
Researchers publish Snapchat code allowing phone number matching - firemedicpro
http://www.zdnet.com/researchers-publish-snapchat-code-allowing-phone-number-matching-after-exploit-disclosures-ignored-7000024629/
======
antics
I'm one of the authors of Snapchat FS [1]. In order to build this, my coauthor
Chad and I had to reverse engineer their API, which included decompiling the
Android APK and snooping around for the call site of util encrypt.

While a lot of the security problems they have could indeed be fixed, I think
it's worth noting a couple of things.

* The Snapchat API is _fundamentally_ insecurable as it exists today. The problem is not that Snapchat could have secured their API against unauthorized access and simply failed to do so, it's that their API cannot possibly be secured, AND they happened to make some bad mistakes along the way. Even a serious security team would have been unable to lock everything down. They might have locked some of these issues down, but they would not have gotten all of them.

* So, while I sympathize with the feeling that Snapchat is anti-OSS and anti-hacker, realistically, I also sympathize with Snapchat's position. They don't have that many options. What are they going to do? Their public position -- i.e., that you should not break their TOS -- does not strike me as especially unreasonable considering that investing millions into security will still not give them a bulletproof solution.

* Also worth noting is that Snapchat does not unilaterally ignore security inquiries, or at least, they did not ignore me. I emailed them personally and the response I got (from a high-level employee) was warm and encouraging. I did not get the cold shoulder. In fact, I found our interactions quite pleasant, and it made me want to help them lock things down.

Ultimately I think it's easy to write off the team as just a bunch of
incompetent fools, but let's be realistic here: _it's easier to break things
than make them provably unbreakable_.

Again, yes they've made some bad mistakes, but posturing about breaking a
system that cannot be secured is perhaps not the best use of Gibson's obvious
talent. The same also goes for the many other security researchers who've
audited the API.

[1] [https://github.com/hausdorff/snapchat-fs](https://github.com/hausdorff/snapchat-fs)

~~~
gibsonsecurity
Hi, I'm one of the authors of the above release [1], and the exploit we
primarily talked about (find_friends) isn't really an issue with the protocol
as a whole.

We understand the need to support legacy clients, but Snapchat could easily
limit the damage this exploit could do.

It wouldn't be that hard for them to make the best of what they have, by
auditing all the code that typically has these exploits, and from that point
onwards, also auditing riskier areas in the code base periodically.

But yeah, we have seen an improvement in some of the Snapchat client code,
which indicates there are probably some bright new developers that have just
joined the team. We just find it pretty bad that in this time, we haven't seen
attempts (on our end, server side may be different) to secure the protocol.

Also regarding communication, we haven't heard a word from Snapchat in 4
months, neither has the reporter of this story, Violet Blue. If any of the
guys from Snapchat are reading this (or you can pass on a message), tell them
they're free to message us at security@gibsonsec.org.

We're pretty easy to contact.

[1]: [http://gibsonsec.org/snapchat/fulldisclosure/](http://gibsonsec.org/snapchat/fulldisclosure/)

*

Just saw your edit, the purpose of this release wasn't to tell everyone we're
the nth person to reverse engineer Snapchat's protocol, but rather to bring
attention to the particular vulnerabilities.

I can speak for the rest of our team, and we're pretty sick of Snapchat's
protocol, and this will most likely be our last release regarding it.

(Also I noticed newlines broke, kinda fixed that)
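The comment above argues that Snapchat could bound the damage of the find_friends lookup without changing the protocol. The following is an added illustration of that server-side idea, written for this page; it is not Snapchat's code and not part of the GibsonSec release. The class, the thresholds (batch size, per-window quota, miss-rate cutoff) and the phone numbers are all assumptions constructed for the example: a contact-matching endpoint that caps each batch, throttles lookups per account per window, and flags accounts whose lookups behave like a scan of a number block (high volume, almost no matches) rather than an address-book sync.

```python
# Added example: toy contact-matching endpoint with the kind of server-side
# limits that bound bulk phone-number lookups. Not Snapchat's code; all names,
# thresholds and sample numbers below are assumptions for illustration.
from collections import defaultdict

MAX_BATCH = 50               # assumption: max numbers per find_friends call
MAX_PER_WINDOW = 200         # assumption: max lookups per account per window
WINDOW_SECONDS = 3600
SUSPICIOUS_MISS_RATE = 0.95  # assumption: no-match share that flags an account


class ContactMatcher:
    """Server-side contact matching with per-account throttling and
    enumeration detection."""

    def __init__(self, registered):
        # registered: phone number -> username (constructed sample data)
        self._registered = dict(registered)
        # per-account timestamps of lookups inside the current window
        self._lookups = defaultdict(list)
        # per-account counters used for enumeration detection
        self._stats = defaultdict(lambda: {"queried": 0, "matched": 0})

    def _prune(self, account, now):
        # drop lookups that have aged out of the sliding window
        cutoff = now - WINDOW_SECONDS
        self._lookups[account] = [t for t in self._lookups[account] if t > cutoff]

    def find_friends(self, account, numbers, now):
        """Return (status, matches); status is 'ok', 'batch_too_large'
        or 'rate_limited'. Rejected calls count nothing against the quota."""
        if len(numbers) > MAX_BATCH:
            return "batch_too_large", {}
        self._prune(account, now)
        if len(self._lookups[account]) + len(numbers) > MAX_PER_WINDOW:
            return "rate_limited", {}
        self._lookups[account].extend([now] * len(numbers))
        matches = {n: self._registered[n] for n in numbers if n in self._registered}
        stats = self._stats[account]
        stats["queried"] += len(numbers)
        stats["matched"] += len(matches)
        return "ok", matches

    def miss_rate(self, account):
        """Share of an account's lookups that matched nobody (0.0 if none yet).
        A real address-book sync hits registered users fairly often; a scan
        over a sequential block of numbers almost never does."""
        s = self._stats[account]
        return 0.0 if s["queried"] == 0 else 1 - s["matched"] / s["queried"]

    def flagged_accounts(self, min_queried=100):
        """Accounts whose volume and miss rate look like range enumeration."""
        return sorted(a for a, s in self._stats.items()
                      if s["queried"] >= min_queried
                      and self.miss_rate(a) >= SUSPICIOUS_MISS_RATE)


def demo():
    """Run one ordinary sync and one block scan through the same matcher."""
    registered = {"+15550000001": "alice", "+15550000002": "bob",
                  "+15550000005": "carol"}            # constructed sample data
    m = ContactMatcher(registered)
    # an ordinary address-book sync: a few numbers, decent hit rate
    status, found = m.find_friends(
        "normal_user", ["+15550000001", "+15550000002", "+15550000777"], now=0)
    # a sequential block of 250 numbers pushed through in max-size batches:
    # the fifth batch exceeds the per-window quota and is refused
    block = [f"+1555000{i:04d}" for i in range(250)]
    results = [m.find_friends("scanner", block[i:i + MAX_BATCH], now=1)[0]
               for i in range(0, len(block), MAX_BATCH)]
    return status, found, results, m.flagged_accounts()


if __name__ == "__main__":
    print(demo())
```

The quota bounds how many numbers one account can test per window, and the miss-rate check catches the accounts that spend that quota on a block scan; the two together are what "limit the damage" looks like on the server side, independent of whichever client version makes the request.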

~~~
antics
Yeah, I agree with pretty much everything you said. I too think they could do
a lot of things better. Yes, they've been really really slow to fix known
issues. I did not mean to denigrate your work, which seems solid. :)

I'm just saying, 9 months down the road, if they had the optimal version of
their security protocol, someone could still break in and write a post that
"audits" it, just like we get every couple of months on the HN frontpage.
Everyone would laugh, again. Some people would know that it's as good as it
gets, but most people would just be in it for the circle jerk. There's no win
for them here. That's all I'm saying.

*

Also, seeing your edit responding to my edit, sorry, I sometimes post before I
work everything out perfectly. This isn't really an indictment of you guys
specifically. I think your work is great.

~~~
gibsonsecurity
Thanks, and that's totally fine. I agree with you, Snapchat's definitely flawed
from the start, but as long as we get rid of gaping holes in their security
such as the find_friends exploit, at least they're halfway there.

(OT, but you have a really cool project list btw :P)

------
kaivi
I have been following their API changes since its major update in early
2013, and anyone could have exploited the phone lookup function easily,
because everything is there in the open. I was surprised by how easy it was to
decompile the Android app:

    public static boolean NEEDS_FUCKED_UP_NEXUS_422_SETTINGS()

    Timber.d("Looks like camprevs gon hide dis shit", new Object[0]);

There really is no way for the Snapchat team to completely prevent others from
reversing their API. A client is the endpoint after all. In order to make
things difficult for hackers, they could do the following:

1. Implement a custom protocol over TCP/IP, kind of what Skype does.

2. Obfuscate the hell out of it and everything else.

3. Roll out new updates with both APIs.

4. After a reasonable amount of time, break backwards-compatibility on server
side.

~~~
gibsonsecurity
Hahahaha, I don't think making it harder to reverse would be any better, it
would probably motivate people even more (deobfuscation is too much fun and
fairly easy!).

They should really just focus on improving what they have and pushing clients
towards a safer protocol slowly.

Snaps being stolen will always happen, but I do like the approach Instagram
took to preventing spammers (getInstagramString(), it stopped everyone until
they adapted!).

~~~
kaivi
Yep, but at least that would be fun, don't you agree?

I also wonder why didn't anybody set up a Snapchat bot yet: it could
successfully impersonate multiple humans by forwarding snaps between pairs of
unsuspecting users, gathering a lot of data that way.

~~~
rmccue
Actually, I know of one set up by a friend: snaproulettebot. You send a snap,
and it sends you a random one back later from another user. Being called
"snaproulettebot" makes it pretty obvious what it is, but you could do it in a
more opaque way.

------
lechevalierd3on
And 4 billion dollars was not enough...

------
zmanian
The user experience that has contributed to Snapchat's success is the ability
to message with untrusted partner with constraints established by the central
server and client. The biggest constraint is certain level of inconvenience in
logging and redistributing the contents of the conversation.

Snapchat's business value could evaporate if clients that subvert the
constraints on the user experience proliferated. The discussion seems to
indicate that the technical barriers to this outcome are deeply inadequate.
Snapchat looks like they are primarily going to use mechanisms to block the
distribution channels of the Play Store and iTunes to ensure user experience
integrity. This has the potential to fail catastrophically.

------
davidgerard
In further news, DRM is _still_ mathematically impossible.

------
camus2
So basically the Snapchat app can't know what client is legit and what client is
not, so you could write your own Snapchat client?

~~~
21echoes
This is pretty fundamentally true of clients in general... if the code is on
my machine, I can modify it, end of story.

------
muratmutlu
Hey Gibsonsecurity,

Just wondering about Snapchat's claim to have 70% users.

Could they have possibly run the names of users through a gender DB to get a
rough percentage?

~~~
gibsonsecurity
We thought about that, and it would be pretty misleading. If they did find out
data that way, they should really tell people how inaccurate it can be.

~~~
datapolitical
Why not just take a random sample of 5000 users and look at their snaps to
determine if they're male or female? You won't be exact but you'll know if
it's 70% women instead of 50%.

~~~
gibsonsecurity
Obvious privacy reasons that would probably get Snapchat sued, but otherwise,
yes that would probably work.

------
Kiro
This changes nothing.

