Snapchat Update Addresses Security Hole 58
Snapchat has released an update to address the security problems exposed recently by Gibson Security and subsequently (and quickly) exploited. From the article: "Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."
Big lesson (Score:5, Informative)
Pity that it took such a brutal action by GRC to change this companies point of view.
Re: Big lesson (Score:4, Funny)
They should have taken the $3 billion when they had the chance. These aren't real business people, they're techies who are holding on to a hot property. They need to know when to let the professionals start running things so they can turn it into a viable company.
Re: Big lesson (Score:4, Insightful)
You mean the business people who usually buy these "tech firms" for a billions and sell them a few years later for millions as is the usually pattern, those business people?
Re: (Score:2)
Re: (Score:1)
GRC (Gibson Research Corporation) is different from Gibson Security, which seems to be an anonymous group.
Re: (Score:1)
NSA email (Score:5, Funny)
To: security@snapchat.com
From: NSAops@langly.gov
Subject: Latest Snapchat security update
We were using that you bastards!
Re: (Score:1)
From: security@snapchat.com
Sorry, had to for PR reasons. Another new version with new deniable hole will be released shortly. Details will be reported as usual.
Re: (Score:2)
Isn't it 'Langley'?
Re: (Score:3)
Isn't it 'Langley'?
As far as I know it's neither. Langley, Virginia is where the CIA HQ are located while NSA have their HQ in Fort Meade, Maryland.
Re: (Score:2)
To: security@snapchat.com
From: NSAops@nsa.gov
Subject: Latest Snapchat security update
Thanks for not really taking this seriously and just saying that you'll pay more attention next time when someone tells you that you have a issue. We were concerne
Caveat (Score:5, Funny)
...adding that emails sent to that address would be deleted after 10 seconds.
Re: (Score:2)
Re: (Score:1)
My friend used to be "abuse@microsoft.com", she was the only one who would bother to actually read and answer complaints. It was a thankless job, one that saved Microsoft many thousands if not millions of dollars by revealing some real snakepits before they became embarrassing, and detecting major spam senders early before they could DDOS the core mail servers. But lord, it wasn't pretty.
Still one of the stupidest things of 2013. (Score:4, Insightful)
Turning down 3 billion. Just months before a giant security leak that makes gobs of people leave their service...
Could have all been sitting on a beach somewhere warm and toasty reading about someone elses giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...
Something tells me they won't be getting another offer in the billions.
Re: (Score:2)
Re: (Score:1)
Could have all been sitting on a beach somewhere warm and toasty reading about someone elses giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...
Would have been me, but then, the problem is that people like us who think like this are usually not the ones who make it big to begin with. It is the people who are so driven, so willing to risk and gamble everything, who are not looking for a luxury beach life out but want to continue to spend 20 hour days working even more on their project, to take it even further, even bigger, even after they could score and settle... sigh..
Re: (Score:1)
I could see doing so for something unique and special and most of all... important.
but this is a chat program. a messenger program. Dime a dozen. one of many. just a few days ago we saw here on slashdot a list of other 'delete the message' programs to replace snapchat.
All they really had going for them was popularity. A fad. They are not special. Not unique. And now their popularity is severely damaged. The fad may die and they will be left with nothing.
That was a foolish thing to be driven for w
Re:Still one of the stupidest things of 2013. (Score:5, Insightful)
Don't be too sure of that. Purchasers routinely hire security experts to review the security of major acquisitions prior to the buy-out, with various stipulations in the agreement as to what types of findings will be the responsibility of which party. Such a review would likely have found the issue before it was announced publicly.
So few companies are smart enough to bring in security experts *before* they need them.
Re: (Score:2)
> Turning down 3 billion just months before a giant security leak
Coincidence?
Re: (Score:2)
No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost.
Re: (Score:2)
No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost. So it's very rare in the early "get market growth first before someone else can outgrow us and capture the market" phase.
I agree, but the rapid development life-cycle is not solely responsible. Even in this day and age, most developers still don't have a good working knowledge of application security. I feel like this is a systemic issue with the education process. Across the teaching spectrum from post-secondary education to "teach yourself" books to boot camp instruction, application security is barely given a mention. Most of the developers that I have hired that did know something about it came from larger development
regression communications (Score:1)
this is what i look like on POT (Personal Open Terminal); (;^)-)=| so looks don't matter either
Too bad its news... (Score:2)
Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.
Anyway, I'm more and more convinced that keeping a successful product, taking responsibility for it and developing it further might be The Right Thing (for the customers and the code), but is not the right business strategy. If your product becomes successful enough to prompt a giga$ offer - sell. Immediately. If you really want to keep working on it, insist on keeping some t
Re: (Score:1)
Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.
What was a correct response? That they initially claimed this wasn't an issue and blew it off? [techcrunch.com]
Snapchat hadn’t provided a public statement until now, and what it’s offered isn’t very satisfying. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.” It goes on to note it’s added more barriers to the use of this hack.
Looks like it was not as "theoretical" as they claimed.
Re: (Score:1)
And to add to my previous post, Gibson Security informed them of this hole in August [zdnet.com] and were ignored. In what way is waiting more than 4 months, letting exploit code be posted and user data be leaked before you actually do something a "correct response"?
Re: (Score:2)
Was my previous post so hard to understand?
Today's summary describes a correct response. I asked why stuff like this must be news, when it should, but clearly isn't, business as usual. How can "please inform us about any security problems here: x@y.z" possibly be newsworthy, not standard procedure since early beta? They could have handled the situation like this from the start. Unfortunately most young web/cloud companies do not care about security at all (heh, as if older ones were much better...) and do n
Re: (Score:2)
One more unrelated thing:
Unfortunately most young web/cloud companies do not care about security at all
This actually isn't nearly a stupid as it sounds, at least for anything "social". Your users tend to be young and careless or just generally not very privacy and security conscious. With a bit of luck noone will attack you for a while (until you're really big). If you can show quick growth during that time, you should be able to get a huge offer and sell out before any significant attacks happen, making security 100% SEP. Money spent on fixing vulnerabilities is money wasted in this
Re: (Score:2)
I'm not angry. Also, only doing anything after being exploited is not a correct response. Especially after handwaving the issue away by claiming the attack was only theoretical.
Re: (Score:2)
One more observation: once actually hit and forced to react by the PR consequences they react quickly and properly. This shows that they were never incompetent about this. They knew from the start how to handle the issue properly. They just didn't give a [CENSORED].
Maybe I'm wrong, but this looks a bit hopeless from the PR side. They had a good run and failed to earn from it. Oops.
Re: (Score:2)
Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.
It was not the correct response. They just "hand waved" it off when they were informed of the issue, basically saying that they knew better than the researches that found the exploit. Turns out that they were wrong and paid the price.
Re: (Score:2)
See my response to Desler's second response. I was referring to today's news, not their initial response. It is a correct response and exactly what they should have done initially.
Dang, seems my post was really misleading...
E-mail is not the best way (Score:1)
Evidently, If one cares about improving security quickly, spreading user data all over the web is the best way to let them know.
Re: (Score:2)
And it would be just great if the company didn't provide a way for the public to contact their security staff, right?
Oh sure (Score:2)
"Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."
I think it's a little too late to be closing the barn door now. The horses are all long gone. They had a major security breach and their chances of a sale or IPO have gone swirling down the toilet. The top Google search results will return news of this hack for years to come.
Unfortunately in this day and age of web application development the security aspects of many projects seem to be an afterthought if they are considered at all. Personally I hope that they and other developers learn from this and
Visualization (Score:1)