Snapchat security update

      Thanks for not really taking this seriously and just saying that you'll pay more attention next time when someone tells you that you have an issue. We were concerne
  • Caveat (Score:5, Funny)

    by StikyPad (445176) on Saturday January 04, 2014 @06:32AM (#45864219) Homepage

    ...adding that emails sent to that address would be deleted after 10 seconds.

    • However, in a statement the company said it listens to customers and announced that all the reported security bugs and suggestions would be fixed and implemented in the next revision of the software - using self modifying code that overwrites itself with random bits after 10 seconds.
    • by Anonymous Coward

      My friend used to be "abuse@microsoft.com", she was the only one who would bother to actually read and answer complaints. It was a thankless job, one that saved Microsoft many thousands if not millions of dollars by revealing some real snakepits before they became embarrassing, and detecting major spam senders early before they could DDOS the core mail servers. But lord, it wasn't pretty.

  • by Anonymous Coward on Saturday January 04, 2014 @06:42AM (#45864237)

    Turning down 3 billion. Just months before a giant security leak that makes gobs of people leave their service...

    Could have all been sitting on a beach somewhere warm and toasty reading about someone else's giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...

    Something tells me they won't be getting another offer in the billions.

    • by pspahn (1175617)
      They said the same thing at the Alamo. Or was it an Isotopes game? Pfft. Either way, the sentiment is the same ... wait, who is Snapchat?
    • by Anonymous Coward

      Could have all been sitting on a beach somewhere warm and toasty reading about someone else's giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...

      Would have been me, but then, the problem is that people like us who think like this are usually not the ones who make it big to begin with. It is the people who are so driven, so willing to risk and gamble everything, who are not looking for a luxury beach life out but want to continue to spend 20 hour days working even more on their project, to take it even further, even bigger, even after they could score and settle... sigh..

      • by Anonymous Coward

        I could see doing so for something unique and special and most of all... important.

        But this is a chat program. A messenger program. Dime a dozen. One of many. Just a few days ago we saw here on Slashdot a list of other 'delete the message' programs to replace Snapchat.

        All they really had going for them was popularity. A fad. They are not special. Not unique. And now their popularity is severely damaged. The fad may die and they will be left with nothing.

        That was a foolish thing to be driven for w

    • Don't be too sure of that. Purchasers routinely hire security experts to review the security of major acquisitions prior to the buy-out, with various stipulations in the agreement as to what types of findings will be the responsibility of which party. Such a review would likely have found the issue before it was announced publicly.

      So few companies are smart enough to bring in security experts *before* they need them.

    • by Chemisor (97276)

      > Turning down 3 billion just months before a giant security leak

      Coincidence?

      • No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost.

        • by Fnord666 (889225)

          No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost. So it's very rare in the early "get market growth first before someone else can outgrow us and capture the market" phase.

          I agree, but the rapid development life-cycle is not solely responsible. Even in this day and age, most developers still don't have a good working knowledge of application security. I feel like this is a systemic issue with the education process. Across the teaching spectrum from post-secondary education to "teach yourself" books to boot camp instruction, application security is barely given a mention. Most of the developers that I have hired that did know something about it came from larger development

  • Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

    Anyway, I'm more and more convinced that keeping a successful product, taking responsibility for it and developing it further might be The Right Thing (for the customers and the code), but is not the right business strategy. If your product becomes successful enough to prompt a giga$ offer - sell. Immediately. If you really want to keep working on it, insist on keeping some t

    • by Desler (1608317)

      Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

      What was a correct response? That they initially claimed this wasn't an issue and blew it off? [techcrunch.com]

      Snapchat hadn’t provided a public statement until now, and what it’s offered isn’t very satisfying. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.” It goes on to note it’s added more barriers to the use of this hack.

      Looks like it was not as "theoretical" as they claimed.

    • by Desler (1608317)

      And to add to my previous post, Gibson Security informed them of this hole in August [zdnet.com] and were ignored. In what way is waiting more than 4 months, letting exploit code be posted and user data be leaked before you actually do something a "correct response"?

      • by akozakie (633875)

        Was my previous post so hard to understand?

        Today's summary describes a correct response. I asked why stuff like this must be news, when it should, but clearly isn't, business as usual. How can "please inform us about any security problems here: x@y.z" possibly be newsworthy, not standard procedure since early beta? They could have handled the situation like this from the start. Unfortunately most young web/cloud companies do not care about security at all (heh, as if older ones were much better...) and do n

        • by akozakie (633875)

          One more unrelated thing:

          Unfortunately most young web/cloud companies do not care about security at all

          This actually isn't nearly as stupid as it sounds, at least for anything "social". Your users tend to be young and careless or just generally not very privacy and security conscious. With a bit of luck no one will attack you for a while (until you're really big). If you can show quick growth during that time, you should be able to get a huge offer and sell out before any significant attacks happen, making security 100% SEP. Money spent on fixing vulnerabilities is money wasted in this

        • by Desler (1608317)

          I'm not angry. Also, only doing anything after being exploited is not a correct response. Especially after handwaving the issue away by claiming the attack was only theoretical.

          • by akozakie (633875)

            One more observation: once actually hit and forced to react by the PR consequences they react quickly and properly. This shows that they were never incompetent about this. They knew from the start how to handle the issue properly. They just didn't give a [CENSORED].

            Maybe I'm wrong, but this looks a bit hopeless from the PR side. They had a good run and failed to earn from it. Oops.

    • by Fnord666 (889225)

      Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

      It was not the correct response. They just "hand waved" it off when they were informed of the issue, basically saying that they knew better than the researchers that found the exploit. Turns out that they were wrong and paid the price.

      • by akozakie (633875)

        See my response to Desler's second response. I was referring to today's news, not their initial response. It is a correct response and exactly what they should have done initially.

        Dang, seems my post was really misleading...

  • by Anonymous Coward

    Evidently, if one cares about improving security quickly, spreading user data all over the web is the best way to let them know.

  • "Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."

    I think it's a little too late to be closing the barn door now. The horses are all long gone. They had a major security breach and their chances of a sale or IPO have gone swirling down the toilet. The top Google search results will return news of this hack for years to come.

    Unfortunately in this day and age of web application development the security aspects of many projects seem to be an afterthought if they are considered at all. Personally I hope that they and other developers learn from this and

  • On the other hand, this was fun data to play with! http://algorithmshop.com/20140102-snapchat-leak.html#8683539695368214636 [algorithmshop.com]
