Evan Spiegel, founder of Snapchat, turned down Google offer of $4bn
Evan Spiegel, founder of Snapchat, speaking at AllThingsD conference this year. (AllThingsD)

In its first public response to the leaking of 4.6 million usernames and phone numbers of Snapchat users, the company behind the hugely popular messaging service admitted it knew about the security loophole months ago and said it would be releasing an updated app.

On New Year's Eve, an anonymous group of hackers known as Snapchat DB stole the information from Snapchat's servers and posted the information online, though it did redact the final two digits of each phone number to protect Snapchat users.

In a 27 December blog post, Snapchat - headed by 23-year-old Evan Spiegel - brushed off allegations that its app was wide open to attack, saying that while it knew about the threats, they were only "theoretical" at this stage.


This was likely the trigger for Snapchat DB, a group based in Europe and the US, which conducted its attack just four days later.

The security vulnerabilities in Snapchat's app were first pointed out in August by Australian company Gibson Security. The firm claimed that it could obtain 10,000 phone numbers of Snapchat users "in approximately 7 minutes on a gigabit line on a virtual server."

Gibson Security has denied any connection with this week's attack on Snapchat.

No apology

Snapchat called the hackers' release of user information an "abuse" of its system and did not apologise to users over the breach.

It did, however, announce that it would be releasing an updated app which would address the main security vulnerability uncovered by the attack.

"We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number," the company wrote.


Find Friends is the system by which Snapchat allows users to connect with friends by asking for their phone number, with the phone numbers attached to usernames rather than real names.

Snapchat added: "We're also improving rate limiting and other restrictions to address future attempts to abuse our service."

Rate limiting restricts how many times a party can query the Snapchat servers.

Speaking to Reuters, a spokesperson for Snapchat DB said: "Let's hope they aren't trying to downplay the situation once again and avoid the heat, but instead taking reasonable steps to secure sensitive user information. Actions speak louder than words."