
Find Friends Abuse - michaelrbock
http://blog.snapchat.com/post/72013106599/find-friends-abuse
======
pkfrank
I really feel like SnapChat is fumbling this whole thing. They ignored the
security warning, and now seem to be blaming the security group for the leak
of info:

>On Christmas Eve, that same group publicly documented our API, making it
easier for individuals to abuse our service and violate our Terms of Use.

The funny thing is that folks on HN and in the tech community generally will
fault SnapChat for their callous attitude to security and pitiful response.
But 99.9% of their users won't know or care, and investors will consider this
a "lesson learned" and move on without a second thought.

Once the 24/hr news-cycle moves past the hyperbolic "SnapChat Hacked!"
headlines, this ordeal and their pathetic response will slip into the
forgotten-ether of low-impact data leaks.

~~~
superuser2
>callous attitude to security and pitiful response

How would you have designed this functionality in a way that isn't vulnerable
to the same attack?

Rate-limiting can slow you down, but you could run the script for months if
you wanted. Fundamentally Snapchat is using user-supplied data, and users can
lie.

Maybe we can check if they are lying by querying a database of people who have
verified that they know each other? Oh wait, that's Facebook. HN would be
boycotting on principle and screaming about violation of privacy.

~~~
hrktb
You seem to take a position defending the snapchat stance ... I read it as a
validation that there is a tradeoff made by design, and anyone caring enough
about privacy wouldn't have implemented the feature in the first place.

Privacy doesn't have to be the goal of every service, let's just admit that it
is not a main concern of Snapchat either.

Of course Facebook also has a lot of leaky behaviors concerning finding
friends and friend suggestion. They also value service growth more than
privacy, and that's their right.

~~~
InclinedPlane
Put hard limits on the rate or total number of friend lookups per account,
especially if a lookup fails. Keep track of global lookups and lock down the
global lookup rate if there is a large number of failures. Keep track of
patterns in lookups. Disallow more than a few lookups for accounts that
haven't sent or received any messages. Require approval by the receiver for a
lookup based on a phone number before the username is revealed. Charge money
for phone number based lookups or require some sort of identification. Only
allow phone number based lookups from within the smartphone app, not via the
API.

And so on.

This is not rocket science, it requires mainly only that the devs legitimately
care about security and privacy. But if the problem is instead approached by
cavalier developers who are only reluctantly tackling the problem after having
been burned by bad PR due to previous breaches then the result will often be
half-assed engineering that does little to solve the problem.

The biggest issue for SnapChat is, to be frank, they are a bunch of dumb-asses
who got lucky and managed to cobble together a silly app that a lot of people
wanted to use. However, the foundation their app is built on is a degree of
privacy, but that privacy is just an illusion, it is not based on any
substantive engineering whatsoever and the SnapChat developers are too
clueless to actually take on the problems that need tackling. This is just the
first of what will ultimately be many failures at SnapChat which will
ultimately reveal the trust placed in the company to be completely misplaced,
causing their user base to evaporate. They should have taken the acquisition
offer, at this rate the chances of their company being in ruins in a few
months' time are very, very high.

~~~
superuser2
>Put hard limits on the rate or total number of friend lookups per account,
especially if a lookup fails.

Easy: distribute the search across accounts. Also you'd expect most of the
lookups to fail (most people in your contacts won't be Snapchat users).

> Keep track of global lookups and lock down the global lookup rate if there
> is a large number of failures

Again, you expect a large number of failures.

> Disallow more than a few lookups for accounts that haven't sent or received
> any messages.

Using the find friends functionality is intended to get you started with
Snapchat. When you haven't sent many/any messages is when it matters most.

> Require approval by the receiver for a lookup based on a phone number before
> the username is revealed.

Many users (myself included) would consider notifications of this volume to be
spam.

>Charge money for phone number based lookups

I don't know anyone who would pay to use Snapchat.

>require some sort of identification

Yeah, because requiring strong identification totally makes privacy advocates
happy.

> Only allow phone number based lookups from within the smartphone app, not
> via the API.

The smartphone app has to communicate with Snapchat somehow, so the functionality
is going to have to be exposed via an API. iOS is closed enough that you might
be able to securely authenticate the app to the API, but AFAIK you can't stop
the user from getting the key out of an Android app if he has root.

I can't comment on Snapchat's competence overall, but none of your solutions
actually work. This is a nontrivial problem.

------
dsl
I implemented a "find friends" server side functionality for a mobile app (due
to a similar business requirement of allowing new users to locate friends).

After prompting the user for the ok, the mobile app would upload the entire
address book to the server. I would check for matches and return a maximum of
25% of total contacts as being valid (randomly so you wouldn't know which
numbers really didn't exist). If there were more hits they would be placed
into a queue and sent periodically as "your friend has joined!" notices which
also increased engagement.

Subsequent checks were done by again uploading the entire address book,
however I would check against the previously stored phonebook (numbers only,
hashed with a per-user salt) and limit the number of valid hits returned based
on the delta of the address book. So if you kept sending 1000 new numbers
every time, you wouldn't get any new matches.

It was also rate limited per account (which required a verified phone number).
All the logic took less than a few hours to think up and implement. Here you
go Snapchat, now fix your shit.
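
The matcher dsl describes, written out as an added example (it is not dsl's code and not anything Snapchat ships). It keeps only per-user salted hashes of uploaded numbers, returns at most 25% of the newly seen contacts as matches (chosen at random) and queues the rest for later "your friend has joined" notices, and treats a re-upload whose contents are mostly new numbers as churn that yields nothing. The 25% cap comes from the comment; the churn threshold, the per-window upload limit, the class and method names and all sample numbers are assumptions constructed for this example:

```python
import hashlib
import hmac
import math
import os
import random
from collections import deque

# Policy knobs. The 25% cap is the figure given in dsl's comment; the other
# two values are assumptions made for this example.
MAX_MATCH_FRACTION = 0.25   # at most 25% of newly seen contacts come back as matches
MAX_DELTA_FRACTION = 0.5    # assumption: a re-upload that is >50% new numbers yields nothing
UPLOADS_PER_WINDOW = 3      # assumption: per-account uploads allowed per rate-limit window


class FindFriendsServer:
    """Server-side 'find friends' matcher modelled on the design in dsl's comment (hypothetical)."""

    def __init__(self, registered_numbers, rng=None):
        self.registered = set(registered_numbers)   # numbers that have an account
        self.rng = rng or random.Random()
        self.salts = {}    # user -> per-user salt; only salted hashes are stored long-term
        self.seen = {}     # user -> set of salted hashes uploaded before
        self.queued = {}   # user -> deque of matches held back for later notices
        self.uploads = {}  # user -> uploads in the current rate-limit window

    def _hash(self, user, number):
        # HMAC with a per-user salt: stored hashes cannot be joined across users
        # or reversed with a single precomputed table of phone numbers.
        salt = self.salts.setdefault(user, os.urandom(16))
        return hmac.new(salt, number.encode(), hashlib.sha256).hexdigest()

    def upload_address_book(self, user, numbers):
        numbers = set(numbers)
        self.uploads[user] = self.uploads.get(user, 0) + 1
        if self.uploads[user] > UPLOADS_PER_WINDOW:
            return {"matches": [], "reason": "rate_limited"}

        by_hash = {self._hash(user, n): n for n in numbers}
        seen = self.seen.setdefault(user, set())
        first_sync = not seen
        delta = set(by_hash) - seen          # numbers this user has never uploaded before
        seen.update(by_hash)

        # A book that changes almost completely between uploads is not a phone
        # book being kept in sync; it is fresh ranges being fed in.
        if not first_sync and numbers and len(delta) / len(numbers) > MAX_DELTA_FRACTION:
            return {"matches": [], "reason": "address_book_churn"}

        # Only never-before-seen numbers can yield matches, and only a fraction of those.
        hits = [by_hash[h] for h in sorted(delta) if by_hash[h] in self.registered]
        self.rng.shuffle(hits)               # random subset, so misses are not distinguishable
        cap = math.floor(MAX_MATCH_FRACTION * len(delta))
        self.queued.setdefault(user, deque()).extend(hits[cap:])
        return {"matches": hits[:cap], "reason": "ok"}

    def pending_notices(self, user):
        """Matches held back, to be drained later as 'your friend has joined' notices."""
        return len(self.queued.get(user, ()))

    def drain_notices(self, user, n):
        q = self.queued.get(user, deque())
        return [q.popleft() for _ in range(min(n, len(q)))]


def demo():
    # Constructed sample data: 400 'registered' numbers and one user's address book.
    registered = {f"+1555000{i:04d}" for i in range(400)}
    srv = FindFriendsServer(registered, rng=random.Random(1))

    book = [f"+1555000{i:04d}" for i in range(20)]       # 20 contacts with accounts
    book += [f"+1555999{i:04d}" for i in range(20)]      # 20 contacts without
    r1 = srv.upload_address_book("alice", book)          # cap = 25% of 40 = 10 matches

    book += ["+15550000020", "+15550000021", "+15559990020", "+15559990021"]
    r2 = srv.upload_address_book("alice", book)          # delta = 4 numbers, cap = 1

    churn = [f"+1555000{i:04d}" for i in range(100, 400)]
    churn += [f"+1555888{i:04d}" for i in range(700)]
    r3 = srv.upload_address_book("alice", churn)         # 1000 all-new numbers: nothing returned

    r4 = srv.upload_address_book("alice", churn)         # fourth upload in the window: rate limited
    return r1, r2, r3, r4, srv.pending_notices("alice")


if __name__ == "__main__":
    print(demo())
```

The first upload returns 10 of the 20 real hits and queues the other 10; the re-upload with four new numbers returns at most one more; the 1000-number churn upload and the upload that exceeds the window limit return nothing, while the queue still holds 11 matches to be delivered later.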

~~~
ch4ch4
At least you ask the user for permission - Snapchat doesn't even alert the user
before uploading the ENTIRE address book!

I take issue with this new generation of developers who seem to have no moral
or ethical boundaries on the invasion of privacy.

The whole "viral/social marketing" trend is also to blame, in addition to the
way that startup valuation puts so much emphasis on "traction" rather than the
actual tech or even a viable business model!

~~~
thaumaturgy
> I take issue with this new generation of developers who seem to have no
> moral or ethical boundaries on the invasion of privacy.

I do too, but I'm beginning to become convinced that most people really don't
care and really aren't bothered by it.

We've had numerous clients -- maybe most of them -- request or expect us to
keep track of the passwords for their online accounts for them. Privacy
erosions and violations by various businesses really haven't been that big of
a deal outside of tech circles. Just an hour or so ago, while on an errand, an
NPR guest was mentioning something similar, that her Facebook account had been
compromised but it didn't change the way she used the service. It wasn't
really anything more than a temporary inconvenience for her.

Earlier today, a client's personal Hotmail account was compromised. It was
being used to spam people on his contacts list. We got in touch with him to
give him the heads-up on it. His response was, "it's not a big deal, I don't
really care about that, I'm not even going to change the password on it."

We had one business client that supposedly took security very seriously.
Government funded and all that. They would routinely ask us to put new
procedures and safeguards in place, only to then turn around and immediately
try to work around them for convenience's sake.

This has been a tough thing to accept, but I really don't believe any more
that most people care at all about privacy or security. What they mostly want
is convenience.

And SnapChat is very convenient.

~~~
gibsonsecurity
This isn't an issue with convenience, this is an issue with Snapchat failing
to fix a vulnerability.

How relevant is find_friends to Snapchat now? Is it really needed? Are they
getting that many users building relationships for it? Is it worth damaging
Snapchat's image?

~~~
thaumaturgy
I don't think you fully grasped what I was saying.

This won't damage SnapChat's image. At least, not among most of their
userbase.

They don't need to focus on fixing this or on coming up with a better response
because this isn't important to enough people.

~~~
gibsonsecurity
They won't see a huge amount of users deleting accounts, but I'm sure future
users will think twice before joining.

Also, the value of the company.

------
notlisted
Wow. Talk about a non-reaction. As if bad code resulting in the disclosure of
4.6MM numbers and IDs is a non-issue.

Posted something about this on FB, achieved zero reactions which really
surprised me, until I realized that some think it's only for sexting... and
thus nobody is willing to admit they've installed it (it's useful for other
stuff as well, I'm my own emoticon).

Several of my friends are in the list (known nicks match known numbers,
showing exactly what's the problem here).

Maybe I should post something on their wall? :-)

~~~
hindsightbias
> zero reactions

Brave new world. The kids don't care about security, and they don't read their
FB.

~~~
notlisted
Not a kid, nor are most of my friends (many are 29.99999999)

------
chris_wot
_On Christmas Eve, that same group publicly documented our API, making it
easier for individuals to abuse our service and violate our Terms of Use._

Security through obscurity? Great way of protecting your users.

It's pathetic that they believe that others haven't already worked out their
protocol and were using it.

Funny how they have had to quickly backtrack from this blog post:

[http://blog.snapchat.com/post/71353347590/finding-friends-with-phone-numbers](http://blog.snapchat.com/post/71353347590/finding-friends-with-phone-numbers)

------
xSwag
There is an easier way to solve this issue: Bug Bounty.

It worked for Google, it worked for Facebook and it's working for Yahoo!
In fact, it worked so well for Google that they recently increased the rewards.
A venture-backed startup like Snapchat that stores private pictures (even
temporarily) should have no trouble paying out $5k a few times for
vulnerabilities.

~~~
octatone2
The problem is they did not see it as a vulnerability, they touted it as a
feature, and even made a blog post outlining how you could exploit it. That
was the most WTF event in following this story.

------
nostromo
It's hard for me to get too worked up over this.

I mean, do phonebooks still exist? They used to list everyone's numbers _and
their names and addresses_ and then leave them on everyone's doorstep. This is
just a (partial) phone number and username.

About the worst abuse I can think of is that you have someone's username from
another service, and you can maybe find their phone number.

This seems mild compared to, say, Facebook allowing you to search by email and
find a user's facebook profile.

------
octatone2
Why is user info presented in the clear to anyone who asks for it via their
api?

Here's a more sane approach I imagine:

Allow sending snaps to a phone number (rather than to a username - since you
would not know it at the time), and attach a "friend request" as part of
delivery. When the person at that phone number retrieves the snap they have
the additional option of accepting the friend request which then (and only
then) exposes their user info to the originating party.

~~~
daurnimator
via MMS? that would be quite a bit of business AND development effort...
(which must be redone for each country of operation)

~~~
tantalor
Snapchat doesn't use MMS.

~~~
daurnimator
That was sort of my point

------
dudurocha
That is one of the worst 'apologies' from a startup I've ever read.

There is no "We fucked up, sorry, we're fixing it". They speak of the leak
as a simple 'hack', like someone who was capable of finding all your friends
using facebook and random luck.

I hope they fix this right, and be more apologetic the next time.

------
teaneedz
A 322 word blog post, no apology and 6 instances of the word 'abuse'.

The PR message that Snapchat just sent is not a good one. Their target
demographic may not care much, but at the end of the day, this brand just
dropped a big ball and lost an opportunity to build something better.

------
Gurrewe
I tried to send a snap ( via
[http://kittenbot.gustav.tv/](http://kittenbot.gustav.tv/) ) to all the leaked
users. Turns out the app crashes a lot after around 10k friends. :D

------
Systemic33
So in a nutshell they are saying that some of their users are risky enough to
use a feature that discloses their phone number to them, and they consider
this information as non-sensitive data.

Snapchat is and will always just be a fad, it's the current social network
flavour of the time, and when something more interesting comes along, I will
bet that the 4.6M users will be inactive in no time.

This is also why their users aren't concerned with this leak, because the
premise in snapchat is a sort of leaking of your good and bad moments, with no
filter. But I'd be pretty sure that if it turns out they save the images and
videos, it would be much bigger of a deal, because it ruins this premise.

------
schappim
>"$10 to whoever shows me where the apology is in this. Still looking…" -
carpeaqua

So true!

------
dannsfw
"We want to make sure that security experts can get ahold of us when they
discover new ways to abuse our service so that we can respond quickly to
address those concerns."

"Quickly" is a relative term here, I guess.

------
gibsonsecurity
We're going to be releasing a statement shortly.

Here:
[https://gist.github.com/anonymous/8231005](https://gist.github.com/anonymous/8231005)

------
smackfu
Did they not have a max phonebook size? Rate limiting doesn't matter if one
API call can do it all.

------
wfraser
"How dare they tell people about the insecure API we wrote and how it works!"

